Setting up the ASA to export NetFlow using Cisco ASDM 6.2

Get started with Cisco ASDM 6.2
To setup the NetFlow export from your ASA which must be running version 8.2.1 or newer, bring up the Cisco ASDM (Adaptive Security Device Manager) and setup the NetFlow exporters:

Then, go to the Firewall configuration and create and ACL matching ANY to ANY:

Edit the ACL above, apply a NetFlow rule action for the event types (e.g. ALL). Up to five collectors can be entered. See below:

As traffic passes through the firewall, NetFlow will start getting exported for the different template types.

Where is the NetFlow from the ASA?
Scrutinizer displays the NetFlow by clicking on the word ‘Graph’ when viewing the NetFlow Templates.  Beware, not all templates can be graphed so, expect an error message. Here is how Scrutinizer v7 displays the templates:

 

Access to the raw messages is also possible on ALL the templates by clicking on “Flow View”.  Flow View displays all the fields kicked out by the template:

 

This report can be very interesting as you see data often left out in some reporting tools.  Read about some limitations when Scrutinizer reports on NetFlow from the ASA at the bottom of this blog.

It’s all in the templates
NetFlow v9 uses templates and this is the big difference between v9 and the most popular version of NetFlow which is v5.  NSEL uses Flexible NetFlow which is based on NetFlow v9.  The three most popular event types that trigger a NetFlow record are.
* flow-create
* flow-denied
* flow-teardown

NOTE: The above ‘no XLATE’ template is releated to NAT translation. IPv6 also comes in as unique templates.

May 29th, 2012 update:  You can view the new Cisco ASA NSEL Report in Scrutinizer v9.5.  Check them out! You can download Scrutinizer here.