03-20-2010 01:54 AM - edited 03-11-2019 10:24 AM
Hello,
We have a VPN to a remote office. The remote office has an ASA 5505 on firmware 8.2.2 and VPNs to my ASA 5520. It has a 4 Mb line, and sometimes this line hits 4 Mb for up to an hour, and I need to find out who and what it is. In other offices I have used NetFlow Analyzer with my Cisco switches and spanned a port; I was wondering if anyone has set this up for the ASA, as it is now supported in 8.2.x!
http://www.manageengine.com/products/netflow/cisco-netflow.html
03-20-2010 07:00 AM
Use the following configuration:
I will publish a document soon with the following information.
access-list netflow-hosts extended permit ip any any
!
flow-export destination inside 192.168.1.1 2444
flow-export template timeout-rate 1
flow-export delay flow-create 20
!
class-map NetFlow-traffic
match access-list netflow-hosts
!
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
class NetFlow-traffic
flow-export event-type all destination 192.168.1.1
service-policy global_policy global
Show commands:
*show flow-export counters*
Release note link for 8.1.1:
http://www.cisco.com/en/US/docs/security/asa/asa81/release/notes/asarn81.html
Release note link for 8.2:
http://www.cisco.com/en/US/docs/security/asa/asa82/release/notes/asarn82.html
http://www.cisco.com/en/US/docs/security/asa/asa82/netflow/netflow.html
Supported NetFlow collectors:
AdventNet is supported according to the link below:
http://www.cisco.com/en/US/prod/iosswrel/ps6537/ps6555/ps6601/networking_solutions_products_genericcontent0900aecd805ff728.html
-KS
03-20-2010 07:10 AM
I managed to get something working using NetFlow Analyzer 7, but I have a problem. For example, if I copy 50 MB over the VPN from my PC to the remote host, NetFlow will see my traffic etc., but only say I have copied 7 MB.
I'm on the road at the moment, so will post my config later, if that's OK?
03-20-2010 01:56 PM
This is what I have added via the NetFlow Analyzer website - http://forums.manageengine.com/#Topic/49000003577055
(config)# flow-export destination inside 172.19.5.14 9996
(config)# flow-export template timeout-rate 1
(config)# flow-export delay flow-create 60
(config)# logging flow-export disable
(config)# access-list netflow-export extended permit ip any any
(config)# class-map netflow-export-class
(config-cmap)# match access-list netflow-export
(config)# policy-map netflow-export-policy
(config-pmap)# class netflow-export-class
(config-pmap-c)# flow-export event-type all destination 172.19.5.1
(config)# service-policy netflow-export-policy global
I just seem to get the wrong amount of data being detected, but all the correct source, destination and protocol info. I just want to see that if I send 100 MB from a PC inside the ASA through the ASA's VPN, it will see this as 100 MB and not 7 MB or thereabouts.
03-20-2010 07:45 PM
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/ef.html#wp1933839
In the ACL, instead of matching ip any any, just match the file-copying hosts in question and see if you see correct data. Refer to this link to specify via access-list:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_nsel.html#wp1115827
You have 172.19.5.14 and 172.19.5.1?? Which one is correct? Do you have 172.19.5.1 configured as a destination also?
-KS
03-21-2010 12:53 AM
At this remote site 172.19.5.1 is the ASA, and I need to monitor everything going through the ASA on the 172.19.5.x LAN.
The ASA is set up as a VPN to our HQ and all the traffic is pushed down this, even the internet. Someone or something is using all the bandwidth from time to time and I need to find out. I normally use NetFlow on Cisco switches and span a port, which works great; I've never used an ASA with NetFlow before.
I'm monitoring all the inside traffic, I believe, and pushing the NetFlow data to a PC there on 172.19.5.14. It sees the source and destination traffic and protocols, but incorrect volumes of traffic. I just transferred 30 MB over the VPN from the HQ to 172.19.5.14 and it said I transferred 500 KB.
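Added example (not part of this thread, and not code from Cisco or from any collector product): a small Python script that builds a constructed NetFlow v9 export carrying an ASA NSEL-style template plus three flow records, decodes it the way a collector has to, and sums bytes per inside host, which is the "who is using the line" question asked above. It makes two things visible that bear on the posts above: a data record that arrives before its template cannot be decoded and is dropped, which is what `flow-export template timeout-rate 1` in the configs above is there to minimise; and, in this template (and, as I read the NSEL guide for 8.2 linked earlier, in the ASA's own records), byte counts travel only in flow-teardown records, so per-host totals lag until flows close. The field IDs 231/232/233 and the event codes are the ASA NSEL values as I recall them from that guide; treat them as assumptions and check them against your ASA release. All addresses, ports and byte counts are constructed sample data.

```python
"""Constructed NetFlow v9 / ASA NSEL export and a minimal collector-side decoder."""
import socket
import struct
from collections import defaultdict

# Field IDs. 8/12/7/11/4 are standard NetFlow v9 elements. 231/232/233 are the
# ASA NSEL byte-count and event-type elements as recalled from the NSEL guide
# (assumption: verify against the guide for your ASA release).
IPV4_SRC_ADDR, IPV4_DST_ADDR, L4_SRC_PORT, L4_DST_PORT, PROTOCOL = 8, 12, 7, 11, 4
NF_F_FWD_FLOW_DELTA_BYTES, NF_F_REV_FLOW_DELTA_BYTES, NF_F_FW_EVENT = 231, 232, 233
FW_EVENT_CREATED, FW_EVENT_DELETED, FW_EVENT_DENIED = 1, 2, 3   # NSEL event codes (assumption)

# (field id, length in bytes) of the single template this example exports.
TEMPLATE_FIELDS = [
    (IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2), (L4_DST_PORT, 2),
    (PROTOCOL, 1), (NF_F_FW_EVENT, 1),
    (NF_F_FWD_FLOW_DELTA_BYTES, 4), (NF_F_REV_FLOW_DELTA_BYTES, 4),
]


def build_packet(source_id, template_id, records, include_template=True):
    """Return one NetFlow v9 datagram: optional template flowset followed by one data flowset."""
    flowsets = b""
    if include_template:
        tmpl = struct.pack("!HH", template_id, len(TEMPLATE_FIELDS))
        tmpl += b"".join(struct.pack("!HH", t, l) for t, l in TEMPLATE_FIELDS)
        flowsets += struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl   # flowset id 0 = template flowset
    body = b""
    for r in records:
        body += socket.inet_aton(r["src"]) + socket.inet_aton(r["dst"])
        body += struct.pack("!HHBBII", r["sport"], r["dport"], r["proto"],
                            r["event"], r["fwd_bytes"], r["rev_bytes"])
    pad = (-len(body)) % 4                       # data flowsets are padded to a 32-bit boundary
    flowsets += struct.pack("!HH", template_id, 4 + len(body) + pad) + body + b"\x00" * pad
    count = len(records) + (1 if include_template else 0)
    # header: version, record count, sysUptime, unixSecs, sequence, sourceId
    return struct.pack("!HHIIII", 9, count, 0, 0, 0, source_id) + flowsets


def decode(raw):
    """Turn one raw record ({field id: bytes}) into a flow dict."""
    def u(ftype):
        return int.from_bytes(raw[ftype], "big")
    return {
        "src": socket.inet_ntoa(raw[IPV4_SRC_ADDR]), "dst": socket.inet_ntoa(raw[IPV4_DST_ADDR]),
        "sport": u(L4_SRC_PORT), "dport": u(L4_DST_PORT), "proto": u(PROTOCOL),
        "event": u(NF_F_FW_EVENT), "fwd_bytes": u(NF_F_FWD_FLOW_DELTA_BYTES),
        "rev_bytes": u(NF_F_REV_FLOW_DELTA_BYTES),
    }


def parse_v9(packet, templates):
    """Decode one datagram. `templates` is the collector's cache keyed by (source id, template id);
    data flowsets whose template has not been seen yet are skipped, as a real collector must do."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack_from("!HHIIII", packet, 0)
    if version != 9:
        raise ValueError("not NetFlow v9")
    flows, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        end = off + fs_len
        if fs_len < 4 or end > len(packet):
            raise ValueError("truncated flowset")
        if fs_id == 0:                                   # template flowset: learn record layouts
            p = off + 4
            while p + 4 <= end:
                tid, nfields = struct.unpack_from("!HH", packet, p)
                p += 4
                fields = []
                for _ in range(nfields):
                    fields.append(struct.unpack_from("!HH", packet, p))
                    p += 4
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:                               # data flowset (1..255 are reserved)
            fields = templates.get((source_id, fs_id))
            rec_len = sum(l for _, l in fields) if fields else 0
            p = off + 4
            while rec_len and p + rec_len <= end:
                raw = {}
                for ftype, flen in fields:
                    raw[ftype] = packet[p:p + flen]
                    p += flen
                flows.append(decode(raw))
        off = end
    return flows


def bytes_by_host(flows):
    """Sum bytes per inside source host. Only teardown records carry byte counts here,
    so hosts whose flows are still open contribute nothing yet."""
    totals = defaultdict(int)
    for f in flows:
        if f["event"] == FW_EVENT_DELETED:
            totals[f["src"]] += f["fwd_bytes"] + f["rev_bytes"]
    return dict(totals)


def sample_records():
    """Constructed events: 172.19.5.14 pulls 30 MB over SMB (create, then teardown) and a DNS lookup."""
    copy = dict(src="172.19.5.14", dst="10.0.0.5", sport=49152, dport=445, proto=6)
    return [
        dict(copy, event=FW_EVENT_CREATED, fwd_bytes=0, rev_bytes=0),
        dict(copy, event=FW_EVENT_DELETED, fwd_bytes=2048000, rev_bytes=31457280),
        dict(src="172.19.5.20", dst="8.8.8.8", sport=53001, dport=53, proto=17,
             event=FW_EVENT_DELETED, fwd_bytes=80, rev_bytes=200),
    ]


def run():
    templates = {}
    # Records that arrive before their template are undecodable and dropped.
    early = parse_v9(build_packet(1, 256, sample_records(), include_template=False), templates)
    flows = parse_v9(build_packet(1, 256, sample_records()), templates)
    return early, flows, bytes_by_host(flows)


if __name__ == "__main__":
    early, flows, totals = run()
    print(len(early), "records decoded before the template arrived;", len(flows), "after")
    for host, total in sorted(totals.items()):
        print(f"{host}: {total} bytes")
```

Run it as-is to see the first (template-less) datagram yield zero flows and the second yield three, with per-host totals only for the two hosts whose flows have torn down. To use it as a real collector, replace `run()` with a UDP socket bound to the port in `flow-export destination` and feed each datagram to `parse_v9` with a persistent `templates` dict.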