Cisco Pix - Authenticated VPN Users
Moderators: Developers, Moderators
Cisco Pix - Authenticated VPN Users
Hello,
here is a template for the Cisco Pix firewall, which shows the number of authenticated VPN users.
Unfortunetly I find no way to get the number of authenticated users using snmp.
Because of this I wrote a Perl script, which connects over telnet to the firewall , executes the command "sh unauth" and calculates the number of connected users.
Installation Instructions:
1. extract the file pix-vpn-users.zip and copy pix-vpn-users.pl into <path_cacti>/scripts/pix-vpn-users.pl
2. Import the Template cacti_graph_template_cisco_vpn_active_vpn_users.xml
3. Allow Telnet connection to firewall
4. If you don't need a username for telnet login, delete the input field username from "Data Input Methods" --> "Cisco VPN - Active VPN users" in Cacti Gui.
Regards
Speedy
here is a template for the Cisco Pix firewall, which shows the number of authenticated VPN users.
Unfortunetly I find no way to get the number of authenticated users using snmp.
Because of this I wrote a Perl script, which connects over telnet to the firewall , executes the command "sh unauth" and calculates the number of connected users.
Installation Instructions:
1. extract the file pix-vpn-users.zip and copy pix-vpn-users.pl into <path_cacti>/scripts/pix-vpn-users.pl
2. Import the Template cacti_graph_template_cisco_vpn_active_vpn_users.xml
3. Allow Telnet connection to firewall
4. If you don't need a username for telnet login, delete the input field username from "Data Input Methods" --> "Cisco VPN - Active VPN users" in Cacti Gui.
Regards
Speedy
- Attachments
-
- cacti_graph_template_cisco_vpn_active_vpn_users.xml
- import from GUI
- (10.26 KiB) Downloaded 4087 times
-
- pix-vpn-users.zip
- extract file and copy to /scripts/pix-vpn-users.pl
- (895 Bytes) Downloaded 3556 times
-
- graph_image.php.png (17.51 KiB) Viewed 50893 times
Last edited by speedy on Tue Jun 27, 2006 2:21 am, edited 3 times in total.
Hi Speedy,
Thanks for the quick reply. I'm still not sure if it is executing correctly, because maybe I'm running it wrong at the command line. I typed:
C:\cacti2\scripts>pix-vpn-users.pl -r <ipaddress router> -u <> -p <password> -e <enable>
> was unexpected at this time.
Note that the username is null and in cacti I allowed it to have a null value. Also when I write <null> as username or when I write the hostname instead of the IP address of the router, it says that the syntax is incorrect. Can I do it diferently?
Regards
Thanks for the quick reply. I'm still not sure if it is executing correctly, because maybe I'm running it wrong at the command line. I typed:
C:\cacti2\scripts>pix-vpn-users.pl -r <ipaddress router> -u <> -p <password> -e <enable>
> was unexpected at this time.
Note that the username is null and in cacti I allowed it to have a null value. Also when I write <null> as username or when I write the hostname instead of the IP address of the router, it says that the syntax is incorrect. Can I do it diferently?
Regards
By the way,
Since you are a PIX user as well, maybe you can help me with this problem:
http://forums.cacti.net/viewtopic.php?t ... highlight=
If not, no hard feelings ofcourse.
Regards
Since you are a PIX user as well, maybe you can help me with this problem:
http://forums.cacti.net/viewtopic.php?t ... highlight=
If not, no hard feelings ofcourse.
Regards
Hi,
Thanks for updating so fast Speedy, well ofcourse, that's why you're called Speedy.
Now, I have one problem left. I looked at the poller when it runs. It doesn't seem to recognize the password of the router, or at least part of the password. It tells me that: &xcvjk (example password), is not recognized as an internal or external command.
Is it possible that it's because of the & character?
Regards
Thanks for updating so fast Speedy, well ofcourse, that's why you're called Speedy.
Now, I have one problem left. I looked at the poller when it runs. It doesn't seem to recognize the password of the router, or at least part of the password. It tells me that: &xcvjk (example password), is not recognized as an internal or external command.
Is it possible that it's because of the & character?
Regards
Hey Speedy, thanks for the template!
I've been desperate to find a way to monitor VPN connections to a couple of PIXen and a couple of 2600 routers. Like you, I haven't found any SNMP/MIB support for VPN monitoring.
Having seen your script, I'm wondering if I might be able to edit it for use with Nagios to verify specific tunnels. If you know how to do this already, please share!
I've been desperate to find a way to monitor VPN connections to a couple of PIXen and a couple of 2600 routers. Like you, I haven't found any SNMP/MIB support for VPN monitoring.
Having seen your script, I'm wondering if I might be able to edit it for use with Nagios to verify specific tunnels. If you know how to do this already, please share!
Hi,
sorry there was a mistake in the new script. Please download the new version.
For the password problem try to put the password into quotes. Normally the chracter & is used for command execution.
There is no problem to use the script to execute other commands. You only have to replace the command in the line "print $handle "sh uauth\n";" and change the section for output handling.
Otherwise take a look at the MRAT Tool:
http://www.serreyn.com/software/mrat/
Regards
speedy
sorry there was a mistake in the new script. Please download the new version.
For the password problem try to put the password into quotes. Normally the chracter & is used for command execution.
There is no problem to use the script to execute other commands. You only have to replace the command in the line "print $handle "sh uauth\n";" and change the section for output handling.
Otherwise take a look at the MRAT Tool:
http://www.serreyn.com/software/mrat/
Regards
speedy
No problem for you maybe... I, on the otherhand, will spend a week pouring over the meaning of everything in the output section.speedy wrote: There is no problem to use the script to execute other commands. You only have to replace the command in the line "print $handle "sh uauth\n";" and change the section for output handling.
replace & with \&RUM wrote:Hi,
Thanks for updating so fast Speedy, well ofcourse, that's why you're called Speedy.
Now, I have one problem left. I looked at the poller when it runs. It doesn't seem to recognize the password of the router, or at least part of the password. It tells me that: &xcvjk (example password), is not recognized as an internal or external command.
Is it possible that it's because of the & character?
Regards
cacti rulez!
revisting this
check out remote-access under the CLI in ver 7.2.1... I believe this may be what you are looking for
per the cli:
per the cli:
granted, it is for thresholding, at least you can trigger an snmp trapremote-access Configure SNMP trap threshold for VPN remote-access
sessions
Cacti1 OS: CentOS 5.6 | 300+ devices
Cacti2 OS: CentOS 5.6 | 300+ devices
King of the Elves
Local Anarchists Union #427
"Anarchism is founded on the observation that since few men are wise enough to rule themselves, even fewer are wise enough to rule others." -Edward Abbey
Cacti2 OS: CentOS 5.6 | 300+ devices
King of the Elves
Local Anarchists Union #427
"Anarchism is founded on the observation that since few men are wise enough to rule themselves, even fewer are wise enough to rule others." -Edward Abbey
Who is online
Users browsing this forum: No registered users and 0 guests