https://community.cisco.com/t5/network-security/cisco-asa-exporting-netflow-over-ipsec-vpn/m-p/2127371#M394897 <HTML><HEAD></HEAD><BODY><P>Thank you both Jorge and Jack for youyr feedback.</P><P>Jorge: our netflow collector is included in the encryption domain and we started to declare it as inside (even if it's not true), but we got no packets on the other side of the tunnel.</P><P>Jack: I don't understand what you did. Did you write netflow informations into the syslog and then you exported the syslog to the netflow collector?</P><P></P><P>At the moment we used the threat-detection feature in order to see rough informations.</P><P></P><P>Thank you</P><P>mc</P></BODY></HTML> Thu, 06 Dec 2012 07:19:08 GMT psmidcnss 2012-12-06T07:19:08Z https://community.cisco.com/t5/network-security/cisco-asa-exporting-netflow-over-ipsec-vpn/m-p/2127368#M394893 <P>Good morning,</P><P>we have a Cisco ASA 5510 8.4, this device is reachable through a lan to lan IPsec vpn. </P><P>We are able to activate the netflow export (we see flow export counters incrementing), but the flow is not passing through the vpn. Our netflow collector is on the other side of the IPsec tunnel so we define it linked to the internet interface.</P><P></P><P>My questions are: </P><P></P><P>- Is the export possible through the vpn? I read in a Solarwinds forum that it should not be possible.</P><P>- What ip address is choosen as source interface by ASA? Is there a way to force a source interface?</P><P></P><P>Best regards</P><P>Marco Canova</P> Tue, 12 Mar 2019 00:30:31 GMT https://community.cisco.com/t5/network-security/cisco-asa-exporting-netflow-over-ipsec-vpn/m-p/2127368#M394893 psmidcnss 2019-03-12T00:30:31Z https://community.cisco.com/t5/network-security/cisco-asa-exporting-netflow-over-ipsec-vpn/m-p/2127369#M394895 <HTML><HEAD></HEAD><BODY><P>The problem with ipsec is that it encrypts traffic and netflow can not be encrypted (later "fixed" by Cisco by implementing flexible netflow for IOS).&nbsp; I don't recall if this was fully implemented for ASA however.&nbsp; What I've done is pipe syslogs instead into my netflow analyzer and use that (much more data and info).</P><P></P><P>The source interface is going to be whatever interface is facing the netflow collector (you define this when you set up the server).</P><P></P><P><STRONG style=": ; color: #4700b8; font-family: Arial, sans-serif; ">flow-export destination inside</STRONG><CODE><SPAN style="font-family: Arial, sans-serif;"> IPAddress Port</SPAN></CODE><SPAN style="font-family: Arial, sans-serif;"><BR /></SPAN></P></BODY></HTML> Fri, 30 Nov 2012 17:54:57 GMT https://community.cisco.com/t5/network-security/cisco-asa-exporting-netflow-over-ipsec-vpn/m-p/2127369#M394895 Jack Leung 2012-11-30T17:54:57Z https://community.cisco.com/t5/network-security/cisco-asa-exporting-netflow-over-ipsec-vpn/m-p/2127370#M394896 <HTML><HEAD></HEAD><BODY><P>In addition to Jack !&nbsp; </P><P></P><P>Netflow traffic can be exported through VPN tunnels in ASA at least&nbsp; seen in version 8.2.5 / or 8.4.4 as I have seen it . You need to make sure your Netflow collector IP address is part if your interesting traffic of your IPsec tunnel policy.&nbsp; And as Jack indicated&nbsp; your flow-export statement should indicate your trusted interface " inside - nameif&nbsp; " follow by the actual IP address of your netflow collector and port number .</P><P></P><P></P><P>Regards</P></BODY></HTML> Fri, 30 Nov 2012 18:11:13 GMT https://community.cisco.com/t5/network-security/cisco-asa-exporting-netflow-over-ipsec-vpn/m-p/2127370#M394896 JORGE RODRIGUEZ 2012-11-30T18:11:13Z https://community.cisco.com/t5/network-security/cisco-asa-exporting-netflow-over-ipsec-vpn/m-p/2127371#M394897 <HTML><HEAD></HEAD><BODY><P>Thank you both Jorge and Jack for youyr feedback.</P><P>Jorge: our netflow collector is included in the encryption domain and we started to declare it as inside (even if it's not true), but we got no packets on the other side of the tunnel.</P><P>Jack: I don't understand what you did. Did you write netflow informations into the syslog and then you exported the syslog to the netflow collector?</P><P></P><P>At the moment we used the threat-detection feature in order to see rough informations.</P><P></P><P>Thank you</P><P>mc</P></BODY></HTML> Thu, 06 Dec 2012 07:19:08 GMT https://community.cisco.com/t5/network-security/cisco-asa-exporting-netflow-over-ipsec-vpn/m-p/2127371#M394897 psmidcnss 2012-12-06T07:19:08Z https://community.cisco.com/t5/network-security/cisco-asa-exporting-netflow-over-ipsec-vpn/m-p/2127372#M394898 <HTML><HEAD></HEAD><BODY><P>We had the same issue on the ASA 8.3(2). We use ManageEngine Netflow Analyzer 9.6 to collect the netflow traffic.</P><P>When I raised&nbsp; a ticket with ManageEngine they told me that netflow doesn't work via the IPsec VPN.</P></BODY></HTML> Thu, 06 Dec 2012 10:52:31 GMT https://community.cisco.com/t5/network-security/cisco-asa-exporting-netflow-over-ipsec-vpn/m-p/2127372#M394898 rustamovea 2012-12-06T10:52:31Z https://community.cisco.com/t5/network-security/cisco-asa-exporting-netflow-over-ipsec-vpn/m-p/2127373#M394899 <HTML><HEAD></HEAD><BODY><P>I fear you're right ...</P></BODY></HTML> Thu, 06 Dec 2012 15:42:27 GMT https://community.cisco.com/t5/network-security/cisco-asa-exporting-netflow-over-ipsec-vpn/m-p/2127373#M394899 psmidcnss 2012-12-06T15:42:27Z