Panos Kampanakis
Cisco Employee

Under construction

Introduction

Logging in high-performance environments is non-trivial. NetFlow on the ASA provides an efficient way to track connection creation, teardown and denies, because it sends binary data in UDP packets instead of ASCII-based syslog messages. The implementation used on the ASA platforms is NetFlow v9, which is defined in RFC 3954.

The feature was introduced in ASA 8.2.1/ASDM 6.2.1. For information on the feature itself, its functionality and limitations, you can read here. The document below shows how to use ASDM to configure the ASA to send NetFlow information to the NetFlow collector.

Configuration


Configure the Collector

In ASDM, under Configuration, go to Device Management > Logging > Netflow.

 

[Screenshot: general1.JPG]

There you can set the NetFlow collector IP address, the ASA interface it is behind and the port it listens on.

You can also set the template packet send frequency and disable the syslogs that become redundant once the same information is exported via NetFlow.

[Screenshot: general2.JPG]

Configure the NetFlow information extraction

To make the ASA start sending information to the collector defined above, go to Firewall > Service Policy Rules.

[Screenshot: sp1.JPG]

Create a new service policy; it must be applied GLOBALLY.

[Screenshot: sp2.JPG]

Define the traffic for which you want to collect NetFlow statistics.

[Screenshot: sp3.JPG]

[Screenshot: sp4.JPG]

Then select the collector (defined above) to which the statistics for this traffic will be sent.

[Screenshot: sp5.JPG]

Finally, you have a NetFlow service policy on your ASA.

[Screenshot: sp6.JPG]

Finalized configuration

After deploying these changes to the ASA, your configuration for the feature should look like this:

access-list global_mpc extended permit ip any any
!
flow-export destination inside 192.168.1.13 2055
!
class-map global_class
 match access-list global_mpc
!
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
 class global_class
  flow-export event-type all destination 192.168.1.13
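Once this policy is in place, the collector at 192.168.1.13 receives binary NetFlow v9 datagrams on UDP 2055 instead of syslog text. The following Python example is added here and is not from the original page: a minimal parser that learns the template flowsets the ASA resends periodically and decodes the data records against them, run on a constructed datagram rather than a real capture. The field ids for addresses, ports and protocol are from RFC 3954; the NSEL firewall-event field id 233 and its event codes are an assumption not stated on this page.

```python
import struct

# RFC 3954 field ids for addresses/ports/protocol; 233 (NF_F_FW_EVENT) and its codes are assumed.
FIELD_NAMES = {8: "src_ip", 12: "dst_ip", 7: "src_port", 11: "dst_port",
               4: "protocol", 233: "fw_event"}
FW_EVENTS = {0: "ignore", 1: "created", 2: "deleted", 3: "denied", 5: "updated"}

def decode_field(ftype, raw):  # IPv4 fields become dotted quads, everything else big-endian ints
    return ".".join(str(b) for b in raw) if ftype in (8, 12) else int.from_bytes(raw, "big")

def parse_netflow_v9(datagram, templates):
    """Parse one v9 datagram; templates dict (keyed by (source_id, template_id)) persists across calls."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", datagram[:20])
    if version != 9:
        raise ValueError("not a NetFlow v9 datagram")
    records, offset = [], 20
    while offset + 4 <= len(datagram):
        flowset_id, length = struct.unpack("!HH", datagram[offset:offset + 4])
        if length < 4: break  # malformed length: stop instead of looping forever
        body = datagram[offset + 4:offset + length]
        if flowset_id == 0:  # template flowset: learn the record layouts it carries
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                fields = [struct.unpack("!HH", body[pos + 4 + 4 * i:pos + 8 + 4 * i]) for i in range(nfields)]
                templates[(source_id, tid)] = fields
                pos += 4 + 4 * nfields
        elif flowset_id > 255 and (source_id, flowset_id) in templates:
            tmpl = templates[(source_id, flowset_id)]  # data flowset whose template we already know
            reclen, pos = sum(flen for _, flen in tmpl), 0
            while pos + reclen <= len(body):  # trailing bytes shorter than a record are padding
                rec, p = {}, pos
                for ftype, flen in tmpl:
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[p:p + flen])
                    p += flen
                if "fw_event" in rec:
                    rec["fw_event"] = FW_EVENTS.get(rec["fw_event"], rec["fw_event"])
                records.append(rec)
                pos += reclen
        offset += length  # data for a template not yet seen is skipped until the template arrives
    return records

def build_sample_datagram():
    """Constructed datagram (not a real ASA capture): one template plus two NSEL-style records."""
    layout = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (233, 1)]
    template = struct.pack("!HHHH", 0, 32, 256, 6) + b"".join(struct.pack("!HH", *f) for f in layout)
    rec1 = bytes([192, 168, 1, 50, 10, 0, 0, 5]) + struct.pack("!HHBB", 51000, 443, 6, 1)
    rec2 = bytes([192, 168, 1, 77, 10, 0, 0, 9]) + struct.pack("!HHBB", 40000, 22, 6, 3)
    header = struct.pack("!HHIIII", 9, 3, 1000, 1262304000, 1, 0)
    return header + template + struct.pack("!HH", 256, 32) + rec1 + rec2
```

Because the template is only resent at the interval configured on the Netflow page in ASDM, a collector started between template refreshes silently drops data records until the next template arrives, which is exactly the case the second branch handles.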

Comments
Eduardo Camio
Level 1

Which ASA and ASDM software versions support this feature? I'm already running 8.0.4 and 6.1.5 respectively and it is not present.

Thanks in advance.

Panos Kampanakis
Cisco Employee

The feature was introduced in ASA 8.2.1/ASDM 6.2.1.

So you would need to upgrade.

jakewilson
Level 1

We have been getting a few calls with questions on the uniqueness of the NetFlows exported by the Cisco ASA. Check out this PDF:

http://www.plixer.com/files/netflow-on-the-asa-11-18-09.pdf

c.pangkerego
Level 1

Not sure if this matters or not, but if we're following the pictures, there are a few typos.

It should say:

class-map global-class NOT class-map global_class

class global-class NOT class global_class

santiago.jem
Level 1

Hi Gio,

May I know what the ideal NetFlow analyzer for the Cisco ASA is?

The one you're using or you would recommend. Hope it's free!

Hoping to hear from you soon.

Thank you.

Alcides Miguel
Level 1

Hi,

How do I get the Cisco ASA to export the interface names instead of the ifindex, and also export the appliance name?

Best regards,

Alcides

jakewilson
Level 1

The Cisco ASA will not export an interface option template using NetFlow like IOS does. The only way to get those interface names is via SNMP, which is what most NetFlow solutions use to get them.

semills
Community Member

I followed the configuration above and it works on my ASAs that do not have AnyConnect configured on them. But the ASA with AnyConnect configured does not send data to the NetFlow collector. Below is the sh flow-export counters output from one of the affected ASAs. As you can see, the collector is pingable.

Lokasa5520# sh flow-export counters
destination: inside 10.89.0.20 2055
  Statistics:
    packets sent                                          5173026
  Errors:
    block allocation failure                                    0
    invalid interface                                           0
    template send failure                                       1
    no route to collector                                       1
Lokasa5520# ping 10.89.0.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.89.0.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/104/110 ms
Lokasa5520#

walter baziuk
Level 5

I have it configured on our 5506-X with the SF module.

How do I configure the FMC VM GUI to accept the NetFlow?

How do I tell it to accept the port specified, sent from the ASA and rtr?

Kuat Bakenov
Level 1

Example: change port 514 to 8888

    logging host dmz 1.1.1.1 1/8888

bbiandov
Level 1

Excellent guide, thank you! The ASA is a perfect NetFlow sensor right out of the box!

How do I configure the flow export to send the source MAC address as well?

Supposedly, this is a feature of Flexible NetFlow.

strosale@cisco.com
Cisco Employee

!
access-list [aclname] extended permit ip any any
!
class-map [name"A"]
 match access-list [aclname]
!
policy-map global_policy
 class [name"A"]
  flow-export event-type all destination [collector]
!
