Get started with Cisco ASDM 6.2
To setup the NetFlow export from your ASA which must be running version 8.2.1 or newer, bring up the Cisco ASDM (Adaptive Security Device Manager) and setup the NetFlow exporters:

Then, go to the Firewall configuration and create and ACL matching ANY to ANY:

Edit the ACL above, apply a NetFlow rule action for the event types (e.g. ALL). Up to five collectors can be entered. See below:

As traffic passes through the firewall, NetFlow will start getting exported for the different template types.

Where is the NetFlow from the ASA?
Scrutinizer displays the NetFlow by clicking on the word ‘Graph’ when viewing the NetFlow Templates.  Beware, not all templates can be graphed so, expect an error message. Here is how Scrutinizer v7 displays the templates:



Access to the raw messages is also possible on ALL the templates by clicking on “Flow View”.  Flow View displays all the fields kicked out by the template:



This report can be very interesting as you see data often left out in some reporting tools.  Read about some limitations when Scrutinizer reports on NetFlow from the ASA at the bottom of this blog.

It’s all in the templates
NetFlow v9 uses templates and this is the big difference between v9 and the most popular version of NetFlow which is v5.  NSEL uses Flexible NetFlow which is based on NetFlow v9.  The three most popular event types that trigger a NetFlow record are.
* flow-create
* flow-denied
* flow-teardown

NOTE: The above ‘no XLATE’ template is releated to NAT translation. IPv6 also comes in as unique templates.

May 29th, 2012 update:  You can view the new Cisco ASA NSEL Report in Scrutinizer v9.5.  Check them out! You can download Scrutinizer here.

Mike Patterson author pic


Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.


Leave a Reply