Netflow Analyzer on ASA 5505 with 8.2.2

Andy White, Level 3

Hello,

We have a VPN to a remote office. The remote office has an ASA 5505 on firmware 8.2.2 and VPNs to my ASA 5520. It has a 4 Mb line, and sometimes this line hits 4 Mb/s for up to an hour, and I need to find out who and what it is. In other offices I have used NetFlow Analyzer with my Cisco switches and spanned a port; I was wondering if anyone has set this up for the ASA, as it is now supported in 8.2.x!

http://www.manageengine.com/products/netflow/cisco-netflow.html

5 Replies

Kureli Sankar, Cisco Employee

Use the following configuration:

I will publish a document soon with the following information.

access-list netflow-hosts extended permit ip any any
!
flow-export destination inside 192.168.1.1 2444
flow-export template timeout-rate 1
flow-export delay flow-create 20
!
class-map NetFlow-traffic
 match access-list netflow-hosts
!
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
 class NetFlow-traffic
  flow-export event-type all destination 192.168.1.1
!
service-policy global_policy global

Show commands:
show flow-export counters


Release note link for 8.1.1:
http://www.cisco.com/en/US/docs/security/asa/asa81/release/notes/asarn81.html

Release note link for 8.2:
http://www.cisco.com/en/US/docs/security/asa/asa82/release/notes/asarn82.html

http://www.cisco.com/en/US/docs/security/asa/asa82/netflow/netflow.html

Supported NetFlow collectors:

AdventNet, which we support according to the link below:

http://www.cisco.com/en/US/prod/iosswrel/ps6537/ps6555/ps6601/networking_solutions_products_genericcontent0900aecd805ff728.html

-KS
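The configuration above exports NetFlow v9 (NSEL) records to a collector and re-sends the templates every minute (flow-export template timeout-rate 1). The following is an added example, not code from this thread, from Cisco or from ManageEngine: a minimal template-driven v9 decoder fed three constructed packets. It shows why the template refresh interval matters (a data flowset that arrives before its template cannot be decoded, so a collector started between refreshes reports nothing for up to that interval) and how per-conversation byte totals are built from the fields the template declares. The template field ids and lengths (233 for the event type with 2 meaning teardown, 231/232 for the byte counts) and the rule that only teardown records carry byte counts are assumptions made for this example; the thread does not state them.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v9 framing (RFC 3954): header = version(2) count(2) uptime(4) secs(4) seq(4) source_id(4);
# each flowset = id(2) length(2) body, where id 0 is a template flowset and id >= 256 a data flowset.
HEADER, FLOWSET = struct.Struct("!HHIIII"), struct.Struct("!HH")

# Constructed template; field ids/lengths are ASSUMPTIONS for this example, not taken from the thread.
TEMPLATE_ID = 256
FIELDS = [(8, 4), (12, 4),          # IPV4_SRC_ADDR, IPV4_DST_ADDR
          (7, 2), (11, 2), (4, 1),  # L4_SRC_PORT, L4_DST_PORT, PROTOCOL
          (233, 1),                 # firewall event: 1 = flow created, 2 = flow torn down (assumed)
          (231, 4), (232, 4)]       # byte counts, one per direction (assumed ids and 4-byte length)
IPV4_FIELDS, EVENT_CREATED, EVENT_DELETED = {8, 12}, 1, 2

def build_template_flowset(template_id, fields):
    body = FLOWSET.pack(template_id, len(fields)) + b"".join(FLOWSET.pack(t, l) for t, l in fields)
    return FLOWSET.pack(0, FLOWSET.size + len(body)) + body

def build_data_flowset(template_id, fields, records):
    body = b"".join(v.to_bytes(l, "big") for rec in records for (_, l), v in zip(fields, rec))
    body += b"\x00" * (-len(body) % 4)                      # pad to a 32-bit boundary
    return FLOWSET.pack(template_id, FLOWSET.size + len(body)) + body

def build_packet(flowsets, seq, source_id=1):
    return HEADER.pack(9, len(flowsets), 0, 0, seq, source_id) + b"".join(flowsets)

class V9Collector:
    """Template-driven NetFlow v9 decoder; templates are keyed by (source id, template id)."""

    def __init__(self):
        self.templates, self.records = {}, []
        self.undecodable = 0        # data flowsets that arrived before their template

    def feed(self, packet):
        version, _, _, _, _, source_id = HEADER.unpack_from(packet)
        if version != 9:
            raise ValueError("not NetFlow v9")
        off = HEADER.size
        while off + FLOWSET.size <= len(packet):
            fs_id, fs_len = FLOWSET.unpack_from(packet, off)
            if fs_len < FLOWSET.size:
                raise ValueError("bad flowset length")
            body = packet[off + FLOWSET.size:off + fs_len]
            if fs_id == 0:
                self._templates(source_id, body)
            elif fs_id >= 256:
                self._data(source_id, fs_id, body)
            off += fs_len

    def _templates(self, source_id, body):
        off = 0
        while off + FLOWSET.size <= len(body):
            template_id, nfields = FLOWSET.unpack_from(body, off)
            if template_id < 256 or nfields == 0:           # trailing padding, not a template
                break
            off += FLOWSET.size
            self.templates[(source_id, template_id)] = [FLOWSET.unpack_from(body, off + 4 * i)
                                                        for i in range(nfields)]
            off += 4 * nfields

    def _data(self, source_id, template_id, body):
        fields = self.templates.get((source_id, template_id))
        if fields is None:
            self.undecodable += 1                            # cannot decode until the template arrives
            return
        rec_len = sum(l for _, l in fields)
        for off in range(0, len(body) - rec_len + 1, rec_len):
            rec, pos = {}, off
            for t, l in fields:
                raw, pos = body[pos:pos + l], pos + l
                rec[t] = str(IPv4Address(raw)) if t in IPV4_FIELDS else int.from_bytes(raw, "big")
            self.records.append(rec)

def bytes_per_conversation(records):
    """Sum both directions per (src, dst); only teardown records carry the counts (assumption)."""
    totals = defaultdict(int)
    for r in records:
        if r.get(233) == EVENT_DELETED:
            totals[(r[8], r[12])] += r.get(231, 0) + r.get(232, 0)
    return dict(totals)

def demo():
    """Constructed sequence: data before any template, a template refresh, then create + teardown."""
    src, dst = int(IPv4Address("172.19.5.14")), int(IPv4Address("10.1.1.20"))
    created = [src, dst, 49152, 445, 6, EVENT_CREATED, 0, 0]
    teardown = [src, dst, 49152, 445, 6, EVENT_DELETED, 31_457_280, 1_048_576]   # ~30 MB copy
    collector = V9Collector()
    collector.feed(build_packet([build_data_flowset(TEMPLATE_ID, FIELDS, [created])], seq=1))
    collector.feed(build_packet([build_template_flowset(TEMPLATE_ID, FIELDS)], seq=2))
    collector.feed(build_packet([build_data_flowset(TEMPLATE_ID, FIELDS, [created, teardown])], seq=3))
    return collector
```

The first packet is silently unusable (undecodable == 1) because no template has been seen; after the refresh in packet 2 the records in packet 3 decode and the totals add up. A collector that expects byte counts in the classic IN_BYTES/OUT_BYTES fields (ids 1 and 23) rather than in whatever fields the exporter's template actually names would show exactly the symptom of right hosts and ports but wrong volumes, which is why the template, not a fixed layout, has to drive the decoding.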

I managed to get something working using NetFlow Analyzer 7, but I have a problem. For example, if I copy 50 MB over the VPN from my PC to the remote host, NetFlow will see my traffic etc., but only says I have copied 7 MB.

I'm on the road at the moment, so will post my config later, if that's ok?

This is what I have added via the NetFlow Analyzer website - http://forums.manageengine.com/#Topic/49000003577055

(config)# flow-export destination inside 172.19.5.14 9996
(config)# flow-export template timeout-rate 1
(config)# flow-export delay flow-create 60
(config)# logging flow-export disable
(config)# access-list netflow-export extended permit ip any any
(config)# class-map netflow-export-class
(config-cmap)# match access-list netflow-export
(config)# policy-map netflow-export-policy
(config-pmap)# class netflow-export-class
(config-pmap-c)# flow-export event-type all destination 172.19.5.1
(config)# service-policy netflow_export_policy global

I just seem to get the wrong amount of data being detected, but all the correct source and destination info and protocol info. I just want to see that if a PC inside the ASA sends 100 MB through the ASA's VPN, it will see this as 100 MB and not 7 MB or thereabouts.

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/ef.html#wp1933839

In the ACL, instead of matching ip any any, just match the file-copying hosts in question and see if you see correct data. Refer to this link for specifying hosts via access-list:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_nsel.html#wp1115827

You have 172.19.5.14 and 172.19.5.1?? Which one is correct? Do you have 172.19.5.1 configured as a destination as well?

-KS
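The mismatch KS points out above (172.19.5.14 in the flow-export destination line, 172.19.5.1 in the class action) is the kind of thing that is easy to miss in a pasted config, and the same snippet applies a policy-map under a name (netflow_export_policy) that differs from the one defined (netflow-export-policy). The following is an added example, not code from this thread, from Cisco or from ManageEngine: a small Python cross-check of the NSEL export chain, run over a constructed copy of the configuration posted above with the CLI prompts stripped, next to an assumed corrected copy (the thread itself does not show a fix).

```python
# Constructed copy of the configuration posted above, with the CLI prompts stripped.
POSTED = """\
flow-export destination inside 172.19.5.14 9996
flow-export template timeout-rate 1
flow-export delay flow-create 60
logging flow-export disable
access-list netflow-export extended permit ip any any
class-map netflow-export-class
 match access-list netflow-export
policy-map netflow-export-policy
 class netflow-export-class
  flow-export event-type all destination 172.19.5.1
service-policy netflow_export_policy global
"""

# Assumed fix (not shown in the thread): one collector address everywhere, one policy-map name.
FIXED = (POSTED.replace("destination 172.19.5.1\n", "destination 172.19.5.14\n")
               .replace("netflow_export_policy", "netflow-export-policy"))

# Class names the ASA's default configuration already provides.
DEFAULT_CLASSES = {"class-default", "inspection_default"}

def lint_nsel_config(text):
    """Cross-check every object in the NSEL export chain against what the config defines."""
    destinations, acls, applied = set(), set(), set()
    classmaps, policymaps = {}, {}       # name -> ACLs matched ; name -> {class: [collector ips]}
    cur_cmap = cur_pmap = cur_class = None
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 2:
            continue
        if tok[:2] == ["flow-export", "destination"] and len(tok) >= 4:
            destinations.add(tok[3])
        elif tok[0] == "access-list":
            acls.add(tok[1])
        elif tok[0] == "class-map":
            cur_cmap, cur_pmap = tok[1], None
            classmaps.setdefault(cur_cmap, set())
        elif tok[:2] == ["match", "access-list"] and cur_cmap and len(tok) >= 3:
            classmaps[cur_cmap].add(tok[2])
        elif tok[0] == "policy-map":
            cur_pmap, cur_cmap, cur_class = tok[1], None, None
            policymaps.setdefault(cur_pmap, {})
        elif tok[0] == "class" and cur_pmap:
            cur_class = tok[1]
            policymaps[cur_pmap].setdefault(cur_class, [])
        elif tok[:2] == ["flow-export", "event-type"] and cur_pmap and cur_class:
            policymaps[cur_pmap][cur_class].append(tok[-1])   # last token is the collector address
        elif tok[0] == "service-policy":
            applied.add(tok[1])

    findings = []
    for cmap, acl_names in classmaps.items():
        for acl in sorted(acl_names - acls):
            findings.append(f"class-map {cmap} matches undefined access-list {acl}")
    for pmap, classes in policymaps.items():
        for cls, dests in classes.items():
            if cls not in classmaps and cls not in DEFAULT_CLASSES:
                findings.append(f"policy-map {pmap} references undefined class-map {cls}")
            for d in dests:
                if d not in destinations:
                    findings.append(f"policy-map {pmap} class {cls} exports to {d}, but "
                                    f"'flow-export destination' declares {sorted(destinations) or 'nothing'}")
    for pmap in sorted(applied - set(policymaps)):
        findings.append(f"service-policy applies undefined policy-map {pmap} (defined: {sorted(policymaps)})")
    if not any(dests for p in applied & set(policymaps) for dests in policymaps[p].values()):
        findings.append("no applied policy-map carries a 'flow-export event-type' action, so nothing is exported")
    return findings
```

Against the posted copy this reports three problems (the undeclared 172.19.5.1 collector, the undefined policy-map name in the service-policy line, and, as a consequence, no applied policy exporting anything); against the corrected copy it reports none. The check is structural and works on the output of show running-config just as well. One thing a pasted fragment cannot reveal: the ASA accepts only one global service policy, so a second service-policy ... global is refused when global_policy is already applied globally. KS's configuration earlier in the thread avoids that by adding the NetFlow class to the existing global_policy instead of creating a new policy-map.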

At this remote site, 172.19.5.1 is the ASA, and I need to monitor everything going through the ASA on the 172.19.5.x LAN.

The ASA is set up as a VPN to our HQ and all the traffic is pushed down this, even the internet. Someone or something is using all the bandwidth from time to time and I need to find out what. I normally use NetFlow on Cisco switches and span a port, which works great; I've never used an ASA with NetFlow before.

I'm monitoring all the inside traffic, I believe, and pushing the NetFlow data to a PC there on 172.19.5.14. It sees the source and destination traffic and protocols, but incorrect volumes of traffic. I just transferred 30 MB over the VPN from the HQ to 172.19.5.14 and it said I transferred 500 KB.
