[c-nsp] Cisco ASA - Configuring Accounting for Network Access

Antonio Soares amsoares at netcabo.pt
Mon Oct 31 13:20:05 EDT 2011


Thanks. It seems a good alternative to RADIUS Accounting. I will check that.

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt
http://www.ccie18473.net

From: harbor235 [mailto:harbor235 at gmail.com] 
Sent: Monday, 31 October 2011 17:02
To: Antonio Soares
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco ASA - Configuring Accounting for Network Access

 

Assuming you have a recent version of code (8.2.1 and up) you should enable
netflow version 9 support. This will give you a five tuple of relevant flow
information: <Protocol, Src Address, Src Port, Destination Address,
Destination Port>, perhaps netflow coupled with user info via accounting will
provide you with what you need.

 

Mike

On Mon, Oct 31, 2011 at 12:38 PM, Antonio Soares <amsoares at netcabo.pt>
wrote:

Hello group,

I have a customer that was using a Web Proxy to monitor user access to the
internet. Now the customer is asking me if the ASA can help him monitor the
users' access to the internet because the proxy is not working. He wants to
know which users are accessing which sites. The only feature I was able to
find that could help the client is Network Access Accounting:

http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/access_fwaaa.html#wp1151104

I made a test in my lab and basically the ASA sends information about the
source-ip:source-port->destination-ip:destination-port to the aaa server.
This should be enough but it is not very practical. The customer wants some
nice real time graphics showing him what users are doing. Do we have any
solution without replacing the ASA with something else? Is it just me, or are
the reporting capabilities of the ASA very basic?


Thanks.

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt
http://www.ccie18473.net




_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
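
Added example, not part of the original thread: one way to couple NetFlow five-tuples with user info from accounting, as the reply suggests, so that traffic is reported per user rather than per address. The record layouts, function names and sample data are constructed assumptions, not ASA or AAA-server output formats; it also covers an address reused by two users and flows with no matching session.

```python
from collections import Counter
from datetime import datetime

def ts(text):
    """Parse the timestamp format used by the constructed sample data."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

# Constructed accounting sessions: (user, client IP, start, stop or None if open).
SESSIONS = [
    ("alice", "10.1.1.10", ts("2011-10-31 09:00:00"), ts("2011-10-31 12:00:00")),
    ("bob",   "10.1.1.10", ts("2011-10-31 13:00:00"), ts("2011-10-31 17:00:00")),
    ("carol", "10.1.1.20", ts("2011-10-31 09:30:00"), None),
]

# Constructed flow records: (time, protocol, src, sport, dst, dport, bytes).
FLOWS = [
    (ts("2011-10-31 09:15:00"), 6, "10.1.1.10", 51000, "192.0.2.80", 80, 12000),
    (ts("2011-10-31 09:20:00"), 6, "10.1.1.10", 51001, "192.0.2.80", 80, 3000),
    (ts("2011-10-31 14:05:00"), 6, "10.1.1.10", 51002, "198.51.100.7", 443, 8000),
    (ts("2011-10-31 10:00:00"), 17, "10.1.1.20", 53000, "203.0.113.53", 53, 200),
    (ts("2011-10-31 12:30:00"), 6, "10.1.1.10", 51003, "192.0.2.80", 80, 500),
]

def user_for(src_ip, when, sessions):
    """Return the user whose session held src_ip at time `when`, else None."""
    for user, ip, start, stop in sessions:
        if ip == src_ip and start <= when and (stop is None or when <= stop):
            return user
    return None

def bytes_per_user_destination(flows, sessions):
    """Sum bytes per (user, protocol, destination address, destination port)."""
    totals = Counter()
    for when, proto, src, _sport, dst, dport, nbytes in flows:
        # Match on address AND time: the same address can belong to
        # different users at different times of the day.
        user = user_for(src, when, sessions) or "unattributed"
        totals[(user, proto, dst, dport)] += nbytes
    return totals

if __name__ == "__main__":
    report = bytes_per_user_destination(FLOWS, SESSIONS)
    for (user, proto, dst, dport), nbytes in report.most_common():
        print(f"{user:13} proto={proto:<3} {dst}:{dport:<5} {nbytes} bytes")
```

Flows that land in the "unattributed" bucket are worth reviewing separately, since they are traffic from an address with no accounted session at that time.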

 


