I am trying to clean up the access-lists in an ASA firewall. Due to the amount of traffic that goes through it, I have been having trouble getting a list of traffic that is actually travelling through the ASA.
I have been looking at the new Netflow feature of the ASA and it looks like this would be a big help.
Does anybody have any experience with any Netflow Analyzers with the ASA? A perfect solution would allow me to export a summary of all non-established traffic.
Thanks. Those look interesting but I don't think that they are exactly what I need. Since I am planning on replacing the firewall, I wanted to look at actual usage through the firewall, analyse this information to decide what needs to go through and create new access-lists based on this.
Correct me if I'm wrong, but I am under the impression that those products analyse rules to see which are used. For example, if I have the rule:
permit tcp any any eq www, I don't need to see that this rule is used, I would like to see that only server1 is being accessed on port 80 so that I can recreate the rule as:
What I do to clean up my rules is clear the ACL counters, let the firewall run as normal for two weeks or so, then remove the ACLs with zero hit counts. Simple but effective. For Netflow, you'll have to be careful, not all apps support the ASA netflow format.
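The hit-count approach above can be scripted rather than read off the console by eye. The following is an added example (not code from any poster in this thread): it parses the text of an ASA "show access-list" command, lists the entries whose counter stayed at zero during the observation window, and prints the matching "no access-list ... line N ..." commands in an order that is safe to paste. The sample output is constructed for the example; the regular expression assumes the usual "(hitcnt=N)" suffix on each entry, and the removal commands assume the line-number form of "no access-list" is accepted on your version.

```python
import re
from typing import List, Tuple

# Constructed sample of ASA "show access-list" output; not captured from a real device.
# Real output also contains "remark" lines (no hitcnt) and, for object-group ACEs, an
# indented expanded line per group member, each with its own hitcnt.
SAMPLE_SHOW_ACCESS_LIST = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_in; 4 elements; name hash: 0x1a2b3c4d
access-list outside_in line 1 remark web and https to the DMZ
access-list outside_in line 2 extended permit tcp any host 10.1.1.10 eq www (hitcnt=48213) 0xaaaa0001
access-list outside_in line 3 extended permit tcp any host 10.1.1.11 eq https (hitcnt=0) 0xaaaa0002
access-list outside_in line 4 extended permit udp any host 10.1.1.12 eq domain (hitcnt=0) 0xaaaa0003
access-list outside_in line 5 extended deny ip any any log (hitcnt=77) 0xaaaa0004
access-list dmz_in; 2 elements; name hash: 0x5e6f7a8b
access-list dmz_in line 1 extended permit tcp host 10.2.2.5 any eq smtp (hitcnt=5) 0xbbbb0001
access-list dmz_in line 2 extended permit ip any any (hitcnt=0) 0xbbbb0002
"""

Ace = Tuple[str, int, str, int]  # (acl name, line number, rule body, hit count)

# Matches one ACE that carries a hit counter; remark lines and headers never match.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<body>.+?) \(hitcnt=(?P<hits>\d+)\)"
)


def parse_aces(show_output: str) -> List[Ace]:
    """Return every ACE that has a hit counter, in the order the ASA printed them."""
    aces: List[Ace] = []
    for raw in show_output.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            aces.append((m["acl"], int(m["line"]), m["body"], int(m["hits"])))
    return aces


def zero_hit_aces(show_output: str, keep_explicit_deny: bool = True) -> List[Ace]:
    """ACEs whose counter never moved during the observation window.

    Explicit deny entries are kept by default: an unused deny costs nothing,
    and removing one may silently change what gets logged."""
    unused = [a for a in parse_aces(show_output) if a[3] == 0]
    if keep_explicit_deny:
        unused = [a for a in unused if not a[2].startswith("extended deny")]
    return unused


def removal_commands(show_output: str) -> List[str]:
    """'no access-list ...' lines, highest line number first within each ACL,
    so that removing one entry does not renumber the entries still to be removed."""
    ordered = sorted(zero_hit_aces(show_output), key=lambda a: (a[0], -a[1]))
    return [f"no access-list {acl} line {line} {body}" for acl, line, body, _ in ordered]


if __name__ == "__main__":
    for cmd in removal_commands(SAMPLE_SHOW_ACCESS_LIST):
        print(cmd)
```

Feed it the saved output of "clear access-list counters" followed, a few weeks later, by "show access-list". Review the list before pasting anything: an entry with zero hits may cover a monthly or quarterly job that simply did not run during the window.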
Thanks for all the great answers. It looks like the above will work for me. We also use another (unnamed) Netflow product but a) I don't know if it will support NSL and b) I am not happy with the reporting options.
"Since I am planning on replacing the firewall, I wanted to look at actual usage through the firewall, analyse this information to decide what needs to go through and create new access-lists based on this."
Now that I understand what you're trying to do, here is my suggestion:
- span the port on the firewall with a cheap sniffer. A Linux box with big disk space will do, with tcpdump
- capture the traffic into a file but make sure you rotate the file, like this:
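Once the rotated capture files exist, the question from the original post remains: which destinations and ports are actually being opened, so that "permit tcp any any eq www" can be rewritten as a per-server rule. The following is an added example, not code from the poster above: it reads tcpdump -nn text output, keeps only connection initiations (a TCP SYN without ACK, or any UDP datagram, i.e. the non-established direction), groups them by destination host and port, and prints candidate ASA entries. The capture lines are constructed for the example; the tcpdump rotation command in the comment is illustrative, and the threshold for using "any" as the source is an arbitrary choice you should tune.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed tcpdump -nn lines standing in for one rotated capture file; not real traffic.
# A capture like this could be produced on the sniffer with, for example,
#   tcpdump -nn -i eth1 -w 'cap-%Y%m%d-%H%M.pcap' -G 3600 -C 1000
# (rotate hourly or at 1000 MB) and read back with: tcpdump -nn -r cap-20240101-1000.pcap
SAMPLE_TCPDUMP = """\
10:00:01.000001 IP 192.0.2.10.51234 > 10.1.1.10.80: Flags [S], seq 1, win 64240, length 0
10:00:01.000500 IP 10.1.1.10.80 > 192.0.2.10.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
10:00:01.001000 IP 192.0.2.10.51234 > 10.1.1.10.80: Flags [.], ack 1, win 502, length 0
10:00:02.000000 IP 198.51.100.7.40001 > 10.1.1.10.80: Flags [S], seq 9, win 64240, length 0
10:00:03.000000 IP 203.0.113.9.40002 > 10.1.1.10.80: Flags [S], seq 9, win 64240, length 0
10:00:04.000000 IP 192.0.2.10.40003 > 10.1.1.11.443: Flags [S], seq 9, win 64240, length 0
10:00:05.000000 IP 192.0.2.10.40003 > 10.1.1.11.443: Flags [P.], seq 1:10, ack 1, win 502, length 9
10:00:06.000000 IP 192.0.2.10.40005 > 10.1.1.12.53: UDP, length 40
"""

# IPv4 "src.sport > dst.dport: rest" as printed by tcpdump -nn.
LINE_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[(?P<flags>[^\]]*)\]")

Key = Tuple[str, str, int]  # (protocol, destination host, destination port)


def summarize_initiations(capture_text: str) -> Dict[Key, Set[str]]:
    """Map each (proto, dst, dport) to the set of source hosts that opened it.

    TCP counts only a SYN without ACK (tcpdump prints ACK as '.'), which is the
    non-established direction; UDP has no handshake, so every datagram counts."""
    seen: Dict[Key, Set[str]] = defaultdict(set)
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rest = m["rest"]
        fm = FLAGS_RE.match(rest)
        if fm:
            flags = fm["flags"]
            if "S" not in flags or "." in flags:
                continue  # SYN-ACK, data or bare ACK: not a new connection attempt
            proto = "tcp"
        elif rest.startswith("UDP"):
            proto = "udp"
        else:
            continue  # ICMP and other protocols are out of scope for this example
        seen[(proto, m["dst"], int(m["dport"]))].add(m["src"])
    return seen


def suggest_aces(capture_text: str, any_threshold: int = 3) -> List[str]:
    """Candidate ASA entries: 'any' as the source only when at least any_threshold
    distinct hosts were observed, otherwise one host-to-host entry per source."""
    aces: List[str] = []
    for (proto, dst, dport), sources in sorted(summarize_initiations(capture_text).items()):
        if len(sources) >= any_threshold:
            aces.append(f"permit {proto} any host {dst} eq {dport}")
        else:
            for src in sorted(sources):
                aces.append(f"permit {proto} host {src} host {dst} eq {dport}")
    return aces


if __name__ == "__main__":
    for ace in suggest_aces(SAMPLE_TCPDUMP):
        print(ace)
```

Run it over every rotated file for the whole observation window before trusting the result; a single hour of capture will miss anything that only runs overnight or at month end. The output is a starting point for the new access-list, not something to apply unreviewed.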