Solved

Netflow on Cisco ASA 5505

Posted on 2009-07-03
Last Modified: 2013-11-16
I am running 8.2.1 on a couple of Cisco ASA 5505s at 2 different sites. The sites are connected via a site-to-site VPN. I have successfully configured netflow on the ASA at site 1 to report to a local application. I am having difficulty getting the ASA at site 2 to communicate with the app at site 1. On the site 2 ASA, I have run the following commands:


flow-export destination outside 12.12.12.12 2055
flow-export template timeout-rate 5
flow-export enable

12.12.12.12 represents the public IP at site 1. The software vendor prefers that the netflow traffic is sent to the public IP rather than over the VPN to site 2's private address (192.168.100.1). I have verified (sh flow-export counters) that packets are being sent from site 2.

I have the following in the asa config at site 1.

access-list outside_in extended permit tcp any any eq 2055
access-list outside_in extended permit udp any any eq 2055
access-group outside_in in interface outside

static (inside,outside) tcp interface 2055 192.168.100.10 2055 netmask 255.255.255.255
static (inside,outside) udp interface 2055 192.168.100.10 2055 netmask 255.255.255.255

When I do a 'sh access-list outside_in' I don't see any matches.


Can anyone see an obvious error with this? It looks ok to me...I even threw in TCP/UDP just to cover the bases. Any help is appreciated.

Question by:FIFBA
by:MikeKane
ID: 24773620
I don't see anything wrong with the code you have.  

Is site1's ASA reporting any dropped packets in the Syslog?  

Accepted Solution

by:lrmoore
ID: 24774601
>access-list outside_in extended permit udp any any eq 2055
ASA likes the keyword "interface" best...

access-list outside_in extended permit udp any interface outside eq 2055

Else I would highly suggest just going through the VPN tunnel and telling the vendor to deal with it.
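A tighter form of the site 1 rules discussed in this thread, as an added example that is not from any of the posters: it keeps the accepted answer's "interface outside" destination but limits the source to the site 2 exporter and drops the TCP entries, since ASA NetFlow export is sent over UDP and the "any any" rules expose the collector on port 2055 to every Internet host. 203.0.113.20 is a placeholder for site 2's public IP, which the thread does not give.

```cisco
! Site 1 ASA (8.2.x syntax, as used in the question).
! 203.0.113.20 is a placeholder for site 2's public IP (not given in the thread).

! Before (from the question): any Internet host can reach the collector on 2055.
!   access-list outside_in extended permit tcp any any eq 2055
!   access-list outside_in extended permit udp any any eq 2055

! After: remove the broad entries and the unused TCP translation.
no access-list outside_in extended permit tcp any any eq 2055
no access-list outside_in extended permit udp any any eq 2055
no static (inside,outside) tcp interface 2055 192.168.100.10 2055 netmask 255.255.255.255

! Permit only the site 2 exporter, UDP only, to the outside interface address.
access-list outside_in extended permit udp host 203.0.113.20 interface outside eq 2055

! Unchanged from the question: UDP port forward to the collector and ACL binding.
static (inside,outside) udp interface 2055 192.168.100.10 2055 netmask 255.255.255.255
access-group outside_in in interface outside

! Check that exports from site 2 match the entry (hit count should increase).
show access-list outside_in
```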
by:jakemichaelwilson
ID: 25194328
Scrutinizer is free and it supports NetFlow from the Cisco ASA Firewall:
http://www.plixer.com/products/netflow-sflow/free-netflow-scrutinizer.php

Here is how to configure it:
http://www.plixer.com/blog/netflow/netflow-security-event-logging-with-the-cisco-asa/ 

Mike