Configure Netflow on ASA

What’s up tekmedikans!

Here’s a quick and dirty guide on how to configure NetFlow on an ASA. The ASA speaks NetFlow Secure Event Logging (NSEL), a NetFlow v9 export that reports flow create, teardown and denied events rather than periodic byte counters. I will be working on a 5510 running version 8.4(7).

1. Create an ACL to catch the traffic you want exported. (Usually any,any, or you can specify hosts/subnets)
2. Configure Flow-Export Settings
3. Create Class-map to match ACL
4. Add Class to Existing Policy-Map or Create a New One.
5. If you created a new Policy-Map you will need to add it to the Global-Policy
6. Verify Flows are flowin….

Create ACL

This ACL will match any source going to any destination, so every connection the ASA builds or denies gets exported. If collector bandwidth or ASA CPU is a concern, narrow it to the hosts or subnets you actually care about.

Tekvpn(config)# access-list NetFlow extended permit ip any any

Configure Flow-Export Settings

The destination command takes the interface the collector is reached through, the collector’s IP address and the UDP port. The original post omitted the address; it is shown here as the placeholder <collector-ip>. The template timeout-rate is in minutes: 1 makes the ASA resend its NSEL templates every minute, so a collector that starts after the ASA can decode data records almost immediately. NetFlow is plain UDP with no authentication or encryption, so keep the collector on a trusted segment (here the inside interface).

Tekvpn(config)# flow-export destination inside <collector-ip> 2055
Tekvpn(config)# flow-export template timeout-rate 1

Create Class Map

Tekvpn(config)# class-map NetFlow
Tekvpn(config-cmap)# match access-list NetFlow

Add Class-map to Policy-map

At this point you can add this class-map to the existing policy-map on your ASA or you can create a new one. For simplicity, I would suggest adding it to the existing policy-map. The ASA allows only one policy-map to be applied globally, so a new policy-map cannot be applied globally until the current global_policy is removed with no service-policy global_policy global, which also drops the default inspections that policy carries unless you recreate them.

A) Here is how you would create a new policy-map (the collector address was omitted in the original and is shown as the placeholder <collector-ip>; it must match the flow-export destination configured above):

Tekvpn(config-cmap)# policy-map NetFlowPolicy
Tekvpn(config-pmap)# class NetFlow
Tekvpn(config-pmap-c)# flow-export event-type all destination <collector-ip>

B) Apply the new policy-map globally (only after removing the existing global policy, as noted above)

Tekvpn(config)# service-policy NetFlowPolicy global

Here is how you would add the class-map to the existing policy-map (again with <collector-ip> standing in for the collector address):

Tekvpn(config)# policy-map global_policy
Tekvpn(config-pmap)# class NetFlow
Tekvpn(config-pmap-c)# flow-export event-type all destination <collector-ip>

You should begin to see flows exporting to your collector. Since NSEL reports the same connection events that several syslog messages already cover, you can suppress those duplicates with logging flow-export-syslogs disable once the collector is receiving data.

Verify Flows

Tekvpn(config-pmap)# show flow-export counters

destination: inside 2055
packets sent 913
block allocation failure 0
invalid interface 0
template send failure 0
no route to collector 0
failed to get lock on block 0
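The counters above only prove that the ASA is sending. To confirm the collector side is receiving and can actually decode what arrives, here is an added example (not code from the original post or from Cisco) of a minimal NetFlow v9 decoder in Python that listens on UDP 2055, caches the templates the ASA advertises, and prints the NSEL fields from each data record. The field numbers and the firewall-event codes are the standard NetFlow v9/NSEL ones; the sample datagram embedded for offline testing is constructed, not a real ASA capture.

```python
"""Minimal NetFlow v9 / ASA NSEL decoder (added example, not from the original post)."""
import socket
import struct
from ipaddress import ip_address

# NetFlow v9 field types that ASA NSEL templates commonly carry.
FIELD_NAMES = {4: "protocol", 7: "src_port", 8: "src_addr", 11: "dst_port", 12: "dst_addr", 233: "fw_event"}
# Values of field 233 (firewall event) as ASA exports them.
FW_EVENTS = {1: "flow-create", 2: "flow-teardown", 3: "flow-denied", 4: "alert", 5: "flow-update"}


def _decode_field(ftype, raw):
    """IPv4 address fields become dotted quads; everything else is a big-endian integer."""
    if ftype in (8, 12) and len(raw) == 4:
        return str(ip_address(raw))
    return int.from_bytes(raw, "big")


def parse_v9(packet, templates):
    """Decode one NetFlow v9 datagram.

    templates is a dict keyed by (source_id, template_id) -> [(field_type, field_len), ...];
    it is updated from template flowsets and reused for later data flowsets.
    Returns a list of decoded data records (dicts). Data that arrives before its
    template is skipped, which is why the ASA's template timeout-rate matters.
    """
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    records, offset = [], 20
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
        if length < 4:
            raise ValueError("bad flowset length")
        body = packet[offset + 4:offset + length]
        if flowset_id == 0:  # template flowset: one or more (template_id, field list) entries
            pos = 0
            while pos + 4 <= len(body):
                tid, fcount = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if tid < 256:  # template ids start at 256; anything lower is padding
                    break
                fields = []
                for _ in range(fcount):
                    fields.append(struct.unpack("!HH", body[pos:pos + 4]))
                    pos += 4
                templates[(source_id, tid)] = fields
        elif flowset_id >= 256:  # data flowset, id names the template it was encoded with
            fields = templates.get((source_id, flowset_id))
            rec_len = sum(flen for _, flen in fields) if fields else 0
            pos = 0
            while rec_len and pos + rec_len <= len(body):
                rec = {}
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = _decode_field(ftype, body[pos:pos + flen])
                    pos += flen
                if "fw_event" in rec:
                    rec["fw_event"] = FW_EVENTS.get(rec["fw_event"], rec["fw_event"])
                records.append(rec)
        # flowset id 1 (options template) and unknown ids fall through and are skipped
        offset += length
    return records


def build_sample_packet():
    """Constructed NSEL-style datagram: template 256 plus one denied-flow record (not a real capture)."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (233, 1)]
    tmpl_body = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    tmpl_flowset = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body
    rec = ip_address("10.1.1.5").packed + ip_address("192.0.2.10").packed + struct.pack("!HHBB", 51234, 443, 6, 3)
    pad = (-len(rec)) % 4  # data flowsets are padded to a 4-byte boundary
    data_flowset = struct.pack("!HH", 256, 4 + len(rec) + pad) + rec + b"\x00" * pad
    header = struct.pack("!HHIIII", 9, 2, 123456, 1700000000, 1, 0)
    return header + tmpl_flowset + data_flowset


def decode_sample():
    """Decode the constructed datagram with an empty template cache."""
    return parse_v9(build_sample_packet(), {})


def listen(port=2055, bind_addr="0.0.0.0"):
    """Receive exports from the ASA on the port used in the post and print each decoded record."""
    templates = {}
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (src, _) = sock.recvfrom(65535)
        for rec in parse_v9(data, templates):
            print(src, rec)


if __name__ == "__main__":
    print(decode_sample())  # offline check of the decoder
    listen()                # then wait for the ASA
```

Run it on the collector host while "packets sent" climbs on the ASA; if the script prints nothing for a while, the most common causes are a host firewall on UDP 2055, the ASA reaching the collector through a different interface than the one named in flow-export destination (which shows up as "no route to collector"), or data records arriving before the template, which resolves within the template timeout-rate.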
