Netflow on Cisco ASA 5505

I am running 8.2.1 on a couple Cisco ASA 5505's at 2 different sites. The sites are connected via a site to site VPN.  I have successfully configured netflow on the ASA at site 1 to report to a local application. I am having difficulty getting the ASA at site 2 to communicate with the app at site 1. On the site 2 ASA, I have run the following commands:


flow-export destination outside 12.12.12.12 2055
flow-export template timeout-rate 5
flow-export enable

12.12.12.12 represents the public IP at site 1. The software vendor prefers that the netflow traffic is sent to the public IP rather than over the VPN to site 2's private address (192.168.100.1). I have verified (sh flow-export counters) that packets are being sent from site 2.

I have the following in the asa config at site 1.

access-list outside_in extended permit tcp any any eq 2055
access-list outside_in extended permit udp any any eq 2055
access-group outside_in in interface outside

static (inside,outside) tcp interface 2055 192.168.100.10 2055 netmask 255.255.255.255
static (inside,outside) udp interface 2055 192.168.100.10 2055 netmask 255.255.255.255

when I do a 'sh access-list outside_in' I don't see any matches.


Can anyone see an obvious error with this? It looks ok to me...I even threw in TCP/UDP just to cover the bases. Any help is appreciated.

FIFBAAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

MikeKaneCommented:
I don't see anything wrong with the code you have.  

Is site1's ASA reporting any dropped packets in the Syslog?  

0
lrmooreCommented:
>access-list outside_in extended permit udp any any eq 2055
ASA likes the keyword "interface" best...

access-list outside_in extended permit udp any interface outside eq 2055

Else I would highly suggest just going through the vpn  tunnel and telling the vendor to deal with it.

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jakemichaelwilsonCommented:
Scrutinizer is free and it support NetFlow from the Cisco ASA Firewall:
http://www.plixer.com/products/netflow-sflow/free-netflow-scrutinizer.php

Here is how to configure it:
http://www.plixer.com/blog/netflow/netflow-security-event-logging-with-the-cisco-asa/ 

Mike
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.