monitoring sessions on vpn concentrator 3000

Discussion in 'Cisco' started by Colin Cant, Feb 26, 2005.

  1. Colin Cant

    Colin Cant Guest

    hi ng,

    is it possible, and how, to mirror sessions which go via the vpn concentrator?
    we have to open up our vpn service to untrusted people, now is there a
    possibility to monitor this network traffic in the vpn tunnel?

    thanks for suggestions
    Colin Cant, Feb 26, 2005
  2. Brian V

    Brian V Guest

    If they are untrusted, why the heck did you give them access rights?
    Mistake #1. I would have fought that tooth and nail.

    Things you can do:
    1. Tighten down what they can access. Hopefully you put them in their own
    group. If you didn't, that's mistake #2 and you're pretty much screwed. If
    they are in their own group then apply an ACL to that group with what they
    are permitted to talk to, i.e. only the server that they service.
    2. If it's a clientless app that they are trying to access, set up a web VPN
    for them; that way they are being proxied to talk to that app and are never
    really getting inside.
    3. Set up a static IP for them and use a sniffer with a filter to only log
    what they are doing.

    I'm sure there's more ways, but those are what I can think of right now.
    Brian V, Feb 26, 2005
  3. Colin Cant

    Colin Cant Guest

    jo brian,
    it was not my decision!! i thought the same way like u did ;-)
    is done already, they are not allowed a lot, 2-6 servers, that's it.
    so if they have a static ip based on the username, how or where do i sniff? i
    could just create a mirror port for the whole vlan which is defined as the
    vpn subnet?
    then i should get the whole traffic, no? what about someone identifying
    himself via vpn user/pass and then later changing the ip address the vpn
    concentrator assigned him. never tested this, is this possible? so it gets
    hairy again to monitor.

    Colin Cant, Feb 27, 2005
  4. Brian V

    Brian V Guest

    Hi Colin,

    The user's IP is determined by the concentrator, under config>>user
    mgmt>>users. If you statically assign them an IP, then simply sniff the
    inside of the concentrator. Make sure you use a filter and only capture the
    traffic from that specific user.

    Not sure what you mean by changing their IP; how would the user have admin
    access to the concentrator? I don't think them statically assigning their IP
    will work. I haven't tested it, but I doubt it.

    Brian V, Feb 27, 2005
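Added example (not code from the thread or from Cisco): a small Python script that ties together Brian's two suggestions, a per-user capture filter for the sniffer on the inside of the concentrator and a per-group server allow-list, and also answers Colin's worry about a user changing the address the concentrator assigned. It builds a tcpdump/BPF expression that captures only a given user's traffic that falls outside their allow-list, and it audits a batch of flow records: any flow from the VPN pool whose source address is not one of the statically assigned user IPs is flagged as "unassigned-source", and any flow from a known user to a server or port their group ACL does not permit is flagged as "outside-allow-list". The VPN pool, user names, addresses, ports and flow records are all constructed for illustration.

```python
"""
Audit traffic seen on the inside of a VPN concentrator against the
statically assigned per-user IPs and the per-group server allow-list.
All users, addresses, ports and flow records are constructed for illustration.
"""
import ipaddress

# Assumed address pool the concentrator hands out to VPN users (constructed).
VPN_POOL = ipaddress.ip_network("10.99.0.0/24")

# user -> static IP, as assigned on the concentrator (constructed values).
ASSIGNED_IP = {
    "vendor-alice": "10.99.0.10",
    "vendor-bob": "10.99.0.11",
}

# user -> set of (server, proto, port) the user's group ACL permits (constructed).
ALLOWED = {
    "vendor-alice": {("10.1.1.20", "tcp", 3389), ("10.1.1.21", "tcp", 22)},
    "vendor-bob": {("10.1.1.30", "tcp", 443)},
}

# Constructed flow records in the form "<timestamp> <src> <dst> <proto> <dport>",
# as one might export from a sniffer on the concentrator's inside interface.
SAMPLE_FLOWS = [
    "2005-02-27T10:00:01 10.99.0.10 10.1.1.20 tcp 3389",   # permitted
    "2005-02-27T10:00:05 10.99.0.10 10.1.1.50 tcp 445",    # server not on alice's list
    "2005-02-27T10:01:10 10.99.0.11 10.1.1.30 tcp 443",    # permitted
    "2005-02-27T10:02:00 10.99.0.77 10.1.1.20 tcp 3389",   # pool address nobody was assigned
    "2005-02-27T10:03:00 10.20.0.5 10.1.1.20 tcp 3389",    # not from the VPN pool, ignored
]


def capture_filter(user):
    """BPF filter for the sniffer: only this user's traffic, and only the part
    that is NOT on the user's allow-list, so the capture stays small."""
    src = ASSIGNED_IP[user]
    permitted = sorted(ALLOWED[user])
    clauses = " or ".join(
        f"(dst host {server} and {proto} dst port {port})"
        for server, proto, port in permitted
    )
    return f"src host {src} and not ({clauses})"


def user_for_ip(ip):
    """Reverse lookup: which user was statically assigned this address, if any."""
    for user, assigned in ASSIGNED_IP.items():
        if assigned == ip:
            return user
    return None


def parse_flow(line):
    ts, src, dst, proto, port = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, "port": int(port)}


def audit_flows(lines):
    """Return a list of (timestamp, reason, who, src, dst:port) findings."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if ipaddress.ip_address(flow["src"]) not in VPN_POOL:
            continue  # not VPN-originated; outside the scope of this check
        target = f"{flow['dst']}:{flow['port']}"
        user = user_for_ip(flow["src"])
        if user is None:
            # A pool address the concentrator never assigned: someone is using
            # an address other than the one they were given, or config drift.
            findings.append((flow["ts"], "unassigned-source", "?", flow["src"], target))
            continue
        if (flow["dst"], flow["proto"], flow["port"]) not in ALLOWED[user]:
            findings.append((flow["ts"], "outside-allow-list", user, flow["src"], target))
    return findings


if __name__ == "__main__":
    for user in ASSIGNED_IP:
        print(f"tcpdump -ni <inside-if> '{capture_filter(user)}'")
    for finding in audit_flows(SAMPLE_FLOWS):
        print(*finding)
```

The allow-list check is the monitoring counterpart of the group ACL: the ACL on the concentrator blocks the traffic, and this audit tells you when a user is trying anyway. The "unassigned-source" rule only works because each user has a fixed address; with a dynamic pool there is no way to tie an address back to a username from the packets alone.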
