06-07-2013 01:55 AM - edited 02-21-2020 04:54 AM
Hi,
We are running Cisco Security Manager 4.4 Service Pack 1, and our ASAs are all running 9.0.2/9.1.1.
I've hit a problem with NetFlow export from my ASA firewalls when it is configured through CSM.
We configure the NetFlow export under Platform/Logging and enable flow export. Looking at "show flow-export counters" on the ASA, however, very few flows are exported, and no NetFlow shows up in our NetFlow analyzer.
Looking at the deployment this is what is deployed (for netflow):
! COMMENT: Bulk request written; reading response...
Line# 2. (SUCCESS) Sent (Fri Jun 07 08:50:05 CEST 2013): flow-export template timeout-rate 1
Received (Fri Jun 07 08:50:05 CEST 2013):
Line# 3. (SUCCESS) Sent (Fri Jun 07 08:50:05 CEST 2013): flow-export destination outside 146.2.217.125 19996
Received (Fri Jun 07 08:50:05 CEST 2013):
Line# 4. (SUCCESS) Sent (Fri Jun 07 08:50:05 CEST 2013): flow-export delay flow-create 60
As I understand it, I need to match which traffic to export to NetFlow, which is set up as a service policy rule. However, I cannot find any option to export to NetFlow under the service policy rules (only IPS, CXSC, Connection Settings, QoS, CSC, User Statistics and ScanSafe).
I configured a FlexConfig to append to the configuration, and this seems to export the data until the next time a policy is pushed. The configuration changes made by the FlexConfig are then removed from the ASA and NetFlow stops working.
My FlexConfig (append) looks like this:
access-list netflow-hosts extended permit ip any any
class-map NetFlow-traffic
 match access-list netflow-hosts
policy-map global_policy
 class NetFlow-traffic
  flow-export event-type all destination X.X.X.X
Has anybody found a way to get NetFlow export to work correctly when it is configured using CSM?
-Michel
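The failure mode described in the post is that the global flow-export commands survive a CSM deployment while the MPF part (access-list, class-map and the flow-export action in global_policy) gets stripped, leaving a destination with nothing feeding it. The following is an added example, not code from the post or from Cisco: a small Python checker that walks a saved `show running-config` and verifies the whole NSEL chain is present, so a post-deployment diff or a scheduled job can flag the ASA before the NetFlow collector goes quiet. The two sample configurations are constructed inline (one mirrors what CSM deployed, the other adds the FlexConfig lines); the 192.0.2.x addresses are RFC 5737 documentation addresses standing in for the real collector, and the parser assumes the ASA's usual one-space-per-level indentation in running-config output.

```python
# Checker for the ASA NetFlow Secure Event Logging (NSEL) configuration chain.
# Added example; not part of the original post. Addresses are constructed
# RFC 5737 documentation addresses, not the poster's collector.

# Constructed sample: what the CSM deployment log in the post shows being
# pushed (global timers and destination only, no service-policy action).
CSM_ONLY_CONFIG = """\
flow-export template timeout-rate 1
flow-export destination outside 192.0.2.10 19996
flow-export delay flow-create 60
policy-map global_policy
 class inspection_default
  inspect dns
service-policy global_policy global
"""

# Constructed sample: the same device after the FlexConfig append from the post.
FULL_CONFIG = CSM_ONLY_CONFIG + """\
access-list netflow-hosts extended permit ip any any
class-map NetFlow-traffic
 match access-list netflow-hosts
policy-map global_policy
 class NetFlow-traffic
  flow-export event-type all destination 192.0.2.10
"""


def parse_asa_config(text):
    """Extract the pieces NSEL depends on from ASA running-config text.

    Assumes ASA indentation: one space per nesting level. Re-entering an
    existing policy-map (as a FlexConfig append does) merges into it.
    """
    cfg = {"destinations": set(), "acls": set(), "class_maps": {},
           "policy_maps": {}, "applied": set()}
    block = cls = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        words = raw.split()
        if depth == 0:
            cls = None
            block = None
            if words[:2] == ["flow-export", "destination"]:
                # flow-export destination <interface> <ip> <udp-port>
                cfg["destinations"].add(words[3])
            elif words[0] == "access-list":
                cfg["acls"].add(words[1])
            elif words[0] == "class-map":
                block = ("class-map", words[-1])
                cfg["class_maps"].setdefault(words[-1], [])
            elif words[0] == "policy-map":
                block = ("policy-map", words[-1])
                cfg["policy_maps"].setdefault(words[-1], {})
            elif words[0] == "service-policy":
                cfg["applied"].add(words[1])
        elif block and block[0] == "class-map" and depth == 1:
            cfg["class_maps"][block[1]].append(words)
        elif block and block[0] == "policy-map":
            if depth == 1 and words[0] == "class":
                cls = words[1]
                cfg["policy_maps"][block[1]].setdefault(cls, [])
            elif depth == 2 and cls:
                cfg["policy_maps"][block[1]][cls].append(words)
    return cfg


def check_nsel(text):
    """Return a list of problems; an empty list means the NSEL chain is intact."""
    cfg = parse_asa_config(text)
    problems = []
    if not cfg["destinations"]:
        problems.append("no global 'flow-export destination' configured")
    # Collect every (policy-map, class, destination) that actually exports.
    actions = []
    for pm, classes in cfg["policy_maps"].items():
        for cls, acts in classes.items():
            for a in acts:
                if a[:2] == ["flow-export", "event-type"] and "destination" in a:
                    actions.append((pm, cls, a[a.index("destination") + 1]))
    if not actions:
        problems.append("no policy-map class carries a 'flow-export event-type' "
                        "action; no flows will be exported")
    for pm, cls, ip in actions:
        if ip not in cfg["destinations"]:
            problems.append(f"{pm}/{cls}: destination {ip} has no matching "
                            "global 'flow-export destination'")
        if pm not in cfg["applied"]:
            problems.append(f"policy-map {pm} is not applied with 'service-policy'")
        matches = cfg["class_maps"].get(cls)
        if matches is None:
            problems.append(f"{pm}/{cls}: class-map {cls} does not exist")
        else:
            for m in matches:
                if m[:2] == ["match", "access-list"] and m[2] not in cfg["acls"]:
                    problems.append(f"class-map {cls}: access-list {m[2]} does not exist")
    return problems


if __name__ == "__main__":
    for name, text in (("CSM only", CSM_ONLY_CONFIG), ("with FlexConfig", FULL_CONFIG)):
        print(name, "->", check_nsel(text) or "OK")
```

Run it against the output of `show running-config` captured right after a CSM deployment; the first sample reproduces the symptom in the post (destination present, nothing classified for export), while the second passes. The check is deliberately stricter than "is flow-export present", since the post shows that the global commands alone produce almost no exported flows.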