https://community.cisco.com/t5/network-security/flow-export-from-asa5505-software-is-8-4-to-netflow-collector/m-p/2162453#M359616 <HTML><HEAD></HEAD><BODY><P>Thanks!</P><P>This is work OK.</P><P>------------------------------------------------------ <BR />Helping seriously ill children, all together. All information about this, is posted on my blog</P></BODY></HTML> Sun, 24 Mar 2013 07:16:31 GMT Oleg Volkov 2013-03-24T07:16:31Z https://community.cisco.com/t5/network-security/flow-export-from-asa5505-software-is-8-4-to-netflow-collector/m-p/2162451#M359613 <P><SPAN style="font-size: 10pt;">Hello</SPAN></P><P>I have three ASA5505, two firewalls connected to central VPN hub.</P><P></P><P>the central inside network is <STRONG>192.168.0.0/24</STRONG></P><P></P><P>Network A is <STRONG>192.168.1.0/24</STRONG></P><P></P><P>Network B is <STRONG>192.168.2.0/24</STRONG></P><P></P><P>In one of this site (central), I have server with NetFlow collector.</P><P>I will collect the traffic information from all ASA at the my one server.</P><P>Now, in all of those firewall I use access lists like this:</P><P></P><P>(site A ASA)</P><P><STRONG>access-list VPNACL extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0<BR /></STRONG></P><P><STRONG>access-list VPNACL extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0<SPAN style="font-size: 10pt;"> </SPAN></STRONG></P><P></P><P>(Central site ASA)</P><P><STRONG>access-list VPNACL_TO_A extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0<BR /></STRONG></P><P><STRONG>access-list VPNACL_TO_A extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0</STRONG></P><P></P><P>And VPN working normally.</P><P>But I try to use flow-export and has a problem.</P><P><STRONG>Can I configure source IP address (or source interface - inside) for NetFlow packet, originate from ASA? (for example from site A)</STRONG></P><P></P><P>If it is not possible I think, I can rewrite my access lists and permit udp traffic from outside interface to server IP like this:</P><P></P><P><STRONG>access-list VPNACL permit udp host &lt;Outside IP site A&gt; host &lt;Inside IP the Server&gt; eq 9996</STRONG></P><P></P><P>But I do not understand, what port I must be use in access list on Central site ASA.<SPAN style="font-size: 10pt;"> </SPAN></P><P></P><P><STRONG>access-list VPNACL_A permit udp host &lt;Inside IP the Server&gt; host &lt;Outside IP site A&gt;&nbsp; eq 9996</STRONG> ? or, in this place, must be source port in the udp netflow packet?</P><P>Can I not specify port in thish ACL?</P><P></P><P>Thanks!</P><P></P><P></P><P></P><P>------------------------------------------------------ <BR />Helping seriously ill children, all together. All information about this, is posted on my blog&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P> Tue, 12 Mar 2019 01:18:30 GMT https://community.cisco.com/t5/network-security/flow-export-from-asa5505-software-is-8-4-to-netflow-collector/m-p/2162451#M359613 Oleg Volkov 2019-03-12T01:18:30Z https://community.cisco.com/t5/network-security/flow-export-from-asa5505-software-is-8-4-to-netflow-collector/m-p/2162452#M359615 <HTML><HEAD></HEAD><BODY><P>Yes, you can source it from the inside interface using the flow-export command:</P><P></P><P><STRONG>flow-export destination inside <NETFLOW-COLLECTOR-IP></NETFLOW-COLLECTOR-IP></STRONG></P><P></P><P>Hope that helps.</P></BODY></HTML> Sat, 23 Mar 2013 22:04:08 GMT https://community.cisco.com/t5/network-security/flow-export-from-asa5505-software-is-8-4-to-netflow-collector/m-p/2162452#M359615 Jennifer Halim 2013-03-23T22:04:08Z https://community.cisco.com/t5/network-security/flow-export-from-asa5505-software-is-8-4-to-netflow-collector/m-p/2162453#M359616 <HTML><HEAD></HEAD><BODY><P>Thanks!</P><P>This is work OK.</P><P>------------------------------------------------------ <BR />Helping seriously ill children, all together. All information about this, is posted on my blog</P></BODY></HTML> Sun, 24 Mar 2013 07:16:31 GMT https://community.cisco.com/t5/network-security/flow-export-from-asa5505-software-is-8-4-to-netflow-collector/m-p/2162453#M359616 Oleg Volkov 2013-03-24T07:16:31Z