How to run Cisco ASA ACL Reports: Netflow Security Event Logging

In this blog I’ll show you how to use Cisco ASA NSEL (aka Cisco ASA NetFlow) reporting to monitor your Cisco ASA firewall ACLs. With the addition of our Cisco Advanced Reporting module you can run many useful NetFlow reports — Network Performance Monitoring (Medianet), Performance Routing, Network Based Application Recognition (NBAR) — but today we’re going to focus on Cisco ASA NSEL Access Control List (ACL) reports.

Have you ever asked yourself, why is my Cisco ASA Firewall denying flows? Our NetFlow analyzer provides you with historic trends and the most powerful NetFlow reporting engine on the market to make your life easier.

Let’s start by looking at a Cisco ASA ACL to ACL report to find out which ACLs are being violated the most. In the screenshot below we can see the amount of flows that have matched the ingress and egress ACLs (inbound and outbound).

Now you’re probably asking yourself, what is a Cisco ASA NSEL ingress ACL ID? Let’s digress.

The 12-byte raw ACL ID must be divided into its three constituent parts, as follows:

  • The first four bytes are the ACL Name ID
  • The next four bytes are the ACL Entry ID (ACE)/Object-Group ID
  • The final four bytes are the Extended ACL Entry ID

To see the corresponding access list rules on your Cisco ASA run:

  • asa# show access-list
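To show how the three 4-byte hashes line up with the device's own output, here is an added example (not from the original post or the vendor's product) that splits a 12-byte NSEL ACL ID and looks each part up in `show access-list` text. The sample output and its hash values are constructed, and the exact `show access-list` layout (a "name hash:" summary line plus a trailing hash on every ACE and expanded object-group entry) is an assumption to check against your own ASA.

```python
import re
import struct

# Constructed sample of `show access-list` output; layout assumed, hashes made up.
SHOW_ACCESS_LIST = """\
access-list outside_in; 3 elements; name hash: 0xc3f8fd12
access-list outside_in line 1 extended permit tcp any host 10.1.1.10 eq www (hitcnt=42) 0xd3a9b8e1
access-list outside_in line 2 extended deny ip object-group BLOCKED any 0x1f2e3d4c
  access-list outside_in line 2 extended deny ip host 203.0.113.7 any (hitcnt=9) 0x5a6b7c8d
  access-list outside_in line 2 extended deny ip host 203.0.113.8 any (hitcnt=0) 0x9e8f7a6b
"""

HASH_AT_END = re.compile(r"0x([0-9a-fA-F]{8})\s*$")


def split_acl_id(raw: bytes) -> tuple[int, int, int]:
    """Split the 12-byte raw ACL ID into (ACL name ID, ACE/object-group ID, extended ACE ID).

    Each part is treated as a big-endian 32-bit hash, matching the hex values the ASA prints.
    """
    if len(raw) != 12:
        raise ValueError(f"ACL ID must be 12 bytes, got {len(raw)}")
    return struct.unpack("!III", raw)


def parse_show_access_list(text: str) -> dict[int, str]:
    """Map every trailing hash in `show access-list` output to the line that carries it."""
    table: dict[int, str] = {}
    for line in text.splitlines():
        m = HASH_AT_END.search(line)
        if m:
            table[int(m.group(1), 16)] = line.strip()
    return table


def resolve_acl_id(raw: bytes, table: dict[int, str]) -> dict[str, str]:
    """Translate a raw NSEL ACL ID into the ACL, ACE and expanded entry it refers to.

    An all-zero extended ACE ID is reported as "n/a" (assumption: ACEs without an
    object-group may not carry a third hash; verify on your device).
    """
    name_id, ace_id, ext_id = split_acl_id(raw)
    lookup = lambda h, what: table.get(h, f"unknown {what} hash 0x{h:08x}")
    return {
        "acl": lookup(name_id, "ACL name"),
        "ace": lookup(ace_id, "ACE/object-group"),
        "extended_ace": "n/a" if ext_id == 0 else lookup(ext_id, "extended ACE"),
    }
```

Feed it the raw 12-byte ingress or egress ACL ID from a decoded NSEL record and the text of `show access-list` from the same ASA; the returned dictionary names the ACL and the specific expanded entry that denied the flow.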

With our NetFlow analyzer you can filter on access control lists to find all of the individual flows being denied by ACLs. The next report shows our Cisco ASA VPN Users denied flows:

Don’t forget about filtering on Cisco ASA NSEL user names! Having a NetFlow analyzer with advanced NSEL filtering is important to help save you time when troubleshooting Cisco ASA Firewall ACL issues. In the next report we’re filtering on a specific ACL and Username:

Once you’ve drilled into the traffic in question, you can set up Cisco ASA ACL thresholds with notifications by adding an inbound threshold filter. NetFlow security event logging and notifications allow your network and security administrators to be proactive and reduce their time to resolution when troubleshooting complex problems or identifying persistent internet threats.

It doesn’t stop here! There is much more insight you can gain from network security event logging, such as Cisco ASA Network Address Translation reports. Are you taking full advantage of what Cisco ASA NSEL and advanced NetFlow reporting have to offer? Call us and we would be glad to give you a demo of what a best-at-NetFlow solution has to offer.