Menu Close

Configuring Netflow on a Cisco ASA

ASA supports netflow exports against some of Netflow collectors, for example ntopng. 

Here I'm describing steps required to configure netflow statistical export using ASA CLI.

Prerequisities and notes

  • tested on ASA 5515-X, ASA OS version 8.6(1)2
  • to see some outputs,  kind of netflow collector software is required. I'm using ntopng downloadable from www.ntop.org

Links

Configuration

To configure netflow export we must apply at least followig commands:

 

1. Configure the flow export

flow-export destination interface-name ipv4-address hostname udp-port

in my case 

flow-export destination vlan255 192.168.255.19 6343

 

2. No we will specify an access-list which will define an interesting traffic which will be exported

access-list NAME ACL_TYPE ACTION PROTOCOL SOURCE WILDCARD DESTINATION WILDCARD 

in my case i'm wishing to export statistics about all flows

access-list ACL-NETFLOW-EXPORT permit ip any any

 

3. and then we define a class map which will test the traffic against above defined ACL

class-map NAME_OF_FLOW_CLASS

in my case

class-map NETFLOW-EXPORT-CLASS

 

4. and set a match condition

match access-list ACL-NAME

in my case 

match access-list  ACL-NETFLOW-EXPORT

alternatively if we suppose to match any traffic, we do not need the ACL and then we may use match any statement

match any

 

5. now we define a policy map to apply flow-export actions to the defined class. Enters policy map configuration mode and define a policy

Note: check the note on step 8 to continue….

policy-map NAME-of-EXPORT-POLICY

in my case

policy-map NETFLOW-EXPORT-POLICY

 

6. then map the netflow-export-class class to the defined netflow-policy policy.

class NAME-OF-EXPORT-CLASS

in my case

class NETFLOW-EXPORT-CLASS

 

7 . and within policy class define  a flow-export action.

flow-export event-type event-type destination flow_export_host1[flow_export_host2]

in my case

flow-export event-type all destination 192.168.255.19

repeating this steps (6-7) we may define several export classes.

 

8. and finally we apply the service policY to a global policy

service-policy FLOW-EXPORT-POLICY global

in my case

service-policy NETFLOW-EXPORT-POLICY global

Note:

Please, make an attention, ASA does not allow to have more as the one global policy, and depends on the configuration some global policy can be already present and exists there. Please check it

kis-asa-5515X# sh run | begin service-policy
service-policy global_policy global
...
...

 

If there is one, applying your new policy as a new global policy you will get follwoing error message: 

ERROR: Policy map global_policy is already configured as a service policy

 

therefore we need to map the class with existing global policy

policy-map global_policy
   class NETFLOW-EXPORT-CLASS
      flow-export event-type all destination 192.168.255.19

 

 

Optionally we may configure some additional tasks

 

9. set up an export time interval, default is 1.min

flow-export template timeout-rate SECONDS

I will keep it on default value.

 

10. or to set up an export time, which will instruct ASA to export short (shorter as defined time interval) and identical flows as a single flow

flow-export delay flow-create SECONDS

in my case 10 second

flow-export delay flow-create 10

 

11. To disable and reenable NetFlow-related syslog messages that have become redundant

logging flow-export-syslogs disable

 

Final configuration

version 1 – no existing global policy

flow-export destination vlan255 192.168.255.19 6343
access-list ACL-NETFLOW-EXPORT permit ip any any

class-map NETFLOW-EXPORT-CLASS
   match access-list  ACL-NETFLOW-EXPORT

policy-map NETFLOW-EXPORT-POLICY
   class NETFLOW-EXPORT-CLASS
      flow-export event-type all destination 192.168.255.19

service-policy NETFLOW-EXPORT-POLICY global
flow-export delay flow-create 15
logging fl​ow-export-syslogs disable

 

version 2 – if there exist a global policy

for example named as the global_policy

flow-export destination vlan255 192.168.255.19 6343
access-list ACL-NETFLOW-EXPORT permit ip any any
!
class-map NETFLOW-EXPORT-CLASS
   match access-list  ACL-NETFLOW-EXPORT
!
policy-map global_policy
   class NETFLOW-EXPORT-CLASS
      flow-export event-type all destination 192.168.255.19
!
! not needed to apply it again
! service-policy NETFLOW-EXPORT-POLICY global
!
flow-export delay flow-create 15
logging fl​ow-export-syslogs disable

 

Verification and tshooting

show flow-export counters

show service-policy global flow ip host [source IP] host [dest IP]

show access-list flow_export_acl

Rate this post

Leave a Reply

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

The reCAPTCHA verification period has expired. Please reload the page.