USER-ID log from VPN Cisco concentrator

Dear community, how is everything going?


Have you ever had to do the following?


We have to integrate a Cisco ASA with Palo Alto, so that the PA receives from the Cisco ASA and/or Cisco ISE the users that connect by VPN, in order to map them with User-ID. (There is no GlobalProtect.)


Details:

Cisco ASA --- Cisco ISE (AAA), users with AnyConnect; flows through the PA.


They want the Palo Alto firewalls to be able to read the users: when a user connects via VPN to the Cisco ASA, the Palo Alto FW receives the information from the Cisco ASA and/or the Cisco ISE, so that User-ID can somehow get the information about those users.


Clarifications: the PA does not have and should not use GlobalProtect. The Palo Alto FW must receive the information from the Cisco ASA and/or Cisco ISE when VPN users connect, so Palo Alto can map them and see them in the user fields of the PA logs when traffic passes through it.


Please, can you guide me and/or indicate how to achieve this goal, at least as a base: limitations, considerations and/or a guide to achieve this.


Thanks for your time and collaboration.


I remain attentive


Best regards

MetgatzGR
Mar 30, 2024

Hi master @Reaper, what happens, master, is that this is the way it is.


We have the PA operating, and we have two servers operating with the Windows User-Agent; everything is fine from there.


This firewall, this PA HA pair, is an internal firewall, closer to the servers and applications. Everything operates fine with the Windows User Agent on two servers connected to the AD; all fine with User-ID.


Now we need to be able to map the users that connect by VPN from an ASA that is the VPN concentrator, not the PA; the PA does not have GP and fulfills other roles, so all is well with User-ID from that scope.


Now what we need is that the ASA or the ISE (AAA of the ASA) sends the logs so that the PA can map those connections.


That is why we must apply a Syslog Parser for those connections that originate on the ASA, so the PA has the User-ID of the ASA users and, in turn, the mapping of the virtual IPs of the users that are connected by AnyConnect.


Users-Endpoint-AnyConnect--------ASA-----------Internal network------PA-internal----Windows Servers-User Agent OK with the AD and the user recognition.


The missing point to integrate is that source of the USER-ID.


These events from the ASA can help to map with the syslog parser:


746012

Error Message: %ASA-5-746012: user-identity: Add IP-User mapping IP Address - domain_name\user_name result - reason

Explanation: A new user-IP mapping has been added to the user-to-IP address mapping database. The status of the operation (success or failure) is indicated. The success reason is VPN user. The failure reasons include the following: Maximum user limit reached and Duplicated address.

746013

Error Message: %ASA-5-746013: user-identity: Delete IP-User mapping IP Address - domain_name\user_name result - reason

Explanation: A change has been made to the user-to-IP address mapping database. The status of the operation (success or failure) is indicated. The success reasons include the following: Inactive timeout, NetBIOS probing failed, PIP notification, VPN user logout, Cut-through-proxy user logout, and MAC address mismatch. The failure reason is PIP notification.


Thank you, master, for your time and collaboration.


I remain attentive
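As an added illustration (not code from the post or from Palo Alto/Cisco), the parser below shows what a syslog-based User-ID source has to extract from the two ASA messages quoted above: the IP, the DOMAIN\user, and whether the event is a login (746012 Add) or a logout (746013 Delete), while ignoring operations the ASA itself reports as Failed. The sample lines are constructed to follow the documented message format; the regex, hostnames and usernames are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches the two ASA user-identity messages quoted in the post (746012 add,
# 746013 delete); field order follows the format given there:
#   <IP Address> - <domain_name>\<user_name> <result> - <reason>
MAPPING_RE = re.compile(
    r"%ASA-5-7460(?:12|13): user-identity: (?P<action>Add|Delete) IP-User mapping "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) - (?P<domain>[^\\\s]+)\\(?P<user>\S+) "
    r"(?P<result>Succeeded|Failed) - (?P<reason>.+?)\s*$"
)

@dataclass
class MappingEvent:
    action: str   # "login" (Add) or "logout" (Delete), the User-ID event types
    ip: str
    user: str     # "DOMAIN\user", the form a User-ID mapping is keyed on
    reason: str

def parse_asa_mapping(line: str) -> Optional[MappingEvent]:
    # Only a message reporting Succeeded changed the ASA's own mapping table, so
    # a Failed add (e.g. "Duplicated address") must not create a mapping here.
    m = MAPPING_RE.search(line)
    if not m or m.group("result") != "Succeeded":
        return None
    action = "login" if m.group("action") == "Add" else "logout"
    user = f"{m.group('domain')}\\{m.group('user')}"
    return MappingEvent(action, m.group("ip"), user, m.group("reason"))

def current_mappings(lines: List[str]) -> Dict[str, str]:
    # Replay the syslog stream in order; the result is the live ip -> user table.
    table: Dict[str, str] = {}
    for line in lines:
        ev = parse_asa_mapping(line)
        if ev is None:          # unrelated message or failed operation
            continue
        if ev.action == "login":
            table[ev.ip] = ev.user
        else:
            table.pop(ev.ip, None)
    return table

# Constructed sample lines (not captured from a real ASA), shaped like the formats above.
SAMPLE_LOGS = [
    "Mar 30 2024 10:15:01 asa-vpn : %ASA-5-746012: user-identity: Add IP-User mapping 10.20.0.15 - CORP\\jdoe Succeeded - VPN user",
    "Mar 30 2024 10:15:02 asa-vpn : %ASA-5-746012: user-identity: Add IP-User mapping 10.20.0.16 - CORP\\asmith Succeeded - VPN user",
    "Mar 30 2024 10:15:03 asa-vpn : %ASA-5-746012: user-identity: Add IP-User mapping 10.20.0.15 - CORP\\bwong Failed - Duplicated address",
    "Mar 30 2024 11:40:00 asa-vpn : %ASA-5-746013: user-identity: Delete IP-User mapping 10.20.0.16 - CORP\\asmith Succeeded - VPN user logout",
    "Mar 30 2024 11:40:01 asa-vpn : %ASA-6-302013: Built outbound TCP connection 12345 for outside:10.20.0.15/51234 to inside:10.0.0.5/443",
]
```

Running `current_mappings(SAMPLE_LOGS)` leaves only 10.20.0.15 mapped to CORP\jdoe: asmith's mapping was removed by the 746013 logout, and the failed duplicate-address add for bwong never created one.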
