Hello

I have three ASA5505, two firewalls connected to central VPN hub.

the central inside network is 192.168.0.0/24

Network A is 192.168.1.0/24

Network B is 192.168.2.0/24

In one of this site (central), I have server with NetFlow collector.

I will collect the traffic information from all ASA at the my one server.

Now, in all of those firewall I use access lists like this:

(site A ASA)

access-list VPNACL extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list VPNACL extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

(Central site ASA)

access-list VPNACL_TO_A extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list VPNACL_TO_A extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

And VPN working normally.

But I try to use flow-export and has a problem.

Can I configure source IP address (or source interface - inside) for NetFlow packet, originate from ASA? (for example from site A)

If it is not possible I think, I can rewrite my access lists and permit udp traffic from outside interface to server IP like this:

access-list VPNACL permit udp host <Outside IP site A> host <Inside IP the Server> eq 9996

But I do not understand, what port I must be use in access list on Central site ASA.

access-list VPNACL_A permit udp host <Inside IP the Server> host <Outside IP site A>  eq 9996 ? or, in this place, must be source port in the udp netflow packet?

Can I not specify port in thish ACL?

Thanks!

------------------------------------------------------
Helping seriously ill children, all together. All information about this, is posted on my blog