Netflow Analyzer on ASA 5505 with 8.2.2

Unanswered Question
Mar 20th, 2010


We have a VPN to a remote office.  The remote office has an ASA 5505 on firmware 8.2.2 and VPNs to my ASA 5520.  It has a 4mb line and sometimes this line hits 4mb for up to an hour and I need to find out who and what it is.  In other offices I have used Netflow Analyzer with my Cisco switches and spanned a port; I was wondering if anyone has set this up for the ASA as it is now supported in 8.2.x!

Kureli Sankar Sat, 03/20/2010 - 07:00

Follow the following configuration:

I will publish a document soon with the following information.

access-list netflow-hosts extended permit ip any any
flow-export destination inside 2444
flow-export template timeout-rate 1
flow-export delay flow-create 20
class-map NetFlow-traffic
match access-list netflow-hosts
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
 class NetFlow-traffic
  flow-export event-type all destination

service-policy global_policy global

Show commands:
*show flow-export counters*

Release note link for 8.1.1:​ml

Release note link for 8.2:​ml

supported netflow collectors:

AdventNet that we support according to this link below:​lutions_products_genericcontent0900aecd805ff728.html


Andy White Sat, 03/20/2010 - 07:10

I managed to get something working using Netflow Analyzer 7, but I have a problem. For example, if I copy 50mb over the VPN from my PC to the remote host, Netflow will see my traffic etc. but only says I have copied 7mb.

I'm on the road at the moment so will post my configuration later if that's ok?

Andy White Sat, 03/20/2010 - 13:56

This is what I have added via the Netflow Analyzer website -

(config)# flow-export destination inside 9996
(config)# flow-export template timeout-rate 1
(config)# flow-export delay flow-create 60
(config)# logging flow-export disable
(config)# access-list netflow-export extended permit ip any any
(config)# class-map netflow-export-class
(config-cmap)#match access-list netflow-export
(config)# policy-map netflow-export-policy
(config-pmap)# class netflow-export-class
(config-pmap-c)# flow-export event-type all destination
(config)# service-policy netflow-export-policy global

I just seem to get the wrong amount of data being detected but all the correct source and destination info and protocol info.  I just want to see that if 100mb from a PC inside the ASA is sent through the ASA's VPN it will see this as 100MB and not 7mb or thereabouts.

Kureli Sankar Sat, 03/20/2010 - 19:45

In the ACL, instead of matching ip any any, just match the file-copying hosts in question and see if you see correct data. Refer to this link to specify via access-list

You have and ?? Which one is correct? You have configured as a destination also?


Andy White Sun, 03/21/2010 - 00:53

At this remote site is the ASA and I need to monitor everything going through the ASA on the 172.19.5.x LAN.

The ASA is set up as a VPN to our HQ and all the traffic is pushed down this, even the internet.  Someone or something is using all the bandwidth from time to time and I need to find out.  I normally use Netflow on Cisco switches and span a port which works great; I've never used an ASA with Netflow before.

I'm monitoring all the inside traffic I believe and pushing the Netflow data to a PC there on  It sees the source and destination traffic and protocols, but incorrect volumes of traffic.  I just transferred 30mb over the VPN from the HQ to and it said I transferred 500kb.
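Added example, not part of this thread and not Cisco's or AdventNet's code, on why a collector can report 7mb for a 50mb copy. The ASA does not export periodic byte samples the way a switch's NetFlow cache does; NSEL exports connection events, and the flow-create event carries no octet counters at all. The initiator and responder byte totals are sent only in the flow-teardown event, when the connection closes (8.2 has no periodic flow-update event; that came in later releases), so a long-running copy shows up as almost nothing until it finishes, and a collector that charts create events will always undercount. The Python below builds a constructed NetFlow v9 export with a create template and a teardown template using the IANA IPFIX element ids that NSEL uses (231 initiatorOctets, 232 responderOctets, 233 firewallEvent), decodes it the way a collector must (templates first, then data records), and sums bytes per source/destination pair from teardown records only. All addresses, ports and byte counts are made up; only the 172.19.5.x range comes from the thread. One further note on the second configuration above: the ASA accepts a single global service-policy, so where global_policy is already applied, the flow-export class belongs inside it, as in the first reply, rather than in a second policy-map applied with the global keyword.

```python
import ipaddress
import struct
from collections import defaultdict

# IANA IPFIX information element ids; NSEL reuses these numbers in its v9 templates.
SRC, DST, SPORT, DPORT, PROTO = 8, 12, 7, 11, 4
INIT_OCTETS, RESP_OCTETS, FW_EVENT = 231, 232, 233
NAMES = {SRC: "src", DST: "dst", SPORT: "sport", DPORT: "dport", PROTO: "proto",
         INIT_OCTETS: "init_octets", RESP_OCTETS: "resp_octets", FW_EVENT: "fw_event"}
FW_CREATED, FW_DELETED = 1, 2   # NSEL firewall event codes: flow created / flow torn down

# Template field lists (id, length in bytes): the create record carries no byte counters.
CREATE_TPL = [(SRC, 4), (DST, 4), (SPORT, 2), (DPORT, 2), (PROTO, 1), (FW_EVENT, 1)]
TEARDOWN_TPL = CREATE_TPL + [(INIT_OCTETS, 8), (RESP_OCTETS, 8)]


def ip2int(s):
    return int(ipaddress.IPv4Address(s))


def int2ip(n):
    return str(ipaddress.IPv4Address(n))


def build_packet(templates, records, seq=1):
    """Build one NetFlow v9 export packet: a template flowset (id 0) followed by one
    data flowset per record. Used only to construct test input; not a real capture."""
    tpl = b"".join(struct.pack("!HH", tid, len(f)) +
                   b"".join(struct.pack("!HH", *fl) for fl in f)
                   for tid, f in templates.items())
    body = struct.pack("!HH", 0, 4 + len(tpl)) + tpl
    for tid, rec in records:
        data = b"".join(int(rec[ft]).to_bytes(ln, "big") for ft, ln in templates[tid])
        data += b"\x00" * (-len(data) % 4)          # data flowsets are padded to 4 bytes
        body += struct.pack("!HH", tid, 4 + len(data)) + data
    count = len(templates) + len(records)
    return struct.pack("!HHIIII", 9, count, 0, 0, seq, 0) + body   # 20-byte v9 header


def decode_packet(pkt, templates):
    """Parse one v9 packet. Templates are learned into `templates` (keyed by template id);
    data flowsets whose template has not been seen yet are skipped, as a collector must."""
    version = struct.unpack("!H", pkt[:2])[0]
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    pos, records = 20, []
    while pos + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack("!HH", pkt[pos:pos + 4])
        if fs_len < 4:
            break                                    # malformed length; stop parsing
        payload = pkt[pos + 4:pos + fs_len]
        if fs_id == 0:                               # template flowset
            p = 0
            while p + 4 <= len(payload):
                tid, nf = struct.unpack("!HH", payload[p:p + 4])
                p += 4
                fields = [struct.unpack("!HH", payload[p + 4 * i:p + 4 * i + 4])
                          for i in range(nf)]
                p += 4 * nf
                templates[tid] = fields
        elif fs_id in templates:                     # data flowset with a known template
            fields = templates[fs_id]
            rlen = sum(ln for _, ln in fields)
            p = 0
            while rlen and p + rlen <= len(payload):
                rec = {}
                for ft, ln in fields:
                    rec[NAMES.get(ft, ft)] = int.from_bytes(payload[p:p + ln], "big")
                    p += ln
                records.append(rec)
        pos += fs_len
    return records


def bytes_per_pair(records):
    """Sum transferred bytes per (src, dst). Only teardown records carry octet counters,
    so a flow that is still open contributes nothing, however much it has moved."""
    totals = defaultdict(int)
    for r in records:
        if r.get("fw_event") == FW_DELETED:
            key = (int2ip(r["src"]), int2ip(r["dst"]))
            totals[key] += r.get("init_octets", 0) + r.get("resp_octets", 0)
    return dict(totals)


def demo():
    """Constructed export from a hypothetical ASA: two flows created, only one torn down."""
    lan, lan2, hq = ip2int("172.19.5.10"), ip2int("172.19.5.20"), ip2int("10.0.0.5")  # made up
    recs = [
        (256, {SRC: lan, DST: hq, SPORT: 50000, DPORT: 445, PROTO: 6, FW_EVENT: FW_CREATED}),
        (256, {SRC: lan2, DST: hq, SPORT: 50001, DPORT: 443, PROTO: 6, FW_EVENT: FW_CREATED}),
        (257, {SRC: lan, DST: hq, SPORT: 50000, DPORT: 445, PROTO: 6, FW_EVENT: FW_DELETED,
               INIT_OCTETS: 30_000_000, RESP_OCTETS: 1_200_000}),
    ]
    pkt = build_packet({256: CREATE_TPL, 257: TEARDOWN_TPL}, recs)
    records = decode_packet(pkt, {})
    return records, bytes_per_pair(records)


if __name__ == "__main__":
    records, totals = demo()
    print(f"{len(records)} records decoded; bytes accounted so far per pair: {totals}")
```

Running it decodes three records (two create, one teardown) but attributes bytes to only one pair: the second flow is still open and has no teardown record yet, so its transfer is invisible to the collector regardless of how much has crossed the VPN. That is the behaviour a 4mb link saturating for an hour will show on an 8.2 ASA until the offending connection closes.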

