Logging Cisco 837

Everything to do with configuring Cisco devices (and that does not fit in the other categories)

Moderator: Federico.Lagni

Reply
[email protected]
Cisco power user
Posts: 83
Joined: Tue 20 Jun 2006, 9:37 am

Hi everyone.... I have a Cisco 837 and would like to kindly ask whether it is possible to send logs about IPSEC VPN connections to a syslog server.
Specifically, I need to know how many times a given user logs in over the VPN..
Authentication is done through an aaa user list (LISTA-UTENTI-VPN).
Here is the config:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router_Casa
!
boot-start-marker
boot-end-marker
!
no logging console
no logging monitor
enable secret 5 xxx
enable password 7 xxx
!
aaa new-model
!
!
aaa authentication login LISTA-UTENTI-VPN local
aaa authorization network GRUPPO-UTENTI-VPN local
!
!
aaa session-id common
clock timezone SOLARE 1
clock summer-time LEGALE recurring last Sat Mar 2:00 last Sat Oct 3:00
no ip dhcp use vrf connected
ip dhcp excluded-address xxx xxx
!
ip dhcp pool casa
import all
network xx xxx
update dns
default-router xxx
dns-server 85.37.17.47
!
ip dhcp update dns both
ip cef
ip name-server 85.37.17.47
ip name-server 151.99.125.3
ip inspect name LOW icmp
ip inspect name LOW tcp
ip inspect name LOW udp
ip ssh time-out 15
ip ssh version 2
ip ddns update method DNS
HTTP
add http://[email protected]/nic/updat ... h>&myip=<a>
interval maximum 2 0 0 0
!
!
multilink bundle-name authenticated
!
!
username xxx privilege 15 password 7 xxx
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
!
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxx address xxx no-xauth
crypto isakmp client configuration address-pool local VPN-CLIENT-POOL
!
crypto isakmp client configuration group GRUPPO-UTENTI-VPN
key xxx
pool VPN-CLIENT-POOL
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
!
crypto dynamic-map VPNDYNAMIC 10
set transform-set ESP-3DES-MD5
!
!
crypto map VPN client authentication list LISTA-UTENTI-VPN
crypto map VPN isakmp authorization list GRUPPO-UTENTI-VPN
crypto map VPN client configuration address respond
crypto map VPN 1 ipsec-isakmp
set peer xxx
set transform-set ESP-3DES-MD5
match address 150
crypto map VPN 10 ipsec-isakmp dynamic VPNDYNAMIC
!
!
interface Ethernet0
ip address xxx xxx
ip access-group 100 in
ip nat inside
ip virtual-reassembly
hold-queue 100 out
!
interface Ethernet2
ip address yyy yyy
ip access-group DMZ in
ip nat inside
ip virtual-reassembly
hold-queue 100 out
!
interface ATM0
no ip address
load-interval 30
no atm ilmi-keepalive
dsl operating-mode auto
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
interface Dialer0
ip ddns update hostname xxx
ip ddns update DNS host xxx
ip address negotiated
ip access-group 101 in
ip nat outside
ip inspect LOW out
ip virtual-reassembly
encapsulation ppp
load-interval 30
dialer pool 1
ppp chap hostname xx
ppp chap password 7 xx
ppp pap sent-username xxx password 7 xxx
crypto map VPN
!
ip local pool VPN-CLIENT-POOL zzz zzz
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
ip nat translation timeout 3600
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 1200
ip nat translation finrst-timeout 300
ip nat translation syn-timeout 120
ip nat translation dns-timeout 300
ip nat translation icmp-timeout 120
ip nat inside source list 140 interface Dialer0 overload
!
!
ip access-list extended DMZ
deny ip yyy 0.0.0.255 xxx 0.0.0.255
permit ip any any
logging trap errors
access-list 1 permit xxx
access-list 1 remark PERMISSIONS FOR TELNET
access-list 1 permit xxx 0.0.0.255
access-list 1 permit zzz 0.0.0.255
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit udp host 62.152.126.5 eq ntp any eq ntp
access-list 101 permit udp host 198.41.0.4 eq domain any
access-list 101 permit udp host 85.37.17.47 eq domain any
access-list 101 permit udp host 151.99.125.3 eq domain any
access-list 101 permit tcp 63.208.196.0 0.0.0.255 eq www any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit gre any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit esp any any
access-list 101 permit udp any eq isakmp any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 140 deny ip xxx 0.0.0.255 zzz 0.0.0.255
access-list 140 permit ip yyy 0.0.0.255 any
access-list 140 permit ip xxx 0.0.0.255 any
no cdp run
!
control-plane
!
!
line con 0
exec-timeout 0 0
password 7 xxx
no modem enable
stopbits 1
speed 115200
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 40 0
privilege level 15
password 7 xxx
transport preferred ssh
transport input all
!
scheduler max-task-time 5000
sntp server 62.152.126.5
end
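As an added example (this is not part of the original post or the poster's configuration), the IOS fragment below is the minimal change that gets IPsec and Easy VPN session events from an 837 like this one to a syslog collector. The collector address 192.0.2.10, the local6 facility and the buffer size are assumptions; the group name GRUPPO-UTENTI-VPN and the interface names are taken from the posted config.

```cisco
! Send syslog to a collector on the LAN side and source it from Ethernet0,
! so the collector sees a stable address rather than the negotiated
! Dialer0 one. 192.0.2.10 is an assumed collector address (documentation range).
logging host 192.0.2.10
logging source-interface Ethernet0
logging facility local6
!
! The posted config has "logging trap errors" (severity 3). The crypto
! session messages are severity 5 and 6, so with that setting they are
! never forwarded. Raise the trap level to informational (6).
no logging trap errors
logging trap informational
!
! Keep a local copy as well, useful when the collector sits on the far
! side of the same Dialer0 link whose tunnel just went down.
logging buffered 32768 informational
!
! Emit %CRYPTO-5-SESSION_STATUS for every IPsec tunnel up/down event
! (this also covers the site-to-site peer in "crypto map VPN 1").
crypto logging session
!
! Emit %CRYPTO-6-EZVPN_CONNECTION_UP / _DOWN for the Easy VPN clients in
! GRUPPO-UTENTI-VPN. These lines carry the Xauth username (the user from
! LISTA-UTENTI-VPN), which is what a per-user login count needs.
crypto logging ezvpn group GRUPPO-UTENTI-VPN
!
! Timestamps are already "datetime msec" in the posted config; adding the
! local time and zone makes the lines easier to correlate on the collector,
! since the router already has "clock timezone" and "clock summer-time" set.
service timestamps log datetime msec localtime show-timezone
```

With the collector on the Ethernet0 LAN no ACL change is needed: syslog over UDP/514 is router-originated, one-way traffic and never crosses Dialer0 or ACL 101. Counting logins per user is then done on the collector by counting the EZVPN_CONNECTION_UP lines per username; the AAA list itself cannot do it, because "local" authentication has no accounting method to send start/stop records.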