05-18-2013 11:13 AM - edited 03-11-2019 06:45 PM
Hello
How can I enable NetFlow for each VLAN or interface individually in Cisco ASA? Currently I have set up NetFlow and only 2 interfaces are showing traffic for NetFlow, which are not even my physical or VLAN interfaces. (see screenshot)
EscapeASA# sh interface ip brief
Interface         IP-Address     OK? Method Status Protocol
Internal-Data0/0  unassigned     YES unset  up     up
Internal-Data0/1  unassigned     YES unset  up     up
Vlan1             192.168.1.1    YES CONFIG up     up
Vlan2             92.61.193.131  YES DHCP   up     up
Vlan5             unassigned     YES unset  down   down
Virtual0          127.0.0.1      YES unset  up     up
Ethernet0/0       unassigned     YES unset  up     up
Ethernet0/1       unassigned     YES unset  down   down
Ethernet0/2       unassigned     YES unset  down   down
Ethernet0/3       unassigned     YES unset  down   down
Ethernet0/4       unassigned     YES unset  down   down
Ethernet0/5       unassigned     YES unset  down   down
Ethernet0/6       unassigned     YES unset  down   down
Ethernet0/7       unassigned     YES unset  up     up
~~~~~~~~~~~~~~~~~~~~~~ MIB WALK ~~~~~~~~~~~~~~~~~~~~
.1.3.6.1.2.1.2.2.1.2.1 = String: "Adaptive Security Appliance 'Null0' interface"
.1.3.6.1.2.1.2.2.1.2.2 = String: "Adaptive Security Appliance '0' interface"
.1.3.6.1.2.1.2.2.1.2.3 = String: "Adaptive Security Appliance 'Internal-Data0/0' interface"
.1.3.6.1.2.1.2.2.1.2.4 = String: "Adaptive Security Appliance 'Ethernet0/0' interface"
.1.3.6.1.2.1.2.2.1.2.5 = String: "Adaptive Security Appliance 'Ethernet0/1' interface"
.1.3.6.1.2.1.2.2.1.2.6 = String: "Adaptive Security Appliance 'Ethernet0/2' interface"
.1.3.6.1.2.1.2.2.1.2.7 = String: "Adaptive Security Appliance 'Ethernet0/3' interface"
.1.3.6.1.2.1.2.2.1.2.8 = String: "Adaptive Security Appliance 'Ethernet0/4' interface"
.1.3.6.1.2.1.2.2.1.2.9 = String: "Adaptive Security Appliance 'Ethernet0/5' interface"
.1.3.6.1.2.1.2.2.1.2.10 = String: "Adaptive Security Appliance 'Ethernet0/6' interface"
.1.3.6.1.2.1.2.2.1.2.11 = String: "Adaptive Security Appliance 'Ethernet0/7' interface"
.1.3.6.1.2.1.2.2.1.2.12 = String: "Adaptive Security Appliance 'Internal-Data0/1' interface"
.1.3.6.1.2.1.2.2.1.2.13 = String: "Adaptive Security Appliance '_internal_loopback' interface"
.1.3.6.1.2.1.2.2.1.2.14 = String: "Adaptive Security Appliance 'Virtual254' interface"
.1.3.6.1.2.1.2.2.1.2.15 = String: "Adaptive Security Appliance 'inside' interface"
.1.3.6.1.2.1.2.2.1.2.16 = String: "Adaptive Security Appliance 'outside' interface"
.1.3.6.1.2.1.2.2.1.2.17 = String: "Adaptive Security Appliance 'Vlan5' interface"
Kind Regards
05-21-2013 04:43 PM
We need way more information on this:
NetFlow setup
IP addresses of the servers
etc.
05-21-2013 07:45 PM
Thank you for replying to the post. Here are the details below.
EscapeASA# sh run
: Saved
:
ASA Version 8.2(1)
!
hostname EscapeASA
enable password /yB/dTCJeUBCqR7U encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan5
no nameif
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
boot system disk0:/Asa821-k8.bin
ftp mode passive
object-group service RDP tcp
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service CCTV tcp-udp
port-object eq 9000
object-group service 8080Web tcp-udp
port-object eq 8080
access-list inside_access_in extended permit ip any any
access-list inside_access_in_1 extended permit icmp any any
access-list inside_access_in_1 extended permit ip any any
access-list outside_access_in extended permit icmp any any log disable
access-list outside_access_in extended permit tcp any interface outside object-group RDP
pager lines 24
logging enable
logging timestamp
logging list Usman level debugging
logging monitor emergencies
logging buffered emergencies
logging trap informational
logging history emergencies
logging asdm informational
logging host inside 192.168.1.202
logging host inside 192.168.1.222
logging debug-trace
logging flash-bufferwrap
logging class auth buffered emergencies history emergencies monitor emergencies asdm emergencies
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 101001
no logging message 100000
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination inside 192.168.1.80 2055
flow-export destination inside 192.168.1.222 2055
flow-export template timeout-rate 1
flow-export delay flow-create 15
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside control-plane
access-group inside_access_in_1 in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps entity config-change
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=EscapeASA
crl configure
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.132 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
class-map global-class
description Netflow_Export_Class
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
description Netflow_Export_Policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect esmtp
inspect xdmcp
inspect netbios
inspect tftp
inspect http
class global-class
flow-export event-type all destination 192.168.1.222
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:6ae2b7c02f4ba651faf19e959c309a0b
05-21-2013 07:52 PM
You can follow this document, but create a policy-map for an interface instead of modifying policy-map global_policy, which applies to all interfaces...
https://supportforums.cisco.com/docs/DOC-6114
Here's the 8.4 CLI configuration guide:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/monitor_nsel.html
05-21-2013 08:43 PM
Thank you. I followed the document and set up a new policy; still the same issue.
I checked with Wireshark traces. Thank you again for your support. Is there anything that needs to be included? Please let me know.
https://supportforums.cisco.com/docs/DOC-6114
Here is what my config now looks like, matching the post above:
access-list global_mpc extended permit ip any any
!
flow-export destination inside 192.168.1.80 2055
flow-export destination inside 192.168.1.222 2055
!
!
class-map global-class
match access-list global_mpc
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
description Netflow_Export_Policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect esmtp
inspect xdmcp
inspect netbios
inspect tftp
inspect http
class global-class
flow-export event-type all destination 192.168.1.80 192.168.1.222
!
service-policy global_policy global
prompt hostname context
05-21-2013 09:07 PM
Can you post the output of show flow-export counters
and show logging flow-export-syslogs?
05-21-2013 09:19 PM
EscapeASA# sh flow-export counter
destination: inside 192.168.1.80 2055
  Statistics:
    packets sent                  630
  Errors:
    block allocation failure      0
    invalid interface             0
    template send failure         0
destination: inside 192.168.1.222 2055
  Statistics:
    packets sent                  630
  Errors:
    block allocation failure      0
    invalid interface             0
    template send failure         0
EscapeASA# show logging flow
EscapeASA# show logging flow-export-syslogs
Syslog ID  Type                 Status
302013     Flow Created         Disabled
302015     Flow Created         Disabled
302017     Flow Created         Disabled
302020     Flow Created         Disabled
302014     Flow Deleted         Disabled
302016     Flow Deleted         Disabled
302018     Flow Deleted         Disabled
302021     Flow Deleted         Disabled
106015     Flow Denied          Disabled
106023     Flow Denied          Disabled
313001     Flow Denied          Disabled
313008     Flow Denied          Disabled
710003     Flow Denied          Disabled
106100     Flow Created/Denied  Disabled
05-22-2013 10:01 AM
Hello Gold,
Remember that there are only 3 events that will generate a record:
flow-create
flow-denied
flow-teardown
Can you add the following command:
flow-export template timeout-rate 1
Regards
05-22-2013 01:27 PM
I have added the below command.
EscapeASA# sh run | include template
flow-export template timeout-rate 1
EscapeASA#
However, I don't see any progress; I am not able to see flows from all the interfaces and VLANs.
Only the following are generating, as per my first post, even after making the changes.
https://supportforums.cisco.com/servlet/JiveServlet/download/3941110-15360396/ASA%20NTA.PNG
Again, thank you for your support. Are any further changes needed?
05-22-2013 02:32 PM
Hello Gold,
Okay, let's start from the bottom. I will focus on the explanation this time.
"How can I enable NetFlow for each VLAN or interface individually in Cisco ASA?"
You enable this on the ASA via the MPF setup, so if you want to see record events for the inside traffic only, match only traffic that starts on that interface (this with an ACL).
"Currently I have set up NetFlow and only 2 interfaces are showing traffic for NetFlow, which are not even my physical or VLAN interfaces."
Well, you have only 2 interfaces up and running (SVIs 2 and 1; physical ports 1 and 7), so I would say that is accurate.
Now, what does seem weird is the interface name you are seeing on the NetFlow collector; I mean, what is interface Null0? That just does not sound accurate...
What NetFlow collector software are you using?
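Following the earlier suggestion to use a per-interface policy-map rather than global_policy, and the MPF explanation in this last reply, here is an added example configuration (not posted by anyone in the thread) of a service policy that exports NSEL records only for connections entering the inside interface. The ACL, class-map and policy-map names are assumptions; the collector 192.168.1.80, port 2055 and the 192.168.1.0/24 inside network are taken from the posted config.

```cisco
! Added example, not from the thread. Assumed names: inside_nsel,
! inside_nsel_class, inside_policy. Collector and addressing from the posted config.
!
! Match only connections initiated from the inside network. NSEL produces one
! record per connection event (create, teardown, denied), not one per packet,
! so this ACL is evaluated against the first packet of each connection.
access-list inside_nsel extended permit ip 192.168.1.0 255.255.255.0 any
!
! Export target and template refresh, as already present in the posted config.
flow-export destination inside 192.168.1.80 2055
flow-export template timeout-rate 1
!
class-map inside_nsel_class
 match access-list inside_nsel
!
policy-map inside_policy
 class inside_nsel_class
  flow-export event-type all destination 192.168.1.80
!
! Apply to the inside interface only. An interface policy takes precedence
! over global_policy for the same feature (flow-export) on that interface;
! inspection configured in global_policy still applies. If global_policy also
! keeps a flow-export class, connections entering other interfaces (outside)
! will still be exported by it, so remove that class if inside-only is wanted.
service-policy inside_policy interface inside
!
! Verification: the per-destination counters should increase as connections
! are built and torn down through the inside interface.
show service-policy interface inside
show flow-export counters
```

Two caveats a practitioner should expect: the ASA allows a single service policy per interface, so any existing interface policy on inside must be merged into inside_policy rather than added alongside it; and NSEL records identify interfaces by SNMP ifIndex, so the names the collector displays come from what it resolved from the ASA's interface table (the MIB walk in the first post), not from the nameif values directly.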