Configuring Netflow on ASA's

| Comments

Netflow is data that the ASA will send to a netflow collector which will then give details regarding bandwith used, top talkers, number of connections, etc. Unfortunately there aren’t any show commands on the ASA to determine this. In other words no data is stored on the ASA regarding netflow. Instead it is sent real time to the collector.

Netflow is supported on ASA version 8.1 and later. Note that v8.1 was for 5580’s only. Version 8.2.x is available to any ASA. It uses netflow version 9.

ASA Config

Define the collector(s)

Port 9996 is the default port.
flow-export destination INSIDE 172.16.200.101 9996

Indicate how often (in minutes) to send the template to the collector
flow-export template timeout-rate 30

Delay transmission of flow creation events for short lived flows in seconds. This is optional. If omitted from the configuration there will not be any delay.
flow-export delay flow-create 3

Define the Traffic to be Collected

To send netflow info for all traffic

policy-map global_policy
class class-default
flow-export event-type all destination 172.16.200.101

To send netflow for specific traffic
Create an ACL for desired traffic
access-list ACL-FLOW-EXPORT extended permit ip 172.16.200.0 255.255.255.0 any

Create a class-map
class-map CLASS-NETFLOW
match access-list ACL-FLOW-EXPORT

Add the class to whatever global service policy is on the firewall The IP must match one of the defined netflow collectors from earlier.
policy-map global_policy
class CLASS-NETFLOW
flow-export event-type flow-create destination 172.16.200.101

Show Command

The only show command is just to verify it is sending netflows
show flow-export counters

Sample Netflow Output

Sample output from a linux netflow collector using nfcap and nfdump:

[linuxbox]~$ nfdump -T -r 2010/01/17/nfcapd.201001171035 -a  -A srcip,srcport,dstip,dstport -o extended -c 20
nfdump filter:
any
Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Flags Tos  Packets    Bytes      pps      bps    Bpp Flows
2010-01-17 10:34:39.616   179.955     0     172.16.100.1:41212 ->   172.16.200.101:9996  .A....   0        5      884        0       39    176     5
2010-01-17 10:35:34.285     0.252     0   172.16.200.102:57274 ->   174.129.41.112:80    .AP.SF   0        7     1562       27    49587    223     1
2010-01-17 10:35:34.365     0.256     0   174.129.41.112:80    ->   172.16.200.102:57274 .AP.SF  32        6     1103       23    34468    183     1
2010-01-17 10:31:09.471   300.156     0     172.16.100.1:0     ->        224.0.0.5:0     .A.... 192       31     2108        0       56     68     1
2010-01-17 10:36:34.352     0.320     0   172.16.200.102:57275 ->   174.129.41.112:80    .AP.SF   0        7     1562       21    39049    223     1
2010-01-17 10:36:34.436     0.320     0   174.129.41.112:80    ->   172.16.200.102:57275 .AP.SF   0        6     1103       18    27574    183     1
2010-01-17 10:36:36.912     0.020     0     66.102.7.100:80    ->   172.16.200.102:57267 .A...F   0        2      104       99    41599     52     1
2010-01-17 10:36:36.912     0.000     0   172.16.200.102:57267 ->     66.102.7.100:80    .A...F   0        2      104        0        0     52     1
2010-01-17 10:36:47.088     6.698     0     66.102.7.100:80    ->   172.16.200.102:57269 .A...F   0        2      104        0      124     52     2
2010-01-17 10:36:47.092     6.676     0   172.16.200.102:57269 ->     66.102.7.100:80    .A...F   0        2      104        0      124     52     1
2010-01-17 10:37:34.543     0.308     0   172.16.200.102:57279 ->   174.129.41.112:80    .AP.SF   0        7     1562       22    40571    223     1
2010-01-17 10:37:34.623     0.332     0   174.129.41.112:80    ->   172.16.200.102:57279 .AP.SF   0        6     1103       18    26578    183     1
2010-01-17 10:37:34.531     0.000     0   172.16.200.102:62395 ->     68.105.28.11:53    .A....   0        1       76        0        0     76     1
2010-01-17 10:37:34.539     0.000     0     68.105.28.11:53    ->   172.16.200.102:62395 .A....   0        1      275        0        0    275     1
2010-01-17 10:38:35.529     0.316     0   172.16.200.102:57281 ->   174.129.41.112:80    .AP.SF   0        7     1562       22    39544    223     1
Summary: total flows: 20, total bytes: 13316, total packets: 92, avg bps: 238, avg pps: 0, avg bpp: 144
Time window: 2010-01-17 10:31:09 - 2010-01-17 10:39:36
Total flows processed: 27, Records skipped: 0, Bytes read: 1416
Sys: 0.000s flows/second: 0.0        Wall: 0.000s flows/second: 156069.4

Posted by Jack asa, cisco, netflow, scripts

Comments