Netflow on Cisco ASA 5505
Posted on 2009-07-03
I am running 8.2.1 on a couple of Cisco ASA 5505s at two different sites. The sites are connected via a site-to-site VPN. I have successfully configured NetFlow on the ASA at site 1 to report to a local application. I am having difficulty getting the ASA at site 2 to communicate with the app at site 1. On the site 2 ASA, I have run the following commands:
flow-export destination outside 220.127.116.11 2055
flow-export template timeout-rate 5
18.104.22.168 represents the public IP at site 1. The software vendor prefers that the NetFlow traffic is sent to the public IP rather than over the VPN to site 1's private address (192.168.100.1). I have verified (sh flow-export counters) that packets are being sent from site 2.
I have the following in the ASA config at site 1:
access-list outside_in extended permit tcp any any eq 2055
access-list outside_in extended permit udp any any eq 2055
access-group outside_in in interface outside
static (inside,outside) tcp interface 2055 192.168.100.10 2055 netmask 255.255.255.255
static (inside,outside) udp interface 2055 192.168.100.10 2055 netmask 255.255.255.255
When I do a 'sh access-list outside_in' I don't see any matches.
Can anyone see an obvious error with this? It looks OK to me... I even threw in TCP/UDP just to cover the bases. Any help is appreciated.
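One way to separate "the ASA is exporting" from "the packets reach the collector host" is to listen on UDP/2055 on the collector machine itself (behind the static NAT) and decode whatever arrives. The ASA exports NetFlow v9 (NSEL) records, so a minimal v9 header and template parser is enough to confirm both that export packets make it through and that a template flowset has been received (which is what `flow-export template timeout-rate` controls). This is an added example, not code from the original post or from the collector vendor; the sample packet, its template id 256, its field types and the addresses in it are constructed for illustration.

```python
"""Minimal NetFlow v9 (ASA NSEL) header/template decoder plus a UDP/2055 listener.
Added example for checking that flow-export packets arrive at the collector host."""
import socket
import struct

# NetFlow v9 packet header: version, count, sysUptime, unixSecs, sequence, sourceId
NETFLOW_V9_HEADER = struct.Struct("!HHIIII")
# Every flowset starts with: flowset id (0 = template, >=256 = data), total length
FLOWSET_HEADER = struct.Struct("!HH")


def parse_v9(packet: bytes) -> dict:
    """Decode the header and walk the flowsets; raise ValueError on anything malformed."""
    if len(packet) < NETFLOW_V9_HEADER.size:
        raise ValueError("packet shorter than a NetFlow v9 header")
    version, count, _uptime, _unix_secs, seq, source_id = NETFLOW_V9_HEADER.unpack_from(packet, 0)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version field = {version})")
    result = {"version": version, "count": count, "sequence": seq,
              "source_id": source_id, "templates": {}, "data_flowsets": []}
    offset = NETFLOW_V9_HEADER.size
    while offset + FLOWSET_HEADER.size <= len(packet):
        fs_id, fs_len = FLOWSET_HEADER.unpack_from(packet, offset)
        if fs_len < FLOWSET_HEADER.size or offset + fs_len > len(packet):
            raise ValueError("malformed flowset length")
        body = packet[offset + FLOWSET_HEADER.size:offset + fs_len]
        if fs_id == 0:
            # Template flowset: repeated (template_id, field_count, [field_type, field_len]*)
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                pos += 4
                if tid == 0 and nfields == 0:
                    break  # 4-byte alignment padding at the end of the flowset
                fields = []
                for _ in range(nfields):
                    if pos + 4 > len(body):
                        raise ValueError("truncated template record")
                    fields.append(struct.unpack_from("!HH", body, pos))
                    pos += 4
                result["templates"][tid] = fields
        elif fs_id >= 256:
            # Data flowset: record layout is only known once its template has been seen
            result["data_flowsets"].append((fs_id, len(body)))
        offset += fs_len
    return result


def is_valid_v9(packet: bytes) -> bool:
    """Convenience wrapper: True if the packet decodes as NetFlow v9, False otherwise."""
    try:
        parse_v9(packet)
        return True
    except ValueError:
        return False


def build_sample_packet() -> bytes:
    """Constructed sample: one template (id 256) and one matching data record.
    Field types follow the public v9 field numbers: 8=IPV4_SRC_ADDR, 12=IPV4_DST_ADDR,
    7=L4_SRC_PORT, 11=L4_DST_PORT. Addresses and ports are made up."""
    template = struct.pack("!HH", 256, 4) + struct.pack("!HHHHHHHH", 8, 4, 12, 4, 7, 2, 11, 2)
    template_fs = FLOWSET_HEADER.pack(0, FLOWSET_HEADER.size + len(template)) + template
    record = (socket.inet_aton("192.168.100.10") + socket.inet_aton("10.0.0.5")
              + struct.pack("!HH", 40000, 2055))
    data_fs = FLOWSET_HEADER.pack(256, FLOWSET_HEADER.size + len(record)) + record
    header = NETFLOW_V9_HEADER.pack(9, 2, 123456, 1246579200, 1, 0)
    return header + template_fs + data_fs


def listen_once(port: int = 2055, timeout: float = 30.0):
    """Bind UDP/<port> on the collector host, wait for one packet and decode it.
    Returns (source_ip, parsed) or None if nothing arrived before the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("", port))
        sock.settimeout(timeout)
        try:
            data, (src_ip, _src_port) = sock.recvfrom(65535)
        except socket.timeout:
            return None
    return src_ip, parse_v9(data)


if __name__ == "__main__":
    # Offline self-check on the constructed packet, then a live listen on UDP/2055.
    print(parse_v9(build_sample_packet()))
    print(listen_once() or "no NetFlow packet received on UDP/2055 within the timeout")
```

Run it on the collector host (192.168.100.10 in the post) with the vendor's collector stopped so the port is free; if `listen_once` returns None while `sh flow-export counters` on the site 2 ASA keeps incrementing, the drop is somewhere between the ASA's outside interface and the NAT at site 1, not in the export itself. Seeing packets with an empty `templates` dict for a long stretch is also useful: data flowsets cannot be decoded until a template has arrived, which is exactly what the template refresh timer is for.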