Netflow on ASA

Hello Team,

The customer wants to monitor specific traffic on the Internet, and we've configured NetFlow on the Internet router for those specific IPs.

Our NetFlow server is configured in the DMZ, and a firewall rule allows UDP ports 9996 and 2055. The firewall is allowing the traffic, but no logs are seen on the NetFlow server. Please advise whether NetFlow should be configured on the ASA to allow the NetFlow server to collect/capture traffic.

Below is the topology for reference. Please advise.

           Netflow Server (Destination) in DMZ---ASA---Internet Router (Source) ------ISP

4 Replies

Hello,

Please provide the ASA show running-config and packet-tracer output simulating the flow.

Make sure to remove sensitive information from show running-config.

Hi, below is the config of the Internet router and ASA for your reference.

Internet Router Config
**********************

ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination 172.22.5.17 9996
ip flow-export destination 172.22.64.35 9996

--------------------

interface GigabitEthernet0/0
description [ Internet connection to ISP]
ip address 116.212.XX.XX 255.255.255.252
ip access-group ACL-Internet in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in max-reassemblies 64
ip verify unicast source reachable-via rx allow-default 101
load-interval 30
duplex full
speed 1000
no mop enabled

-------------------

Internet_Router#sh ip flow export
Flow export v5 is enabled for main cache
Export source and destination details :
VRF ID : Default
Source(1) 116.212.XX.XX (GigabitEthernet0/0)
Source(2) 116.212.XX.XX (GigabitEthernet0/0)
Destination(1) 172.22.5.17 (9996)
Destination(2) 172.22.64.35 (9996)
Version 5 flow records
2016002805 flows exported in 67200602 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
3 export packets were dropped due to no fib
62 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures


=======================================

ASA Config
**********

Firewall/act/pri# sh run | i Netflow
object network Internet-Link-Netflow
object network Netflow-172.22.5.17
object-group service UDP_Netflow
access-list ACL-Internet extended permit object-group NETFLOW object Internet-Link-Netflow object Netflow-172.22.5.17 log
nat (Internet,Horizon) source static Internet-Link-Netflow Internet-Link-Netflow destination static IP-202.58.XX.XX Netflow-172.22.5.17


------------------------


Firewall/act/pri# sh run object id Internet-Link-Netflow
object network Internet-Link-Netflow
host 116.212.XX.XX


Firewall/act/pri# sh run object id Netflow-172.22.5.17
object network Netflow-172.22.5.17
host 172.22.5.17


Firewall/act/pri# sh object-group id UDP_Netflow
object-group service UDP_Netflow
service-object udp destination eq 2055
service-object udp destination eq 9996


----------------------------------


Firewall/act/pri# packet-tracer input Internet udp 116.212.XX.XX 1234 202.58.XX.XX 9996

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Internet,Horizon) source static Internet-Link-Netflow Internet-Link-Netflow destination static IP-202.58.XX.XX Netflow-172.22.5.17
Additional Information:
NAT divert to egress interface Horizon
Untranslate 202.58.XX.XX/9996 to 172.22.5.17/9996

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ACL-Internet in interface Internet
access-list ACL-Internet extended permit object-group NETFLOW object Internet-Link-Netflow object Netflow-172.22.5.17 log
object-group service NETFLOW
service-object object NETFLOW_1
service-object object NETFLOW_2
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Internet,Horizon) source static Internet-Link-Netflow Internet-Link-Netflow destination static IP-202.58.225.6 Netflow-172.22.5.17
Additional Information:
Static translate 116.212.XX.XX/1234 to 116.212.XX.XX/1234

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map SourceFire-Classify
match access-list Redirect-To-SourceFire
policy-map global_policy
class SourceFire-Classify
sfr fail-open monitor-only
service-policy global_policy global
Additional Information:

Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Internet,Horizon) source static Internet-Link-Netflow Internet-Link-Netflow destination static IP-202.58.XX.XX Netflow-172.22.5.17
Additional Information:

Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 376486643, packet dispatched to next module

Result:
input-interface: Internet
input-status: up
input-line-status: up
output-interface: Horizon
output-status: up
output-line-status: up
Action: allow
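The packet-tracer above only proves the ASA would pass a UDP/9996 packet; it does not show whether the router's exports actually reach the collector, or whether they arrive from the source address (the GigabitEthernet0/0 address) that the ASA rule and NAT statement expect. One way to check that on the collector host itself is to listen on the export port and decode what arrives. The following is an added example written for this thread, not code from the poster or from Cisco: it decodes NetFlow v5 datagrams using the public v5 header and record layout, records the peer address each datagram came from, and rejects anything that is not a well-formed v5 packet. The sample datagram it builds is constructed here with documentation addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), not captured from the network in the thread; port 9996 is taken from the router's `ip flow-export destination` lines.

```python
"""Decode NetFlow v5 export datagrams as they arrive at the collector.

Added example for this thread. Field layout follows the public NetFlow v5
header (24 bytes) and flow record (48 bytes) formats. The sample datagram
built by build_sample_v5() is constructed here and is not real traffic.
"""
import socket
import struct
from ipaddress import IPv4Address

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte export header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record
V5_MAX_RECORDS = 30                                    # v5 carries at most 30 records


def parse_v5(payload: bytes) -> dict:
    """Parse one v5 export datagram; raise ValueError if it is malformed."""
    if len(payload) < V5_HEADER.size:
        raise ValueError("datagram shorter than v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(payload, 0)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version={version})")
    if count > V5_MAX_RECORDS:
        raise ValueError(f"record count {count} exceeds v5 maximum")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(payload) != expected:
        raise ValueError(f"length {len(payload)} != {expected} expected for {count} records")
    records = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, tos,
         src_as, dst_as, src_mask, dst_mask, _pad2) = V5_RECORD.unpack_from(payload, off)
        records.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "nexthop": str(IPv4Address(nexthop)), "in_if": in_if, "out_if": out_if,
            "packets": pkts, "octets": octets, "first_ms": first, "last_ms": last,
            "sport": sport, "dport": dport, "proto": proto, "tcp_flags": tcp_flags,
            "tos": tos, "src_as": src_as, "dst_as": dst_as,
        })
    return {
        "version": version, "count": count, "sys_uptime_ms": sys_uptime,
        "unix_secs": unix_secs, "flow_sequence": flow_sequence,
        "engine_type": engine_type, "engine_id": engine_id,
        # upper 2 bits of this field are the sampling mode; lower 14 the interval
        "sampling_interval": sampling & 0x3FFF,
        "records": records,
    }


def build_sample_v5() -> bytes:
    """Constructed two-record v5 datagram (documentation addresses, not real flows)."""
    header = V5_HEADER.pack(5, 2, 123456, 1600000000, 0, 7000, 0, 0, 0)
    rec_https = V5_RECORD.pack(
        IPv4Address("192.0.2.10").packed, IPv4Address("203.0.113.10").packed,
        IPv4Address("198.51.100.1").packed, 1, 2, 10, 1500, 100000, 120000,
        51234, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    rec_dns = V5_RECORD.pack(
        IPv4Address("192.0.2.20").packed, IPv4Address("203.0.113.53").packed,
        IPv4Address("198.51.100.1").packed, 1, 2, 2, 160, 100500, 100510,
        40000, 53, 0, 0, 17, 0, 0, 0, 24, 24, 0)
    return header + rec_https + rec_dns


def collect(port: int = 9996, max_datagrams: int = 1) -> list:
    """Bind the export port the router sends to and decode each datagram.

    Each result keeps the peer address so you can confirm the exporter is the
    source the firewall rule expects, and malformed datagrams are reported
    rather than silently dropped.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    results = []
    for _ in range(max_datagrams):
        data, (peer, _peer_port) = sock.recvfrom(65535)
        try:
            results.append({"from": peer, "parsed": parse_v5(data)})
        except ValueError as exc:
            results.append({"from": peer, "error": str(exc)})
    return results


if __name__ == "__main__":
    # Offline self-check on the constructed datagram; run collect() on the
    # collector host to look at live exports instead.
    parsed = parse_v5(build_sample_v5())
    print(f"v{parsed['version']} seq={parsed['flow_sequence']} records={parsed['count']}")
    for r in parsed["records"]:
        print(f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} "
              f"proto={r['proto']} octets={r['octets']}")
```

If `collect()` on the NetFlow server never returns, the exports are not reaching the host, and the problem lies on the path (router export source, ASA NAT/ACL, or routing back through the DMZ) rather than in the collector software; if datagrams arrive but `from` is not the router's export source address, that is the mismatch to chase in the ASA rule, since the access-list and NAT statements above match on that specific host object.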


Hi Srinivasan Nagarajan,

No, you do not need to configure NetFlow on the ASA to allow the traffic.

1) Do you have any ACL on the DMZ interface?

2) Are you able to ping the router from the NetFlow server?

3) Do you have any PAT configured from DMZ to Outside? If yes, then you need to exempt the traffic from the NetFlow server to the router.

Spooster IT Services Team

Hi, thanks for your reply. Please find the answers below.

1. An ACL is configured and allows this traffic.

2. We are able to ping the router management IP from the NetFlow server.

3. No PAT is configured from DMZ to outside. PAT overload is configured from Inside to outside.
