Solved

Netflow on Cisco ASA 5505

Posted on 2009-07-03
Last Modified: 2013-11-16
I am running 8.2.1 on a couple of Cisco ASA 5505s at two different sites. The sites are connected via a site-to-site VPN. I have successfully configured NetFlow on the ASA at site 1 to report to a local application. I am having difficulty getting the ASA at site 2 to communicate with the app at site 1. On the site 2 ASA, I have run the following commands:


flow-export destination outside 12.12.12.12 2055
flow-export template timeout-rate 5
flow-export enable

12.12.12.12 represents the public IP at site 1. The software vendor prefers that the NetFlow traffic be sent to the public IP rather than over the VPN to site 2's private address (192.168.100.1). I have verified (sh flow-export counters) that packets are being sent from site 2.

I have the following in the ASA config at site 1.

access-list outside_in extended permit tcp any any eq 2055
access-list outside_in extended permit udp any any eq 2055
access-group outside_in in interface outside

static (inside,outside) tcp interface 2055 192.168.100.10 2055 netmask 255.255.255.255
static (inside,outside) udp interface 2055 192.168.100.10 2055 netmask 255.255.255.255

When I do a 'sh access-list outside_in', I don't see any matches.


Can anyone see an obvious error with this? It looks OK to me... I even threw in TCP/UDP just to cover the bases. Any help is appreciated.

Question by: FIFBA

3 Comments
Expert Comment by: MikeKane
I don't see anything wrong with the code you have.

Is site 1's ASA reporting any dropped packets in the syslog?

Accepted Solution by: lrmoore (earned 500 total points)
>access-list outside_in extended permit udp any any eq 2055
ASA likes the keyword "interface" best...

access-list outside_in extended permit udp any interface outside eq 2055

Else I would highly suggest just going through the VPN tunnel and telling the vendor to deal with it.

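As an added example (not part of the original thread or either participant's config), here is the site 1 configuration from the question rewritten in the form the accepted solution suggests, tightened the way a practitioner would deploy it, followed by the ASA-side checks that show whether the ACL and PAT are actually taking hits. 13.13.13.13 is an assumed public IP for the site 2 ASA and "nf" is an assumed capture name; 12.12.12.12, 192.168.100.10, the interface names and the ACL name are the ones in the question.

```text
! Site 1 ASA (collector side), ASA 8.2 syntax. Added example, not the
! original poster's config. 13.13.13.13 is an assumed public IP for the
! site 2 ASA; 12.12.12.12 and 192.168.100.10 are from the question.

! Weak form (as posted): any source, any destination, TCP and UDP.
! Combined with the static PATs it exposes port 2055 on the outside
! address to the whole Internet. NetFlow/NSEL export is UDP only, so
! the TCP entries add exposure without adding function.
!   access-list outside_in extended permit tcp any any eq 2055
!   access-list outside_in extended permit udp any any eq 2055

! Corrected form. "interface outside" matches packets addressed to this
! ASA's own outside IP, which is what a PAT to "interface" receives.
! The source is pinned to the site 2 exporter.
access-list outside_in extended permit udp host 13.13.13.13 interface outside eq 2055
access-group outside_in in interface outside

! Only the UDP translation is needed; remove the TCP one.
no static (inside,outside) tcp interface 2055 192.168.100.10 2055 netmask 255.255.255.255
static (inside,outside) udp interface 2055 192.168.100.10 2055 netmask 255.255.255.255

! Checks, run on the site 1 ASA while site 2 is exporting.
! 1. Simulate one export packet. The UN-NAT phase should show
!    192.168.100.10 and the result should be "allow", not a drop at
!    the ACCESS-LIST phase.
packet-tracer input outside udp 13.13.13.13 40000 12.12.12.12 2055
! 2. The hitcnt on the 2055 entry should now be incrementing.
show access-list outside_in
! 3. Confirm the packets are reaching the outside interface at all.
capture nf interface outside match udp host 13.13.13.13 host 12.12.12.12 eq 2055
show capture nf
```

If the ACE hit count stays at zero while site 2's `show flow-export counters` keeps climbing, the export is not reaching the site 1 outside interface and the fault is upstream of the ACL (or the packets are leaving site 2 via a different interface than expected). On the collector host, a packet capture on UDP 2055 confirms the PAT is delivering. Even with the source pinned, NetFlow is unauthenticated UDP and a spoofed source address will pass this ACE, which is the practical argument for lrmoore's alternative of sending the export over the tunnel; for that path the exporter's source is the IP of the interface named in `flow-export destination`, so that address has to fall inside the tunnel's crypto ACL.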
Expert Comment by: jakemichaelwilson
Scrutinizer is free and it supports NetFlow from the Cisco ASA firewall:
http://www.plixer.com/products/netflow-sflow/free-netflow-scrutinizer.php

Here is how to configure it:
http://www.plixer.com/blog/netflow/netflow-security-event-logging-with-the-cisco-asa/ 

Mike
