Cisco has changed its ways! Cisco ASA now supports NetFlow. The new feature in Cisco ASA version 8.2 is called NSEL (NetFlow Security Event Logging) and it allows all ASA models to support NetFlow. Below I have provided the NetFlow configuration of a Cisco ASA.  Check out the latest Cisco NSEL reports.

flow-export destination inside x.x.x.x xxxx
! x.x.x.x is the collector IP, xxxx is the collector's UDP port
access-list flow_export_acl permit ip host x.x.x.x host x.x.x.x

class-map flow_export_class
  match access-list flow_export_acl

policy-map flow_export_policy
  class flow_export_class
    flow-export event-type flow-creation destination x.x.x.x
    ! x.x.x.x is the collector IP configured above

service-policy flow_export_policy global


To export all NSEL event types (creation, teardown, denied, updated) rather than only flow-creation events, use event-type all in the class:
    flow-export event-type all destination x.x.x.x

If you disable the syslog messages that duplicate the flow-export events, this will increase performance:
logging flow-export-syslogs disable

The CLI is great, but configuring the ASA to export NetFlow is easier with Cisco ASDM.
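The collector side of the configuration above, as an added example (not Cisco's, Plixer's or the author's code): a small NetFlow v9 decoder that understands the template/data split NSEL uses. v9 data records cannot be decoded until the template they reference has been received, so a collector that starts mid-stream sees undecodable bytes until the ASA's next template refresh; the decoder below counts those rather than failing. The packets are constructed inline, the field IDs come from the NetFlow v9 field registry, and field 233 and event value 1 are assumed here to be the NSEL firewall-event field and "flow created".

```python
"""NetFlow v9 decoder that tolerates data records arriving before their template."""
import ipaddress
import struct

# NetFlow v9 field type IDs; 233 is ASSUMED here to be the ASA NSEL firewall-event field
# (constructed example, verify against Cisco's NSEL field list before relying on it).
FIELD_NAMES = {
    1: "in_bytes", 4: "protocol", 7: "src_port", 8: "src_addr",
    11: "dst_port", 12: "dst_addr", 233: "fw_event",
}
ADDRESS_FIELDS = {8, 12}
HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unixSecs, seqNum, sourceId


class V9Decoder:
    def __init__(self):
        self.templates = {}        # (source_id, template_id) -> [(field_type, length), ...]
        self.missing_template = 0  # data flowsets dropped because their template is unknown

    def decode(self, packet):
        version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(packet)
        if version != 9:
            raise ValueError(f"not NetFlow v9 (version {version})")
        records, offset = [], HEADER.size
        while offset + 4 <= len(packet):
            flowset_id, length = struct.unpack_from("!HH", packet, offset)
            if length < 4 or offset + length > len(packet):
                raise ValueError("malformed flowset length")
            body = packet[offset + 4:offset + length]
            if flowset_id == 0:            # template flowset
                self._learn_templates(source_id, body)
            elif flowset_id >= 256:        # data flowset
                records.extend(self._parse_data(source_id, flowset_id, body))
            # flowset id 1 (options templates) is ignored in this example
            offset += length
        return records

    def _learn_templates(self, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            template_id, field_count = struct.unpack_from("!HH", body, pos)
            pos += 4
            fields = []
            for _ in range(field_count):
                fields.append(struct.unpack_from("!HH", body, pos))
                pos += 4
            # templates are scoped per exporter source id; a refresh replaces the old one
            self.templates[(source_id, template_id)] = fields

    def _parse_data(self, source_id, template_id, body):
        fields = self.templates.get((source_id, template_id))
        if fields is None:
            # what a collector sees when it starts mid-stream: bytes it cannot decode yet
            self.missing_template += 1
            return []
        record_len = sum(flen for _, flen in fields)
        out, pos = [], 0
        while pos + record_len <= len(body):   # trailing bytes shorter than a record are padding
            rec = {}
            for ftype, flen in fields:
                raw = body[pos:pos + flen]
                pos += flen
                name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                rec[name] = (str(ipaddress.IPv4Address(raw)) if ftype in ADDRESS_FIELDS
                             else int.from_bytes(raw, "big"))
            out.append(rec)
        return out


# --- constructed sample export (not a real ASA capture) ---
TEMPLATE_ID = 256
TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (233, 1)]


def flowset(flowset_id, body):
    body += b"\x00" * (-len(body) % 4)  # v9 flowsets are padded to a 32-bit boundary
    return struct.pack("!HH", flowset_id, 4 + len(body)) + body


def packet(seq, source_id, *flowsets):
    return HEADER.pack(9, len(flowsets), 1000 * seq, 1338300000 + seq, seq, source_id) + b"".join(flowsets)


TEMPLATE_FS = flowset(0, struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE_FIELDS))
                      + b"".join(struct.pack("!HH", t, l) for t, l in TEMPLATE_FIELDS))
# one record: 10.0.0.5:51234 -> 203.0.113.7:443, TCP, 1500 bytes, event 1 (assumed "flow created")
RECORD = (ipaddress.IPv4Address("10.0.0.5").packed + ipaddress.IPv4Address("203.0.113.7").packed
          + struct.pack("!HHBIB", 51234, 443, 6, 1500, 1))
DATA_FS = flowset(TEMPLATE_ID, RECORD)


def demo():
    dec = V9Decoder()
    early = dec.decode(packet(1, 1, DATA_FS))              # collector started mid-stream
    late = dec.decode(packet(2, 1, TEMPLATE_FS, DATA_FS))  # template refresh arrives
    return dec.missing_template, early, late


if __name__ == "__main__":
    missing, early, late = demo()
    print(f"data flowsets dropped for lack of a template: {missing}")
    print("decoded after template:", late)
```

The first packet yields nothing and bumps the missing-template counter; the second carries the template and the same record, which now decodes. On a real collector that counter is the metric to watch after (re)starting it or after the ASA reloads, since nothing decodes until the next template refresh.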

May 29th, 2012 UPDATE:  New Cisco NSEL Reports in Scrutinizer v9.  Check them out.

Jamie Lee

Jamie Lee is the west coast Regional Manager at Plixer. He works with prospects to solve the unique needs of their network and visits existing customers to assist with training. He enjoys developing new partnerships and building long-lasting relationships with his clients. Jamie loves the outdoors and his favorite hobbies include fishing, hiking, and football.


6 comments on “Cisco adds NetFlow to all Cisco ASA models”

  1. Milton,

    I’m guessing that this configuration can be combined with our existing QoS settings we use to shape the bandwidth usage? I’d have to take a look at our configurations, and see how this can work, but I think it will be fine.

    Thanks.

    William

  2. I've configured this up, but I am seeing the packet in Wireshark as missing the template.
    Scrutinizer is seeing the source and destination IPs but starts, ends and/or sizes.
    My guess… NetFlow version 9 export

    conversations are showing a packet size of “< 1 b”

  3. Netflow on the ASA is version 9, there are no plans for support of version 5. It should be known that the netflow on the ASA is not like what you will be used to in IOS. It’s not really for seeing top talkers. The reason that netflow exists is to send syslog messages in a binary format instead of in plain text. The only way you can look at bandwidth utilization is to look at the connection tear down messages and look at the total bytes sent field.

  4. Hi Steve, you are right that NetFlow from the ASA is different from what you would get from a router. It DEFINITELY can be used to see top talkers and we are doing it in Scrutinizer v7. There is a screen capture in this blog:
    http://www.plixer.com/blog/netflow/netflow-security-event-logging-with-the-cisco-asa/
    I’ll post a webcast on it soon. Also, what did you mean by this: “The reason that netflow exists is to send syslog messages in a binary format instead of in plain text.”? Can you post a URL so that I can read about this?
