Cacti: official forums and support

All times are UTC - 5 hours




 Post subject: Cisco Pix - Authenticated VPN Users
PostPosted: Fri Jun 23, 2006 4:59 am 

Joined: Fri Jun 23, 2006 4:13 am
Posts: 5
Hello,

here is a template for the Cisco Pix firewall, which shows the number of authenticated VPN users.

Unfortunately I found no way to get the number of authenticated users using SNMP.
Because of this I wrote a Perl script, which connects over telnet to the firewall, executes the command "sh unauth" and calculates the number of connected users.

Installation Instructions:

1. extract the file pix-vpn-users.zip and copy pix-vpn-users.pl into <path_cacti>/scripts/pix-vpn-users.pl
2. Import the Template cacti_graph_template_cisco_vpn_active_vpn_users.xml
3. Allow Telnet connection to firewall
4. If you don't need a username for telnet login, delete the input field username from "Data Input Methods" --> "Cisco VPN - Active VPN users" in the Cacti GUI.

Regards

Speedy


Attachments:
File comment: extract file and copy to /scripts/pix-vpn-users.pl
pix-vpn-users.zip [895 Bytes]
Downloaded 3331 times
graph_image.php.png [ 17.51 KiB | Viewed 43812 times ]
File comment: import from GUI
cacti_graph_template_cisco_vpn_active_vpn_users.xml [10.26 KiB]
Downloaded 3667 times


Last edited by speedy on Tue Jun 27, 2006 2:21 am, edited 3 times in total.
PostPosted: Mon Jun 26, 2006 4:16 am

Joined: Thu Jun 22, 2006 3:43 am
Posts: 20
Hi Speedy,

Thanks for the Template. It's a nice, useable feature.

I was able to get the graph shown, but there is no data on it. Do you know how it's possible?

Thanks in advance


PostPosted: Mon Jun 26, 2006 4:34 am

Joined: Fri Jun 23, 2006 4:13 am
Posts: 5
Hi,

maybe the perl script isn't executed correctly.
Please check if you are able to execute the script from the command line:

./pix-vpn-users.pl -r <router> -u <username> -p <password> -e <enable password>

You should get the number of connected vpn users.

Regards

speedy


PostPosted: Mon Jun 26, 2006 4:57 am

Joined: Thu Jun 22, 2006 3:43 am
Posts: 20
Hi Speedy,

Thanks for the quick reply. I'm still not sure if it is executing correctly, because maybe I'm running it wrong at the command line. I typed:

C:\cacti2\scripts>pix-vpn-users.pl -r <ipaddress router> -u <> -p <password> -e <enable>
> was unexpected at this time.

Note that the username is null and in cacti I allowed it to have a null value. Also when I write <null> as username or when I write the hostname instead of the IP address of the router, it says that the syntax is incorrect. Can I do it differently?

Regards


PostPosted: Mon Jun 26, 2006 5:46 am

Joined: Fri Jun 23, 2006 4:13 am
Posts: 5
Hi RUM,

at the moment the script isn't able to handle a blank username. I will change it and post the new version.


PostPosted: Mon Jun 26, 2006 5:47 am

Joined: Thu Jun 22, 2006 3:43 am
Posts: 20
Thanks I will keep an eye on this topic for updates.

Regards


PostPosted: Mon Jun 26, 2006 5:51 am

Joined: Thu Jun 22, 2006 3:43 am
Posts: 20
By the way,

Since you are a PIX user as well, maybe you can help me with this problem:

http://forums.cacti.net/viewtopic.php?t ... highlight=

If not, no hard feelings of course.

Regards


PostPosted: Mon Jun 26, 2006 7:56 am

Joined: Fri Jun 23, 2006 4:13 am
Posts: 5
I have updated the scripts. Please delete the username from the Data Input method "Cisco VPN - Active VPN users" if you don't want to use a username for telnet login.

Regards

speedy


PostPosted: Mon Jun 26, 2006 9:43 am

Joined: Thu Jun 22, 2006 3:43 am
Posts: 20
Hi,

Thanks for updating so fast Speedy, well of course, that's why you're called Speedy.

Now, I have one problem left. I looked at the poller when it runs. It doesn't seem to recognize the password of the router, or at least part of the password. It tells me that: &xcvjk (example password), is not recognized as an internal or external command.

Is it possible that it's because of the & character?

Regards


PostPosted: Mon Jun 26, 2006 11:19 am
Cacti User

Joined: Wed Sep 28, 2005 1:39 pm
Posts: 495
Hey Speedy, thanks for the template!

I've been desperate to find a way to monitor VPN connections to a couple of PIXen and a couple of 2600 routers. Like you, I haven't found any SNMP/MIB support for VPN monitoring.

Having seen your script, I'm wondering if I might be able to edit it for use with Nagios to verify specific tunnels. If you know how to do this already, please share! :)


PostPosted: Tue Jun 27, 2006 2:33 am

Joined: Fri Jun 23, 2006 4:13 am
Posts: 5
Hi,

sorry there was a mistake in the new script. Please download the new version.

For the password problem try to put the password into quotes. Normally the character & is used for command execution.

There is no problem to use the script to execute other commands. You only have to replace the command in the line "print $handle "sh uauth\n";" and change the section for output handling.

Otherwise take a look at the MRAT Tool:
http://www.serreyn.com/software/mrat/

Regards

speedy


PostPosted: Tue Jun 27, 2006 4:15 pm
Cacti User

Joined: Wed Sep 28, 2005 1:39 pm
Posts: 495
speedy wrote:
There is no problem to use the script to execute other commands. You only have to replace the command in the line "print $handle "sh uauth\n";" and change the section for output handling.


No problem for you maybe... :) I, on the other hand, will spend a week poring over the meaning of everything in the output section.


PostPosted: Mon Sep 25, 2006 1:40 pm
Cacti User

Joined: Thu Jul 07, 2005 11:53 am
Posts: 50
Location: Mass, USA
Has anyone written a script that uses ssh instead of telnet?

Thanks :D


PostPosted: Thu Sep 28, 2006 8:30 am
Cacti User

Joined: Thu Oct 06, 2005 5:03 am
Posts: 402
RUM wrote:
Hi,

Thanks for updating so fast Speedy, well of course, that's why you're called Speedy.

Now, I have one problem left. I looked at the poller when it runs. It doesn't seem to recognize the password of the router, or at least part of the password. It tells me that: &xcvjk (example password), is not recognized as an internal or external command.

Is it possible that it's because of the & character?

Regards


replace & with \&

_________________
cacti rulez!
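
Added example, not part of the thread and not the pix-vpn-users.pl script: why a password such as &xcvjk breaks when a poller passes the command line through a shell, and a quoting helper for POSIX sh. sh_quote, run_as_poller and SHOW_ARGS are hypothetical stand-ins and the enable password is constructed; cmd.exe, where the error above was seen, has its own quoting rules.

```shell
#!/bin/sh
# Added example, not code from this thread. Credentials are constructed.

# sh_quote STRING: print STRING as one single-quoted POSIX shell word.
# Inside single quotes &, ;, |, $ and spaces are literal; an embedded '
# is written as '\'' (close quote, escaped quote, reopen quote).
sh_quote() {
    rest=$1
    quoted=
    while :; do
        case $rest in
            *\'*)
                before=${rest%%\'*}    # text before the first '
                rest=${rest#*\'}       # text after it
                quoted="$quoted$before'\\''"
                ;;
            *)  quoted="$quoted$rest"; break ;;
        esac
    done
    printf "'%s'" "$quoted"
}

# Hypothetical stand-in for pix-vpn-users.pl: prints every argument it
# actually receives in brackets, so splitting by the shell is visible.
SHOW_ARGS="printf '[%s]'"

# Hypothetical stand-in for a poller that passes one command string to a
# shell. Errors are swallowed so partial output can be inspected.
run_as_poller() {
    sh -c "$1" 2>/dev/null || true
}

# Command line built by plain string concatenation (the failing case).
unquoted_cmd() {
    printf '%s -p %s -e %s' "$SHOW_ARGS" "$1" "$2"
}

# Same command line with each credential passed through sh_quote.
quoted_cmd() {
    printf '%s -p %s -e %s' "$SHOW_ARGS" "$(sh_quote "$1")" "$(sh_quote "$2")"
}

PASS='&xcvjk'     # example password quoted in the thread
ENABLE='secret2'  # constructed enable password

echo "unquoted: $(run_as_poller "$(unquoted_cmd "$PASS" "$ENABLE")")"
echo "quoted:   $(run_as_poller "$(quoted_cmd "$PASS" "$ENABLE")")"
```

In the unquoted run the shell ends the command at the & and tries to execute the rest of the password as a program, so the stand-in script never sees the password or the enable password.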


 Post subject: revisiting this
PostPosted: Tue Oct 24, 2006 8:34 am 
Cacti Pro User

Joined: Thu Nov 21, 2002 8:55 am
Posts: 703
Location: Austin, TX
check out remote-access under the CLI in ver 7.2.1... I believe this may be what you are looking for

per the cli:

Quote:
remote-access Configure SNMP trap threshold for VPN remote-access
sessions


granted, it is for thresholding, at least you can trigger an snmp trap

_________________
Cacti1 OS: CentOS 5.6 | 300+ devices
Cacti2 OS: CentOS 5.6 | 300+ devices
King of the Elves
Local Anarchists Union #427
"Anarchism is founded on the observation that since few men are wise enough to rule themselves, even fewer are wise enough to rule others." -Edward Abbey

