NetFlow is data the ASA sends to a NetFlow collector, which then reports details such as bandwidth used, top talkers, number of connections, etc. Unfortunately there aren't any show commands on the ASA to report this: no flow data is stored on the ASA. Instead it is sent in real time to the collector, so if the collector is down, that data is simply lost.
NetFlow export is supported on ASA version 8.1 and later. Note that 8.1 was for the 5580 only; 8.2.x is available on any ASA. The ASA exports NetFlow version 9 records (Cisco calls this NetFlow Secure Event Logging, NSEL). Unlike router NetFlow, the ASA reports connection events (create, teardown, denied) rather than periodic flow statistics, which matters when you pick and tune a collector.
ASA Config
Define the collector(s)
The UDP port must match the one your collector listens on; 9996 is used here, along with the interface the collector is reached through.
  flow-export destination INSIDE 172.16.200.101 9996
Indicate how often (in minutes) the template that describes the record layout is resent to the collector. The default is 30 minutes; a collector cannot decode data records until it has received the template.
  flow-export template timeout-rate 30
Optionally delay transmission of flow-create events (in seconds). A flow that is torn down within the delay produces only a teardown event, which cuts the event volume for short-lived flows. If omitted from the configuration there is no delay.
  flow-export delay flow-create 3
Define the Traffic to be Collected
To send netflow info for all traffic
  policy-map global_policy
   class class-default
    flow-export event-type all destination 172.16.200.101
To send netflow for specific traffic
Create an ACL matching the desired traffic
  access-list ACL-FLOW-EXPORT extended permit ip 172.16.200.0 255.255.255.0 any
Create a class-map that references the ACL
  class-map CLASS-NETFLOW
   match access-list ACL-FLOW-EXPORT
Add the class to whatever global service policy is on the firewall (global_policy by default). The destination IP must match one of the NetFlow collectors defined earlier, and the event-type (here flow-create only) controls which connection events are exported for that class.
  policy-map global_policy
   class CLASS-NETFLOW
    flow-export event-type flow-create destination 172.16.200.101
Once the collector is receiving connection events, the connection setup, teardown and deny syslogs that duplicate them can be suppressed with logging flow-export-syslogs disable. Only do this if the collector, not syslog, is your record of connections.
Show Command
The only show command available verifies that the ASA is actually exporting records (the packet and template counters should increase over time):
  show flow-export counters
To review the export configuration itself, use show running-config flow-export.
Sample Netflow Output
Sample output from a Linux NetFlow collector using nfcapd and nfdump:
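To make concrete what the collector is actually receiving from the ASA (and why the template timeout-rate matters), here is a minimal NetFlow v9 decoder. It is an added example, not code from the original page or from nfdump: it parses the v9 header, caches template flowsets per exporter, decodes data flowsets against the cached template, and reports data that arrives before its template as undecoded. The packet it decodes is constructed inline rather than captured from an ASA, and the seven-field template is an assumed simplification; a real ASA template carries more fields (NAT addresses, ACL IDs, byte counts and so on) than this.

```python
"""Minimal NetFlow v9 decoder for ASA-style exports (added example, not the page's code).

The ASA sends a template flowset (ID 0) describing the record layout and data
flowsets (ID >= 256) that reference a template.  Records cannot be decoded until
the matching template has been seen, which is why the ASA resends templates every
`flow-export template timeout-rate` minutes.  Field IDs below are the standard
NetFlow v9 / IPFIX ones; the template is an assumed subset of what an ASA sends.
"""
import struct
from typing import Dict, List, Tuple

Template = List[Tuple[int, int]]                  # [(field_type, length), ...]
TemplateCache = Dict[Tuple[int, int], Template]   # keyed by (source_id, template_id)

# Standard NetFlow v9 field type IDs (assumed subset of an ASA template)
FIELD_NAMES = {4: "protocol", 7: "src_port", 8: "src_addr", 11: "dst_port",
               12: "dst_addr", 148: "conn_id", 233: "fw_event"}
# Firewall event codes carried in field 233
FW_EVENTS = {0: "default", 1: "created", 2: "deleted", 3: "denied", 4: "alert", 5: "updated"}


def _decode_field(ftype: int, raw: bytes):
    if ftype in (8, 12):                          # IPv4 addresses
        return ".".join(str(b) for b in raw)
    value = int.from_bytes(raw, "big")
    return FW_EVENTS.get(value, value) if ftype == 233 else value


def parse_v9(packet: bytes, templates: TemplateCache) -> List[dict]:
    """Decode one exported packet. `templates` persists across calls per exporter."""
    if len(packet) < 20:
        raise ValueError("short NetFlow packet")
    version, _count, _uptime, unix_secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"expected NetFlow v9, got version {version}")
    records: List[dict] = []
    offset = 20
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
        if fs_len < 4 or offset + fs_len > len(packet):
            raise ValueError("flowset length runs past packet end")
        body = packet[offset + 4:offset + fs_len]
        if fs_id == 0:                            # template flowset: may hold several templates
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                if tid == 0:                      # trailing padding
                    break
                pos += 4
                if pos + 4 * nfields > len(body):
                    raise ValueError("template truncated")
                templates[(source_id, tid)] = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                                               for i in range(nfields)]
                pos += 4 * nfields
        elif fs_id >= 256:                        # data flowset referencing a template
            fields = templates.get((source_id, fs_id))
            if fields is None:
                # Template not seen yet: a real collector buffers or drops these until it arrives
                records.append({"source_id": source_id, "template_id": fs_id, "undecoded": True})
            else:
                rec_len = sum(flen for _, flen in fields)
                pos = 0
                while rec_len and pos + rec_len <= len(body):   # stops at the 4-byte padding
                    rec = {"source_id": source_id, "export_time": unix_secs}
                    for ftype, flen in fields:
                        rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = _decode_field(ftype, body[pos:pos + flen])
                        pos += flen
                    records.append(rec)
        # fs_id 1 (options template) and other reserved IDs are skipped
        offset += fs_len
    return records


def count_events(records: List[dict]) -> Dict[str, int]:
    """Tally decoded records by firewall event; a spike in 'denied' is what a SOC watches for."""
    counts: Dict[str, int] = {}
    for rec in records:
        key = str(rec.get("fw_event", "undecoded"))
        counts[key] = counts.get(key, 0) + 1
    return counts


def build_sample_flowsets() -> Tuple[bytes, bytes, bytes]:
    """Constructed sample (not captured from an ASA): header, template flowset, data flowset."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (233, 1), (148, 4)]   # 18-byte records
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

    def rec(src, dst, sport, dport, proto, event, conn_id):
        def ip(a):
            return bytes(int(o) for o in a.split("."))
        return ip(src) + ip(dst) + struct.pack("!HHBBI", sport, dport, proto, event, conn_id)

    data = (rec("172.16.200.50", "93.184.216.34", 51234, 443, 6, 1, 1001)
            + rec("172.16.200.77", "10.9.9.9", 40000, 23, 6, 3, 1002))
    data_fs = struct.pack("!HH", 256, 4 + len(data)) + data
    header = struct.pack("!HHIIII", 9, 3, 123456, 1700000000, 1, 0)   # count = 1 template + 2 records
    return header, tmpl_fs, data_fs


def decode_sample() -> List[dict]:
    header, tmpl_fs, data_fs = build_sample_flowsets()
    return parse_v9(header + tmpl_fs + data_fs, {})


if __name__ == "__main__":
    for r in decode_sample():
        print(r)
    print(count_events(decode_sample()))
```

The template cache is keyed by (source_id, template_id) because each ASA (or each context) is a separate exporter and may reuse template IDs; feeding the data flowset to parse_v9 with an empty cache returns an undecoded placeholder, which is exactly what a collector sees for the first few seconds after it restarts, until the ASA's next template refresh.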