Blog

Configuring Cisco ASA for NetFlow Export via CLI

Over the last few weeks, I have taken a number of support calls from customers who were looking for some assistance configuring their Cisco ASA. So, I figured that I would take this opportunity to revisit some older blog subjects.

In my opinion, the easiest way to get NSEL exporting from these security appliances is through the use of the ASDM interface. This simple, GUI-based firewall management tool allows you to quickly configure the Cisco ASA without having to use the cumbersome command-line interface.

And that brings me to the subject of this blog.

Configuring the Cisco ASA using the CLI is really not that much different that configuring NetFlow on any other router or switch. You define your timeout value, flow export destination, and which interface is going to send the export. The difference is that you need to set up a service policy, and access rules that allow the export. As well as define which events are going to get exported and where.

So let’s get started.

First we need to set up an ACL to catch all IP traffic – to specify the traffic you are interested in

(config)#access-list flow_export_acl extended permit ip any any

If you want to limit what gets logged, you can set ACL to log only events between certain hosts. And optionally send those events to one collector appliance and log all other events to a second collector.

(config)#  access-list flow_export_acl permit ip host 210.165.200.2 host 210.165.201.3

Next we set up the destination server ip and template rate

(config)#  flow-export destination [interface name] [IP address] [port #]

(config)#  flow-export delay flow-create 15
(config)#  flow-export template timeout-rate 1

** If you are running FW version 8.4.5, you can now set an active flow timeout. This creates a update event that sends a delta bit count for active conversations.

(config)#  flow-export active refresh-interval 60

Now we want to build the class-map for the flow that matches the ACL

(config)# class-map flow_export_class
(config-cmap)# match access-list flow_export_acl

OK, now it’s time to either add our flow_export_class to the default global policy-map, or build a new export policy-map

Add to the default global policy-map       ** note – your global policy-map may have a different name (ie. global-policy or global_policy)

(config)# policy-map global
(config-pmap)# class flow_export_class

And specify the event types that we will export and to where

(config-pmap-c)# flow-export event-type all destination [IP address]

Or, create a new export policy

(config)# policy-map flow_export_policy
(config-pmap)# class flow_export_class

And specify the event types that we will export and to where

(config-pmap-c)# flow-export event-type all destination [IP address]

We’re almost finished

Last thing that we need to do if we created a flow_export_policy, is apply the policy-map to whatever global policy we have. Otherwise, skip this step and we will use the current global service-policy

(config)# service-policy flow_export_policy global

You can get information about what the ASA is doing in terms of the flow output by using the following commands:

show flow-export counters

show service-policy global flow ip host [source IP] host [dest IP]

show access-list flow_export_acl

Now that wasn’t too bad, was it?

Obviously you’re going to need some sort of NetFlow collector appliance. I would recommend using our NetFlow and sFlow Analysis tool. We have been the industry leader when it comes to NetFlow reporting from security events exported from the Cisco ASA’s.