10-16-2012 06:26 AM - edited 03-11-2019 05:09 PM
Hi,
Running ASA 8.2.(5) with ASDM 6.4(5).
When I try to enable netflow on my <default inspection traffic> policy which is global I get a message saying "only inspect rule actions can be specified for the default inspection traffic". As Netflow can only be applied as a global service policy, I have to use netflow on a global policy, but how do I use my traffic inspection policy then?
Create multiple service policies I apply to each interface or?
According to https://supportforums.cisco.com/docs/DOC-6114 it looks as if I can have both at the same time, or in the same global policy?
Regards
Robert
10-16-2012 06:29 AM
Just configure a new class-map, with ACL permit ip any any, and apply that class map to the global policy-map.
10-16-2012 06:46 AM
Hmm, it seems I can't create a new class-map with ASDM? I have no option to do that.
Looking at:
https://supportforums.cisco.com/docs/DOC-6113
It says:
Most users will have a global inspection policy so we can just leverage that. It should be noted that we can't use class-default here because we won't generate NetFlow data for anything that is subject to inspection.
Is that not what my original message basically is saying from ASDM?
Robert
10-16-2012 07:00 AM
Yes, you can't edit the existing "inspection_default" class within the policy map.
You can add a new "class-map" within the global policy map for the Netflow configuration.
On ASDM, when you are on the "Configuration > Firewall > Service Policy Rules" page, click on Add --> Insert --> choose Global, then click Next --> then click on "Source and Destination IP Address (uses ACL)" then click Next --> Source and Destination both "Any", click Next --> Go to Netflow tab and configure it accordingly.
10-16-2012 07:18 AM
Super, that was it.
Did not see the option to Insert!
Robert
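For reference, a CLI equivalent of the ASDM steps in the accepted answer, added here as an example and not taken from any post in this thread. The collector address 192.0.2.10, UDP port 2055, the interface name `inside`, and the ACL and class names are assumptions; `global_policy` is the ASA's default global policy-map name.

```text
! Added example, not from the thread. Collector address, port, interface
! name, ACL name and class-map name below are placeholders.

! Define the NetFlow collector reachable through the "inside" interface
flow-export destination inside 192.0.2.10 2055

! ACL matching all traffic (source and destination "any", as in the ASDM wizard)
access-list netflow-export-acl extended permit ip any any

! New class-map that uses the ACL; inspection_default is left untouched
class-map netflow-export-class
 match access-list netflow-export-acl

! Add the new class to the existing global policy-map alongside inspection_default
policy-map global_policy
 class netflow-export-class
  flow-export event-type all destination 192.0.2.10

! The default configuration already applies the policy globally with:
!   service-policy global_policy global
```

`show service-policy` and `show flow-export counters` can then be used to confirm that the new class is attached to the global policy and that export packets are being sent.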