10-16-2012 06:26 AM - edited 03-11-2019 05:09 PM
Hi,
Running ASA 8.2.(5) with ASDM 6.4(5).
When I try to enable netflow on my <default inspection traffic> policy which is global I get a message saying "only inspect rule actions can be specified for the default inspection traffic". As Netflow can only be applied as a global service policy, I have to use netflow on a global policy, but how do I use my traffic inspection policy then?
Create multiple service policies I apply to each interface or?
According to https://supportforums.cisco.com/docs/DOC-6114 it looks as if I can have both at the same time or in the same Global policy?
Regards
Robert
10-16-2012 06:29 AM
Just configure a new class-map, with ACL permit ip any any, and apply that class map to the global policy-map.
10-16-2012 06:46 AM
Hmm, it seems I can't create a new class-map with ASDM? I have no option to do that.
Looking at:
https://supportforums.cisco.com/docs/DOC-6113
It says:
Most users will have a global inspection policy so we can just leverage that. It should be noted that we can't use class-default here because we won't generate NetFlow data for anything that is subject to inspection.
Is that not what my original message basically is saying from ASDM?
Robert
10-16-2012 07:00 AM
Yes, you can't edit the existing "inspection_default" class within the policy map.
You can add a new "class-map" within the global policy map for the Netflow configuration.
On ASDM, when you are on the "Configuration > Firewall > Service Policy Rules" page, click on Add --> Insert --> choose Global, then click Next --> then click on "Source and Destination IP Address (uses ACL)" then click Next --> Source and Destination both "Any", click Next --> Go to Netflow tab and configure it accordingly.
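The CLI equivalent of the ASDM steps above, as an added example that is not part of the original thread. The ACL and class-map names, the collector address 192.0.2.10, UDP port 2055 and the `inside` interface are assumptions; `global_policy` is the ASA default global policy-map name.

```text
! Added example: placeholder names and addresses, not taken from the thread.
! Collector 192.0.2.10 on UDP 2055, reachable via "inside" (all assumed).
flow-export destination inside 192.0.2.10 2055
!
! New class matching all IP traffic, kept separate from inspection_default.
access-list NETFLOW-ACL extended permit ip any any
class-map NETFLOW-CLASS
 match access-list NETFLOW-ACL
!
! Add the class to the existing global policy; inspection_default is untouched.
policy-map global_policy
 class NETFLOW-CLASS
  flow-export event-type all destination 192.0.2.10
!
! Normally already present on a default configuration; shown for completeness.
service-policy global_policy global
```

`show service-policy` and `show flow-export counters` confirm that the new class is attached to the global policy and that records are being exported.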
10-16-2012 07:18 AM
Super, that was it.
Did not see the option to Insert!!!!
Robert