cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

3895
Views
0
Helpful
5
Replies
Highlighted
Beginner

Cisco ASA: exporting netflow over IPsec vpn

Good morning,

we have a Cisco ASA 5510 8.4, this device is reachable through a lan to lan IPsec vpn.

We are able to activate the netflow export (we see flow export counters incrementing), but the flow is not passing through the vpn. Our netflow collector is on the other side of the IPsec tunnel so we define it linked to the internet interface.

My questions are:

- Is the export possible through the vpn? I read in a Solarwinds forum that it should not be possible.

- What ip address is choosen as source interface by ASA? Is there a way to force a source interface?

Best regards

Marco Canova

5 REPLIES 5
Highlighted
Beginner

The problem with ipsec is that it encrypts traffic and netflow can not be encrypted (later "fixed" by Cisco by implementing flexible netflow for IOS).  I don't recall if this was fully implemented for ASA however.  What I've done is pipe syslogs instead into my netflow analyzer and use that (much more data and info).

The source interface is going to be whatever interface is facing the netflow collector (you define this when you set up the server).

flow-export destination inside IPAddress Port

Highlighted

In addition to Jack ! 

Netflow traffic can be exported through VPN tunnels in ASA at least  seen in version 8.2.5 / or 8.4.4 as I have seen it . You need to make sure your Netflow collector IP address is part if your interesting traffic of your IPsec tunnel policy.  And as Jack indicated  your flow-export statement should indicate your trusted interface " inside - nameif  " follow by the actual IP address of your netflow collector and port number .

Regards

Jorge Rodriguez
Highlighted

Thank you both Jorge and Jack for youyr feedback.

Jorge: our netflow collector is included in the encryption domain and we started to declare it as inside (even if it's not true), but we got no packets on the other side of the tunnel.

Jack: I don't understand what you did. Did you write netflow informations into the syslog and then you exported the syslog to the netflow collector?

At the moment we used the threat-detection feature in order to see rough informations.

Thank you

mc

Highlighted

We had the same issue on the ASA 8.3(2). We use ManageEngine Netflow Analyzer 9.6 to collect the netflow traffic.

When I raised  a ticket with ManageEngine they told me that netflow doesn't work via the IPsec VPN.

Highlighted

I fear you're right ...

Content for Community-Ad