ASA 8.2(5) enable Netflow

robert
Level 1

Hi,

Running ASA 8.2.(5) with ASDM 6.4(5).

When I try to enable netflow on my <default inspection traffic> policy which is global I get a message saying "only inspect rule actions can be specified for the default inspection traffic".  As Netflow can only be applied as a global service policy, I have to use netflow on a global policy, but how do I use my traffic inspection policy then?

Create multiple service policies that I apply to each interface, or?

According to https://supportforums.cisco.com/docs/DOC-6114 it looks as if I can have both at the same time or in the same Global policy?

Regards

Robert

4 Replies

Jennifer Halim
Cisco Employee

Just configure a new class-map, with ACL permit ip any any, and apply that class map to the global policy-map.

Hmm, it seems I can't create a new class-map with ASDM? I have no option to do that.

Looking at:

https://supportforums.cisco.com/docs/DOC-6113

It says:

Most users will have a global inspection policy so we can just leverage  that. It should be noted that we can't use class-default here because we  won't generate NetFlow data for anything that is subject to inspection.

Is that not what my original message basically is saying from ASDM?

Robert

Yes, you can't edit the existing "inspection_default" class within the policy map.

You can add a new "class-map" within the global policy map for the Netflow configuration.

On ASDM, when you are on the "Configuration > Firewall > Service Policy Rules" page, click on Add --> Insert --> choose Global, then click Next --> then click on "Source and Destination IP Address (uses ACL)" then click Next --> Source and Destination both "Any", click Next --> Go to Netflow tab and configure it accordingly.
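
The CLI equivalent of the ASDM steps above, as an added example that is not part of the original thread. The collector address 192.0.2.10, UDP port 2055, the interface name inside and the netflow_export_* names are placeholders; global_policy and inspection_default are the ASA default names.

```cisco
! Added example: collector 192.0.2.10, UDP 2055, interface "inside" and the
! netflow_export_* names are placeholders, not values from the thread.

! Where the NetFlow (NSEL) records are sent
flow-export destination inside 192.0.2.10 2055

! Match all traffic in its own class, because the inspection_default
! class accepts inspect actions only
access-list netflow_export_acl extended permit ip any any
class-map netflow_export_class
 match access-list netflow_export_acl

! Add the new class to the existing global policy; the inspection_default
! class and its inspect rules stay as they are
policy-map global_policy
 class netflow_export_class
  flow-export event-type all destination 192.0.2.10

! Present on a default configuration; listed so the binding is explicit
service-policy global_policy global
```

After applying it, show service-policy should list both classes under the global policy, and show flow-export counters should show the packet count increasing as connections are created and torn down.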

Super that was it

Did not see the option to Insert !!!!

Robert
