Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4865
Views
0
Helpful
5
Replies

Cisco ASA: exporting netflow over IPsec vpn

psmidcnss
Level 1
Level 1

‎11-29-2012 11:23 PM - edited ‎03-11-2019 05:30 PM

Good morning,

we have a Cisco ASA 5510 8.4, this device is reachable through a lan to lan IPsec vpn.

We are able to activate the netflow export (we see flow export counters incrementing), but the flow is not passing through the vpn. Our netflow collector is on the other side of the IPsec tunnel so we define it linked to the internet interface.

My questions are:

- Is the export possible through the vpn? I read in a Solarwinds forum that it should not be possible.

- What ip address is choosen as source interface by ASA? Is there a way to force a source interface?

Best regards

Marco Canova

Labels:
0 Helpful
5 Replies 5

Jack Leung
Level 1
Level 1

‎11-30-2012 09:54 AM

The problem with ipsec is that it encrypts traffic and netflow can not be encrypted (later "fixed" by Cisco by implementing flexible netflow for IOS).  I don't recall if this was fully implemented for ASA however.  What I've done is pipe syslogs instead into my netflow analyzer and use that (much more data and info).

The source interface is going to be whatever interface is facing the netflow collector (you define this when you set up the server).

flow-export destination inside IPAddress Port

0 Helpful

JORGE RODRIGUEZ
Level 10
Level 10
In response to Jack Leung

‎11-30-2012 10:11 AM

In addition to Jack ! 

Netflow traffic can be exported through VPN tunnels in ASA at least  seen in version 8.2.5 / or 8.4.4 as I have seen it . You need to make sure your Netflow collector IP address is part if your interesting traffic of your IPsec tunnel policy.  And as Jack indicated  your flow-export statement should indicate your trusted interface " inside - nameif  " follow by the actual IP address of your netflow collector and port number .

Regards

Jorge Rodriguez
0 Helpful

psmidcnss
Level 1
Level 1
In response to JORGE RODRIGUEZ

‎12-05-2012 11:19 PM

Thank you both Jorge and Jack for youyr feedback.

Jorge: our netflow collector is included in the encryption domain and we started to declare it as inside (even if it's not true), but we got no packets on the other side of the tunnel.

Jack: I don't understand what you did. Did you write netflow informations into the syslog and then you exported the syslog to the netflow collector?

At the moment we used the threat-detection feature in order to see rough informations.

Thank you

mc

0 Helpful

rustamovea
Level 1
Level 1
In response to psmidcnss

‎12-06-2012 02:52 AM

We had the same issue on the ASA 8.3(2). We use ManageEngine Netflow Analyzer 9.6 to collect the netflow traffic.

When I raised  a ticket with ManageEngine they told me that netflow doesn't work via the IPsec VPN.

0 Helpful

psmidcnss
Level 1
Level 1
In response to rustamovea

‎12-06-2012 07:42 AM

I fear you're right ...

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card