how to configure netflow on ASA with CSM

r.spiandorello · ‎10-07-2010

Hi, how can I configure netflow parameters on ASA platforms with CSM ?

From CSM documetats it seems that CSM can manage netflow only for ASA 5580 and if i try to configure netflow in platform/logging I cannot deploy on ASA 5510.

May I use flexConfigs for the following commands:

flow-export destination inside x.y.z.w 1234

flow-export template timeout-rate 1

flow-export enable

thanks

rs

mirober2 · ‎10-07-2010

Hello,

You should be able to configure NetFlow via a FlexConfig, as long as your ASA software version supports it. Double check the configuration guide to see all of the commands you'll need to configure (you need to enable it in a service policy as well):

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_nsel.html

Hope that helps.

-Mike

Panos Kampanakis · ‎10-07-2010

CSM 4.0 will support ASA Netflow setup as described here http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.0/user/guide/pxlog.html

Here is also a guide we have written on exactly what commands will be needed http://supportforums.cisco.com/docs/DOC-6113 If you have CSM earlier than 4.0 you can just put the commands in the Flex Config in CSM as mirober said and then just delploy it to the device.

I hope it helps.

PK

r.spiandorello · ‎10-07-2010

Hi, in CSM 4.0 doc, it's still present the limit to the ASA 5580 platform.

thanks

rs

Panos Kampanakis · ‎10-07-2010

That is a mistake on the guide. I will make sure it gets fixed.

PK

r.spiandorello · ‎05-11-2012

Hi, I've found flow-export supported by CSM 4.2 sp1.

I've removed flex-Config and I've enabled flow-export, with the configuration of netflow server.

After the deploy I cannot found flow-export command in policy-map/class-default.

What else to configure ?

thanks

r.spiandorello · ‎05-14-2012

Hi, it seems CSM 4.2 sp1 still uses "flow-export enable" depraceted command in place of the "flow-export event-type all destination" command in policy-map/class class-default.

"flow-export enable" generates the command in policy-map/class class-default, but CSM removes the new command in the following deploy.

Any experience ?

rs

r.spiandorello · ‎05-14-2012

Following the transcript:

! COMMENT: BULK START

! COMMENT: Continue on error is chosen for this bulk

! COMMENT: Trying URL:

https://10.242.0.200/admin/config

! COMMENT: Bulk request written; reading response...

Line# 2. (SUCCESS) Sent (Mon May 14 07:39:10 CEST 2012): object-group network CASSE-FAST

Received (Mon May 14 07:39:10 CEST 2012):

Line# 3. (SUCCESS) Sent (Mon May 14 07:39:10 CEST 2012): network-object 10.242.3.12 255.255.255.255

Received (Mon May 14 07:39:10 CEST 2012):

Line# 4. (SUCCESS) Sent (Mon May 14 07:39:10 CEST 2012): flow-export enable

Received (Mon May 14 07:39:10 CEST 2012): INFO: 'flow-export enable' command is deprecated. Converting to flow-export actions under MPF.

Line# 5. (SUCCESS) Sent (Mon May 14 07:39:10 CEST 2012): policy-map global_policy

Received (Mon May 14 07:39:10 CEST 2012):

Line# 6. (SUCCESS) Sent (Mon May 14 07:39:10 CEST 2012): no class class-default

Received (Mon May 14 07:39:10 CEST 2012):

Line# 7. (SUCCESS) Sent (Mon May 14 07:39:10 CEST 2012): exit

Received (Mon May 14 07:39:10 CEST 2012):

! COMMENT: BULK END

! COMMENT: Trying URL:

https://10.242.0.200/admin/config

Line# 8. (SUCCESS) Sent (Mon May 14 07:39:10 CEST 2012):

https://10.242.0.200/admin/config

Received (Mon May 14 07:39:22 CEST 2012): : Written by nwcsm01 at 07:39:10.143 IT Mon May 14 2012

!

ASA Version 8.2(2)

! COMMENT: BULK START

! COMMENT: Continue on error is chosen for this bulk

! COMMENT: Trying URL: https://10.242.0.200/admin/config

! COMMENT: Bulk request written; reading response...

Line# 2. (SUCCESS) Sent (Mon May 14 07:39:10 CEST 2012): object-group network CASSE-FAST

Received (Mon May 14 07:39:10 CEST 2012):

Line# 3. (SUCCESS) Sent (Mon May 14 07:39:10 CEST 2012): network-object 10.242.3.12 255.255.255.255

Received (Mon May 14 07:39:10 CEST 2012):

Line# 4. (SUCCESS) Sent (Mon May 14 07:39:10 CEST 2012): flow-export enable

Received (Mon May 14 07:39:10 CEST 2012): INFO: 'flow-export enable' command is deprecated. Converting to flow-export actions under MPF.

Line# 5. (SUCCESS) Sent (Mon May 14 07:39:10 CEST 2012): policy-map global_policy

Received (Mon May 14 07:39:10 CEST 2012):

Line# 6. (SUCCESS) Sent (Mon May 14 07:39:10 CEST 2012): no class class-default

Received (Mon May 14 07:39:10 CEST 2012):

Line# 7. (SUCCESS) Sent (Mon May 14 07:39:10 CEST 2012): exit

Received (Mon May 14 07:39:10 CEST 2012):

! COMMENT: BULK END

! COMMENT: Trying URL:

https://10.242.0.200/admin/config

Line# 8. (SUCCESS) Sent (Mon May 14 07:39:10 CEST 2012): https://10.242.0.200/admin/config

Received (Mon May 14 07:39:22 CEST 2012): : Written by nwcsm01 at 07:39:10.143 IT Mon May 14 2012

!

ASA Version 8.2(2)

...

kerstin-534 · ‎05-23-2012

Yes please can Cisco get it working with CSM 4.2SP1 - this way to configure it now

is useless.

Can someone provide a FLEXCONFIG ?

thanks

Herbert