How to Configure Netflow on a Cisco ASA

2
Draware A/S Teglgården 46 DK-3460 Birkerød Danmark CVR-nr.: DK-18663295 Tel: (+45) 45 76 20 21 Fax: (+45) 45 76 41 21 Web: www.draware.dk E-mail: [email protected] www.draware.dk How to configure Netflow on a Cisco ASA: ASA NetFlow export is dependent on the version of ASA software running. ASA version 8.2 software supports NetFlow export across all ASA models, but some models may function on a lower software level. The following fields must be included in the ASA configuration to export flow data to the Orion NetFlow Traffic Analyzer module. Notes: This sample configuration has been verified on an ASA 5505 running ASA software version 8.2(1)12. Configured firewall rules should be tested when ASA configuration changes are made. Some ASA systems will not export without the flow-export enable command also included. There is a bug in ASA versions prior to 8.2.1.12 that causes flow information to be reported from incorrect interfaces. In all ASA exporters, flow information is exported without regard to flow direction. As a result, duplicate flows appear to come from both endpoints of a conversation, and it can be difficult to determine which endpoint is receiving and which endpoint is transmitting in a selected conversation. The following commands must be included in your global service policy for ASA NetFlow export to function. 1. (config)# flow-export destination <interface name> <Orion server IP address> 2055 Notes: o Replace <interface name> with the interface name that will be used to send exports to Orion NTA. This interface must be on the same side of the ASA as the Orion server. o Replace Orion server IP address with the IP address of your Orion NTA server. 2. (config)# flow-export template timeout-rate <#_minutes> Note: This command sets the interval, in minutes, at which template information is sent to your NTA server. The default is 1 minutes, and this will probably work in most cases. 3. (config)# flow-export delay flow-create <#_seconds> Note: This command sets the flow-create delay to allow short-lived, identical flows to be exported as a single flow if they occur during the specified delay period. Setting this delay to 60 seconds should work for most environments. 4. (config)# logging flow-export syslogs disable Note: This setting is optional, but it is recommended, as it eliminates the impact of flow-exported syslogs that may cause performance issues. This setting is not supported by all ASA software versions 5. (config)# access-list netflow-export extended permit ip any any Note: This command defines an access list called netflow-export to specify the traffic of interest. The provided syntax includes all traffic. 6. (config)# class-map netflow-export-class Note: This command enters class map configuration mode and defines a class called netflow- export-class. 7. (config-cmap)# match access-list netflow-export Note: This command maps the netflow-export access list to the defined netflow-export-class class. 8. (config)# policy-map netflow-policy Note: This command enters policy map configuration mode and defines a policy called netflow- policy. 9. (config-pmap)# class netflow-export-class Note: This command maps the netflow-export-class class to the defined netflow-policy policy.

Transcript of How to Configure Netflow on a Cisco ASA

Page 1: How to Configure Netflow on a Cisco ASA

Draware A/S – Teglgården 46 – DK-3460 Birkerød – Danmark – CVR-nr.: DK-18663295 Tel: (+45) 45 76 20 21 – Fax: (+45) 45 76 41 21 – Web: www.draware.dk – E-mail: [email protected]

www.draware.dk

How to configure Netflow on a Cisco ASA: ASA NetFlow export is dependent on the version of ASA software running. ASA version 8.2 software supports NetFlow export across all ASA models, but some models may function on a lower software level. The following fields must be included in the ASA configuration to export flow data to the Orion NetFlow Traffic Analyzer module. Notes:

This sample configuration has been verified on an ASA 5505 running ASA software version 8.2(1)12. Configured firewall rules should be tested when ASA configuration changes are made. Some ASA systems will not export without the flow-export enable command also included. There is a bug in ASA versions prior to 8.2.1.12 that causes flow information to be reported from

incorrect interfaces. In all ASA exporters, flow information is exported without regard to flow direction. As a result,

duplicate flows appear to come from both endpoints of a conversation, and it can be difficult to determine which endpoint is receiving and which endpoint is transmitting in a selected conversation.

The following commands must be included in your global service policy for ASA NetFlow export to function. 1. (config)# flow-export destination <interface name> <Orion server IP address> 2055

Notes: o Replace <interface name> with the interface name that will be used to send exports to

Orion NTA. This interface must be on the same side of the ASA as the Orion server. o Replace Orion server IP address with the IP address of your Orion NTA server.

2. (config)# flow-export template timeout-rate <#_minutes> Note: This command sets the interval, in minutes, at which template information is sent to your NTA server. The default is 1 minutes, and this will probably work in most cases.

3. (config)# flow-export delay flow-create <#_seconds> Note: This command sets the flow-create delay to allow short-lived, identical flows to be exported as a single flow if they occur during the specified delay period. Setting this delay to 60 seconds should work for most environments.

4. (config)# logging flow-export syslogs disable Note: This setting is optional, but it is recommended, as it eliminates the impact of flow-exported syslogs that may cause performance issues. This setting is not supported by all ASA software versions

5. (config)# access-list netflow-export extended permit ip any any Note: This command defines an access list called netflow-export to specify the traffic of interest. The provided syntax includes all traffic.

6. (config)# class-map netflow-export-class Note: This command enters class map configuration mode and defines a class called netflow-export-class.

7. (config-cmap)# match access-list netflow-export Note: This command maps the netflow-export access list to the defined netflow-export-class class.

8. (config)# policy-map netflow-policy Note: This command enters policy map configuration mode and defines a policy called netflow-policy.

9. (config-pmap)# class netflow-export-class Note: This command maps the netflow-export-class class to the defined netflow-policy policy.

Page 2: How to Configure Netflow on a Cisco ASA

Draware A/S – Teglgården 46 – DK-3460 Birkerød – Danmark – CVR-nr.: DK-18663295 Tel: (+45) 45 76 20 21 – Fax: (+45) 45 76 41 21 – Web: www.draware.dk – E-mail: [email protected]

www.draware.dk

10. (config-pmap-c)# flow-export event-type all destination <Orion server IP address> Notes:

o This command defines both the NSEL event types (all) to be exported and the export target (your Orion NTA server).

o Replace Orion server IP address with the IP address of your Orion NTA server. Steps 8-10 create a new policy map for NetFlow, but you can also add the created class map (netflow-export-class) to an existing or current policy. If this is a new policy, you will need to apply the policy map to your ASA either at an interface policy level or at the global level. If you are applying the netflow-policy policy at the global level, use the following command:

11. (config)# service-policy netflow-policy global Note: This command maps the netflow-policy policy to the existing global policy.

This article applies to: Orion NetFlow Traffic Analyzer 3.5 SP2 and higher


How To - Configure Cisco ASA 5505 - Home - Polycom ...community.polycom.com/polycom/attachments/polycom...How To: Configure a Cisco ASA 5505 for Video Conferencing There are five main

How To - Configure Cisco ASA 5505 - Home - Polycom ...community.polycom.com/polycom/attachments/polycom...How To: Configure a Cisco ASA 5505 for Video Conferencing There are five main

Configuring NetFlow · CHAPTER 44-1 Software Configuration Guide—Release 12.2(37)SG OL-12524-01 44 Configuring NetFlow This chapter describes how to configure NetFlow Stat istics

Configuring NetFlow · CHAPTER 44-1 Software Configuration Guide—Release 12.2(37)SG OL-12524-01 44 Configuring NetFlow This chapter describes how to configure NetFlow Stat istics

1 Netflow 6/12/07. 2 Overview Why use netflow? What is a flow? Deploying Netflow Performance Impact.

1 Netflow 6/12/07. 2 Overview Why use netflow? What is a flow? Deploying Netflow Performance Impact.

netflow (1)

netflow (1)

Configure ASA as the SSL Gateway for AnyConnect …...This document describes how to configure an€Adaptive Security Appliance (ASA) as the Secure Sockets Layer (SSL) gateway for

Configure ASA as the SSL Gateway for AnyConnect …...This document describes how to configure an€Adaptive Security Appliance (ASA) as the Secure Sockets Layer (SSL) gateway for

Configure ASA VPN Posture with CSD, DAP and AnyConnect 4

Configure ASA VPN Posture with CSD, DAP and AnyConnect 4

Cisco ASA and NetFlow - LiveAction · PDF fileNetFlow is a Cisco traffic accounting technology built into the software and hardware of many Cisco switches and routers. NetFlow tracks

Cisco ASA and NetFlow - LiveAction · PDF fileNetFlow is a Cisco traffic accounting technology built into the software and hardware of many Cisco switches and routers. NetFlow tracks

ISE 2.0: ASA CLI TACACS+ Authentication and …...This document describes how to configure TACACS+ Authentication and Command Authorization on Cisco Adaptive Security Appliance (ASA)

ISE 2.0: ASA CLI TACACS+ Authentication and …...This document describes how to configure TACACS+ Authentication and Command Authorization on Cisco Adaptive Security Appliance (ASA)

VPN Using Cisco ASA · PDF fileVPN Using Cisco ASA 5505 Technology Design Guide ... Cisco ASA-based Remote Access VPN in the Remote Access VPN Design Guide. Procedure 1 Configure IPsec

VPN Using Cisco ASA · PDF fileVPN Using Cisco ASA 5505 Technology Design Guide ... Cisco ASA-based Remote Access VPN in the Remote Access VPN Design Guide. Procedure 1 Configure IPsec

AdventNet ManageEngine NetFlow Anayzer :: Help Docuementationmanageengine.pt/products/netflow/NetFlowAnalyzer_UserGuide.pdf · AdventNet ManageEngine NetFlow Anayzer :: Help Docuementation

AdventNet ManageEngine NetFlow Anayzer :: Help Docuementationmanageengine.pt/products/netflow/NetFlowAnalyzer_UserGuide.pdf · AdventNet ManageEngine NetFlow Anayzer :: Help Docuementation

Flexible NetFlow IPFIX Export Format · How to Configure Flexible NetFlow IPFIX Export Format Configuring the Flow Exporter Performthisrequiredtasktoconfiguretheflowexporter. ...

Flexible NetFlow IPFIX Export Format · How to Configure Flexible NetFlow IPFIX Export Format Configuring the Flow Exporter Performthisrequiredtasktoconfiguretheflowexporter. ...

SOLARWINDS ENGINEER’S TOOLSETcdn.swcdn.net/creative/v9.7/pdf/datasheets/SW_ET_datasheet.pdf · NetFlow Configurator Enables you to remotely configure NetFlow v5 via SNMP on supported

SOLARWINDS ENGINEER’S TOOLSETcdn.swcdn.net/creative/v9.7/pdf/datasheets/SW_ET_datasheet.pdf · NetFlow Configurator Enables you to remotely configure NetFlow v5 via SNMP on supported

CCNA Security Chapter 10 - Configure ASA Basic Settings ... · PDF fileConfigure DHCP, address translation, ... (config)# ip route 0.0.0.0 0.0.0.0 10.2.2.2 b. Configure a static route

CCNA Security Chapter 10 - Configure ASA Basic Settings ... · PDF fileConfigure DHCP, address translation, ... (config)# ip route 0.0.0.0 0.0.0.0 10.2.2.2 b. Configure a static route

Configuring NetFlow and NDE - CiscoChapter 56 Configuring NetFlow and NDE Understanding How NetFlow and NDE Work • NetFlow and NDE on the PFC, page 56-2 NetFlow and NDE Overview

Configuring NetFlow and NDE - CiscoChapter 56 Configuring NetFlow and NDE Understanding How NetFlow and NDE Work • NetFlow and NDE on the PFC, page 56-2 NetFlow and NDE Overview

NetFlow monitoring

NetFlow monitoring

NetFlow Integrator Standard · NetFlow Integrator Standard Edition Administrators Guide NetFlow Logic Confidential 3 Overview How NetFlow Integrator Works NetFlow Integrator (NFI)

NetFlow Integrator Standard · NetFlow Integrator Standard Edition Administrators Guide NetFlow Logic Confidential 3 Overview How NetFlow Integrator Works NetFlow Integrator (NFI)

Netflow Performance

Netflow Performance

Configure ASA as a Local CA Server and AnyConnect … and enable the Local CA Server on ASA Step 2. Create and add ... Ensure that an AnyConnect client package has ... Configure ASA

Configure ASA as a Local CA Server and AnyConnect … and enable the Local CA Server on ASA Step 2. Create and add ... Ensure that an AnyConnect client package has ... Configure ASA

CCNA Security Chapter 10 - Configure ASA Basic Settings and … · 2016. 7. 10. · CCNA Security Chapter 10 - Configure ASA Basic Settings and Firewall using ASDM Topology ... The

CCNA Security Chapter 10 - Configure ASA Basic Settings and … · 2016. 7. 10. · CCNA Security Chapter 10 - Configure ASA Basic Settings and Firewall using ASDM Topology ... The

How To - Configure Cisco ASA 5505 - Home - Polycomcommunity.polycom.com/polycom/attachments/polycom/VideoEndpoin… · How To: Configure a Cisco ASA 5505 for Video ... 5 for each

How To - Configure Cisco ASA 5505 - Home - Polycomcommunity.polycom.com/polycom/attachments/polycom/VideoEndpoin… · How To: Configure a Cisco ASA 5505 for Video ... 5 for each