We have a VPN to a remote office. The remote office has an ASA 5505 on firmware 8.2.2 and VPNs to my ASA 5520. It has a 4mb line and sometimes this line hits 4mb for up to an hour and I need to find out who and what it is. In other offices I have used Netflow Analyzer with my Cisco switches and spanned a port. I was wondering if anyone has set this up for the ASA, as it is now supported in 8.2.x!
I managed to get something working using Netflow Analyzer 7, but I have a problem. For example, if I copy 50mb over the VPN from my PC to the remote host, Netflow will see my traffic etc. but may only say I have copied 7mb.
I'm on the road at the moment so will post my config later if that's ok?
(config)# flow-export destination inside 172.19.5.14 9996
(config)# flow-export template timeout-rate 1
(config)# flow-export delay flow-create 60
(config)# logging flow-export disable
(config)# access-list netflow-export extended permit ip any any
(config)# class-map netflow-export-class
(config-cmap)# match access-list netflow-export
(config)# policy-map netflow-export-policy
(config-pmap)# class netflow-export-class
(config-pmap-c)# flow-export event-type all destination 172.19.5.1
(config)# service-policy netflow_export_policy global
I just seem to get the wrong amount of data being detected, but all the correct source and destination info and protocol info. I just want to see that if a PC inside the ASA sends 100mb through the ASA's VPN, it will see this as 100MB and not 7mb or thereabouts.
At this remote site 172.19.5.1 is the ASA and I need to monitor everything going through the ASA on the 172.19.5.x LAN.
The ASA is set up as a VPN to our HQ and all the traffic is pushed down this, even the internet. Someone or something is using all the bandwidth from time to time and I need to find out. I normally use Netflow on Cisco switches and span a port, which works great. I've never used an ASA with Netflow before.
I'm monitoring all the inside traffic, I believe, and pushing the Netflow data to a PC there on 172.19.5.14. It sees the source and destination traffic and protocols, but incorrect volumes of traffic. I just transferred 30mb over the VPN from the HQ to 172.19.5.14 and it said I transferred 500kb.
We have configured the outside and inside interfaces with official IPv6 addresses and set a default route on the outside interface to our router. We have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...