The ASA can export NetFlow records (Cisco calls the ASA implementation NetFlow Secure Event Logging, NSEL; the wire format is NetFlow v9) to NetFlow collectors such as ntopng.
Here I describe the steps required to configure NetFlow export using the ASA CLI.
Prerequisites and notes
- tested on ASA 5515-X, ASA OS version 8.6(1)2
- to see any output, some kind of NetFlow collector software is required. I'm using ntopng, downloadable from www.ntop.org
Links
- http://www.draware.dk/fileadmin/SolarWinds/Guide/How_to_configure_Netflow_on_a_Cisco_ASA.pdf
- Cisco ASA NetFlow Implementation Guide
Configuration
To configure NetFlow export we must apply at least the following commands:
1. Configure the export destination (the interface through which the collector is reached, the collector address and its UDP port)
flow-export destination interface-name {ipv4-address | hostname} udp-port
in my case
flow-export destination vlan255 192.168.255.19 6343
2. Now we specify an access list that defines the interesting traffic, i.e. the flows to be exported. Note that ASA access lists take subnet masks, not IOS-style wildcard masks:
access-list NAME extended {permit | deny} PROTOCOL SOURCE SOURCE-MASK DESTINATION DESTINATION-MASK
in my case I want to export statistics about all flows
access-list ACL-NETFLOW-EXPORT permit ip any any
3. Then we define a class map that tests the traffic against the ACL defined above
class-map NAME_OF_FLOW_CLASS
in my case
class-map NETFLOW-EXPORT-CLASS
4. And set the match condition
match access-list ACL-NAME
in my case
match access-list ACL-NETFLOW-EXPORT
Alternatively, if we want to match all traffic, the ACL is not needed and we can use the match any statement instead
match any
5. Now we define a policy map that applies the flow-export action to the class. This enters policy-map configuration mode.
Note: read the note at step 8 first; if a global policy already exists, add the class to that policy map instead of creating a new one.
policy-map NAME-of-EXPORT-POLICY
in my case
policy-map NETFLOW-EXPORT-POLICY
6. Then attach the class to the policy map.
class NAME-OF-EXPORT-CLASS
in my case
class NETFLOW-EXPORT-CLASS
7. Within the class, define the flow-export action. The event type selects which NSEL events are exported (later releases also accept flow-update):
flow-export event-type {all | flow-create | flow-denied | flow-teardown} destination flow_export_host1 [flow_export_host2]
in my case
flow-export event-type all destination 192.168.255.19
By repeating steps 6 and 7 we can add several export classes.
8. Finally we apply the policy map as the global service policy
service-policy NAME-OF-EXPORT-POLICY global
in my case
service-policy NETFLOW-EXPORT-POLICY global
Note:
The ASA allows only one global service policy, and depending on the configuration one may already be present (the factory default is named global_policy). Check before applying yours:
kis-asa-5515X# sh run | begin service-policy
service-policy global_policy global
...
If there is one, applying your new policy map as another global policy fails with the following error message:
ERROR: Policy map global_policy is already configured as a service policy
In that case we attach the class to the existing global policy map instead (no new service-policy command is needed):
policy-map global_policy
 class NETFLOW-EXPORT-CLASS
  flow-export event-type all destination 192.168.255.19
Optionally we may configure some additional parameters
9. Set the interval at which the NetFlow v9 template records are re-sent to the collector. The value is in minutes and the default is 30 minutes. A collector that starts after the ASA cannot decode data records until it has received a template, so a shorter interval shortens that blind window
flow-export template timeout-rate MINUTES
I will keep it at the default value.
10. Delay the export of flow-create events. If a flow is torn down within the delay, the flow-create event is suppressed and only the flow-teardown event (which carries the same information) is sent, so short-lived flows produce one record instead of two. The range is 1 to 180 seconds
flow-export delay flow-create SECONDS
in my case 10 seconds
flow-export delay flow-create 10
11. Disable (or, with enable, re-enable) the syslog messages that become redundant once NSEL carries the same information, such as the 302013-302016 connection build-up and teardown messages. Do this only after the collector is confirmed to receive the export; otherwise the syslog server or SIEM loses the connection log with nothing replacing it
logging flow-export-syslogs disable
Final configuration
version 1 – no existing global policy
flow-export destination vlan255 192.168.255.19 6343
access-list ACL-NETFLOW-EXPORT permit ip any any
!
class-map NETFLOW-EXPORT-CLASS
 match access-list ACL-NETFLOW-EXPORT
!
policy-map NETFLOW-EXPORT-POLICY
 class NETFLOW-EXPORT-CLASS
  flow-export event-type all destination 192.168.255.19
!
service-policy NETFLOW-EXPORT-POLICY global
flow-export delay flow-create 15
logging flow-export-syslogs disable
version 2 – a global policy already exists
for example the default one named global_policy
flow-export destination vlan255 192.168.255.19 6343
access-list ACL-NETFLOW-EXPORT permit ip any any
!
class-map NETFLOW-EXPORT-CLASS
 match access-list ACL-NETFLOW-EXPORT
!
policy-map global_policy
 class NETFLOW-EXPORT-CLASS
  flow-export event-type all destination 192.168.255.19
!
! not needed, the policy map is already applied globally
! service-policy NETFLOW-EXPORT-POLICY global
!
flow-export delay flow-create 15
logging flow-export-syslogs disable
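The choice between the two versions depends on what is already in the running configuration. The following Python script is an added example, not part of the original post: given the text of show running-config, it finds the policy map applied with service-policy ... global, checks whether the NetFlow class is already attached to it, and emits the CLI lines for version 1 or version 2 accordingly. The sample running config embedded in it is constructed for the example, and the block-parsing relies on the ASA's usual layout (policy-map header at column 0, members indented by one space).

```python
import re
from typing import List, Optional

# Constructed sample of `show running-config` output with the factory
# global_policy already applied. Not taken from a real device.
SAMPLE_RUNNING_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
!
service-policy global_policy global
"""


def find_global_policy(running_config: str) -> Optional[str]:
    """Name of the policy map applied with `service-policy <name> global`, if any."""
    m = re.search(r"^service-policy\s+(\S+)\s+global\s*$", running_config, re.M)
    return m.group(1) if m else None


def policy_map_classes(running_config: str, policy_name: str) -> List[str]:
    """Class names attached under `policy-map <policy_name>`.

    Blocks are delimited the way the ASA prints them: the header at column 0,
    members indented, and the next unindented line ending the block. The
    `policy-map type inspect ...` headers do not match because their token
    list is longer than ["policy-map", name]."""
    classes, inside = [], False
    for line in running_config.splitlines():
        if not line.startswith(" ") and line.strip():
            inside = line.split() == ["policy-map", policy_name]
        elif inside and line.startswith(" class "):
            classes.append(line.split()[1])
    return classes


def netflow_cli(running_config: str, class_name: str = "NETFLOW-EXPORT-CLASS",
                collector: str = "192.168.255.19",
                new_policy: str = "NETFLOW-EXPORT-POLICY") -> List[str]:
    """CLI lines that attach the NetFlow class without tripping over
    'ERROR: Policy map ... is already configured as a service policy'.

    No global policy   -> version 1: new policy map plus service-policy global
    Global policy      -> version 2: add the class to the existing policy map
    Class already there -> nothing to do (idempotent)."""
    action = f"  flow-export event-type all destination {collector}"
    target = find_global_policy(running_config)
    if target is None:
        return [f"policy-map {new_policy}", f" class {class_name}", action,
                f"service-policy {new_policy} global"]
    if class_name in policy_map_classes(running_config, target):
        return []
    return [f"policy-map {target}", f" class {class_name}", action]


if __name__ == "__main__":
    print("\n".join(netflow_cli(SAMPLE_RUNNING_CONFIG)))
```

Feed it the saved output of show running-config (or show run | begin class-map) and paste the returned lines into configuration mode; the class-map, access-list and flow-export destination commands from steps 1 to 4 are the same in both versions and are not generated here.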
Verification and troubleshooting
show flow-export counters (packets sent to each destination and the error counters; a destination with zero packets sent usually means no class matched or the collector is unreachable through the configured interface)
show service-policy global flow ip host [source IP] host [dest IP] (shows whether a given flow is matched by the export class)
show access-list ACL-NETFLOW-EXPORT (hit counts on the ACL used by the class map)
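The counters above only prove that the ASA sent something. To confirm that decodable NSEL records arrive at the collector address and port, and to see what the ASA actually exports, the following Python script is an added example (not part of the original post and not the ntopng code): a minimal NetFlow v9 decoder that handles the template flowset and the data flowsets, keeps templates across packets, and reports data that arrives before its template, which is exactly the situation the template timeout-rate setting controls. The sample packet is constructed in the script, not captured from a device; the NSEL field ID 233 (NF_F_FW_EVENT) and its values are taken from Cisco's NSEL field reference, and only the handful of field IDs used by the sample are given names.

```python
"""Minimal NetFlow v9 / ASA NSEL decoder (added example, not from the post)."""
import socket
import struct
from typing import Dict, List, Tuple

# NetFlow v9 information element IDs (RFC 3954) plus the Cisco NSEL
# firewall-event field. Only the IDs needed for the sample are listed;
# anything else is reported as field_<id>.
FIELD_NAMES = {4: "protocol", 7: "src_port", 8: "src_addr",
               11: "dst_port", 12: "dst_addr", 233: "fw_event"}
# NF_F_FW_EVENT (ID 233) values from Cisco's NSEL field reference.
FW_EVENT = {0: "ignore", 1: "flow-create", 2: "flow-teardown",
            3: "flow-denied", 5: "flow-update"}

Template = List[Tuple[int, int]]            # [(field_type, field_length), ...]
HEADER = struct.Struct("!HHIIII")            # version, count, uptime, unix secs, seq, source id


def decode_field(ftype: int, raw: bytes):
    """IPv4 addresses as dotted quads, the NSEL event as its name, the rest as ints."""
    if ftype in (8, 12) and len(raw) == 4:
        return socket.inet_ntoa(raw)
    value = int.from_bytes(raw, "big")
    if ftype == 233:
        return FW_EVENT.get(value, f"unknown({value})")
    return value


def parse_v9(packet: bytes, templates: Dict[int, Template]) -> dict:
    """Decode one export packet.

    `templates` is caller-owned state keyed by template ID: the ASA resends
    templates only every `flow-export template timeout-rate` minutes, so data
    flowsets can arrive before their template. Those are listed under
    'missing_templates' instead of being guessed at."""
    version, _count, _uptime, _secs, seq, source_id = HEADER.unpack_from(packet)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    result = {"seq": seq, "source_id": source_id, "records": [], "missing_templates": []}
    off = HEADER.size
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4:
            raise ValueError("malformed flowset length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                                   # template flowset
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, p)
                p += 4
                templates[tid] = [struct.unpack_from("!HH", body, p + 4 * i) for i in range(nfields)]
                p += 4 * nfields
        elif fs_id >= 256:                               # data flowset, ID = template ID
            tpl = templates.get(fs_id)
            if tpl is None:
                result["missing_templates"].append(fs_id)
            else:
                rec_len = sum(flen for _, flen in tpl)
                p = 0
                while rec_len and p + rec_len <= len(body):  # trailing bytes are padding
                    rec = {}
                    for ftype, flen in tpl:
                        rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[p:p + flen])
                        p += flen
                    result["records"].append(rec)
        off += fs_len
    return result


def build_sample_packet(include_template: bool = True) -> bytes:
    """Constructed test data, not captured from an ASA: template 256 with six
    fields, then a data flowset carrying two NSEL event records."""
    template = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (233, 1)]
    tpl_body = struct.pack("!HH", 256, len(template)) + b"".join(struct.pack("!HH", t, l) for t, l in template)
    tpl_fs = struct.pack("!HH", 0, 4 + len(tpl_body)) + tpl_body

    def rec(src, dst, sport, dport, proto, event):
        return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!HHBB", sport, dport, proto, event)

    data = rec("10.1.1.5", "192.168.255.19", 51234, 443, 6, 1)    # flow-create
    data += rec("10.1.1.9", "8.8.8.8", 40000, 53, 17, 3)          # flow-denied
    data += b"\x00" * (-len(data) % 4)                             # pad to 4-byte boundary
    data_fs = struct.pack("!HH", 256, 4 + len(data)) + data
    header = HEADER.pack(9, 3 if include_template else 2, 123456, 1700000000, 1, 0)
    return header + (tpl_fs if include_template else b"") + data_fs


def listen(port: int = 6343) -> None:
    """Bind the UDP port from `flow-export destination` and print decoded events."""
    templates: Dict[int, Template] = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while True:
            pkt, (src, _) = sock.recvfrom(65535)
            out = parse_v9(pkt, templates)
            for r in out["records"]:
                print(src, r)
            if out["missing_templates"]:
                print(src, "data before template for IDs", out["missing_templates"])


if __name__ == "__main__":
    print(parse_v9(build_sample_packet(), {}))
```

Run listen() on the collector host (with the real collector stopped, since only one process can own the port) to watch events arrive; if the first thing it prints is "data before template", the ASA is exporting but the collector started after the last template refresh, which is where a lower template timeout-rate helps.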