[c-nsp] Cisco ASA - Configuring Accounting for Network Access

Antonio Soares amsoares at netcabo.pt
Mon Oct 31 13:38:21 EDT 2011


Thanks Ryan. I was reading about that feature and I don't see how the
session information is sent:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_idfw.html

Do you have experience with this feature?

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares at netcabo.pt
http://www.ccie18473.net


-----Original Message-----
From: Ryan West [mailto:rwest at zyedge.com] 
Sent: Monday, 31 October 2011 17:02
To: Antonio Soares; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Cisco ASA - Configuring Accounting for Network Access

Antonio,

On Mon, Oct 31, 2011 at 12:38:02, Antonio Soares wrote:
> Subject: [c-nsp] Cisco ASA - Configuring Accounting for Network Access
> 
> Hello group,
> 
> I have a customer that was using a Web Proxy to monitor user access to 
> the internet. Now the customer is asking me if the ASA can help him 
> monitor the users' access to the internet because the proxy is not 
> working. He wants to know which users are accessing which sites. The 
> only feature I was able to find that could help the client is Network
> Access Accounting:
> 
> http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/access_fwaaa.html#wp1151104
> 
> I made a test in my lab and basically the ASA sends information about 
> the source-ip:source-port->destination-ip:destination-port to the aaa
> server.
> This should be enough but it is not very practical. The customer wants 
> some nice real time graphics showing him what users are doing. Do we 
> have any solution without replacing the ASA with something else? Is 
> this just me or the reporting capabilities of the ASA are very basic?
> 

Have you enabled inspect for HTTP?  Assuming you are running 8.4, if you
upgrade to 8.4.2, identity services are available to pull user information
from AD.  If you send the logging information to a log analysis box, you can
get near time results.

-ryan


