10-07-2010 07:44 AM - edited 02-21-2020 04:06 AM
Hi, how can I configure netflow parameters on ASA platforms with CSM?
From the CSM documents it seems that CSM can manage netflow only for ASA 5580, and if I try to configure netflow in platform/logging I cannot deploy on ASA 5510.
May I use flexConfigs for the following commands:
flow-export destination inside x.y.z.w 1234
flow-export template timeout-rate 1
flow-export enable
thanks
rs
10-07-2010 12:05 PM
Hello,
You should be able to configure NetFlow via a FlexConfig, as long as your ASA software version supports it. Double check the configuration guide to see all of the commands you'll need to configure (you need to enable it in a service policy as well):
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_nsel.html
Hope that helps.
-Mike
10-07-2010 12:38 PM
CSM 4.0 will support ASA Netflow setup as described here http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.0/user/guide/pxlog.html
Here is also a guide we have written on exactly what commands will be needed: http://supportforums.cisco.com/docs/DOC-6113. If you have CSM earlier than 4.0 you can just put the commands in the Flex Config in CSM as mirober said and then just deploy it to the device.
I hope it helps.
PK
10-07-2010 12:55 PM
Hi, in the CSM 4.0 doc, the limit to the ASA 5580 platform is still present.
thanks
rs
10-07-2010 01:36 PM
That is a mistake on the guide. I will make sure it gets fixed.
PK
05-11-2012 12:58 PM
Hi, I've found flow-export supported by CSM 4.2 sp1.
I've removed flex-Config and I've enabled flow-export, with the configuration of netflow server.
After the deploy I cannot find the flow-export command in policy-map/class-default.
What else to configure?
thanks
05-14-2012 01:43 AM
Hi, it seems CSM 4.2 sp1 still uses the deprecated "flow-export enable" command in place of the "flow-export event-type all destination" command in policy-map/class class-default.
"flow-export enable" generates the command in policy-map/class class-default, but CSM removes the new command in the following deploy.
Any experience?
rs
05-14-2012 03:20 AM
The transcript follows:
! COMMENT: BULK START
! COMMENT: Continue on error is chosen for this bulk
! COMMENT: Trying URL: https://10.242.0.200/admin/config
! COMMENT: Bulk request written; reading response...
Line# 2. (SUCCESS) Sent (Mon May 14 07:39:10 CEST 2012): object-group network CASSE-FAST
Received (Mon May 14 07:39:10 CEST 2012):
Line# 3. (SUCCESS) Sent (Mon May 14 07:39:10 CEST 2012): network-object 10.242.3.12 255.255.255.255
Received (Mon May 14 07:39:10 CEST 2012):
Line# 4. (SUCCESS) Sent (Mon May 14 07:39:10 CEST 2012): flow-export enable
Received (Mon May 14 07:39:10 CEST 2012): INFO: 'flow-export enable' command is deprecated. Converting to flow-export actions under MPF.
Line# 5. (SUCCESS) Sent (Mon May 14 07:39:10 CEST 2012): policy-map global_policy
Received (Mon May 14 07:39:10 CEST 2012):
Line# 6. (SUCCESS) Sent (Mon May 14 07:39:10 CEST 2012): no class class-default
Received (Mon May 14 07:39:10 CEST 2012):
Line# 7. (SUCCESS) Sent (Mon May 14 07:39:10 CEST 2012): exit
Received (Mon May 14 07:39:10 CEST 2012):
! COMMENT: BULK END
! COMMENT: Trying URL: https://10.242.0.200/admin/config
Line# 8. (SUCCESS) Sent (Mon May 14 07:39:10 CEST 2012): https://10.242.0.200/admin/config
Received (Mon May 14 07:39:22 CEST 2012): : Written by nwcsm01 at 07:39:10.143 IT Mon May 14 2012
!
ASA Version 8.2(2)
...
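An added example, not part of any post in this thread and not Cisco code: a small Python check that reads a CSM deployment transcript in the format posted above and flags the two events seen there that affect NSEL export, the device's deprecation notice and a `no class` sent inside a policy-map. The function name `audit_transcript` and the finding wording are assumptions; the sample lines are an excerpt of the transcript above.

```python
import re

# Excerpt of the deployment transcript posted above (lines 4-7 of the bulk).
TRANSCRIPT = """\
Line# 4. (SUCCESS) Sent (Mon May 14 07:39:10 CEST 2012): flow-export enable
Received (Mon May 14 07:39:10 CEST 2012): INFO: 'flow-export enable' command is deprecated. Converting to flow-export actions under MPF.
Line# 5. (SUCCESS) Sent (Mon May 14 07:39:10 CEST 2012): policy-map global_policy
Received (Mon May 14 07:39:10 CEST 2012):
Line# 6. (SUCCESS) Sent (Mon May 14 07:39:10 CEST 2012): no class class-default
Received (Mon May 14 07:39:10 CEST 2012):
Line# 7. (SUCCESS) Sent (Mon May 14 07:39:10 CEST 2012): exit
Received (Mon May 14 07:39:10 CEST 2012):
"""

SENT = re.compile(r"^Line# (\d+)\. \((\w+)\) Sent \([^)]*\): ?(.*)$")
RECV = re.compile(r"^Received \([^)]*\): ?(.*)$")

def audit_transcript(text):
    """Return (line_no, command, reason) findings that affect NSEL export."""
    findings, policy_map, in_class, last = [], None, False, None
    for raw in text.splitlines():
        m = SENT.match(raw)
        if m:
            num, cmd = int(m.group(1)), m.group(3).strip()
            last = (num, cmd)
            if cmd.startswith("policy-map "):
                policy_map, in_class = cmd.split()[1], False
            elif policy_map and cmd.startswith("class "):
                in_class = True
            elif cmd == "exit":  # leave class submode first, then the policy-map
                if in_class:
                    in_class = False
                else:
                    policy_map = None
            elif policy_map and cmd.startswith("no class "):
                # Removing a class drops every action under it, flow-export included.
                findings.append((num, cmd,
                    f"class removed from policy-map {policy_map}; "
                    "any flow-export action under it is removed too"))
            continue
        m = RECV.match(raw)
        if m and last and "deprecated" in m.group(1).lower():
            findings.append((last[0], last[1], "device reported a deprecated command"))
    return findings
```

Run against the excerpt, it reports line 4 (`flow-export enable`, deprecated) and line 6 (`no class class-default` inside `global_policy`).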
05-23-2012 05:45 AM
Yes please can Cisco get it working with CSM 4.2SP1 - this way to configure it now is useless.
Can someone provide a FLEXCONFIG?
thanks
Herbert