
Configure Cisco ASA devices for use with Orion NTA

Created by Michael Almadova, last modified by Erin Stenzel on Jun 29, 2016

Overview

ASA NetFlow export is dependent on the version of ASA software running. ASA version 8.2 software supports NetFlow export across all ASA models, but some models may function on a lower software level. The following fields must be included in the ASA configuration to export flow data to the Orion NetFlow Traffic Analyzer module.
Notes:

  • This sample configuration has been verified on an ASA 5505 running ASA software version 8.2(1)12.
  • Configured firewall rules should be tested when ASA configuration changes are made.
  • Some ASA systems do not export without the flow-export enable command.
  • There is a bug in ASA versions prior to 8.2.1.12 that causes flow information to be reported from incorrect interfaces.
  • In all ASA exporters, flow information is exported without regard to flow direction. As a result, duplicate flows appear to come from both endpoints of a conversation, and it can be difficult to determine which endpoint is receiving and which endpoint is transmitting in a selected conversation.

For more information about ASA NetFlow, click the link below: 

Understanding Cisco ASA Netflow 

Environment

NTA version 3.5 SP2 to 4.1.1

Steps

The following commands must be included in your global service policy for ASA NetFlow export to function:

  1. (config)# flow-export destination <interface name> <Orion server IP address> 2055
    Note: Replace <interface name> with the interface name that will be used to send exports to Orion NTA. This interface must be on the same side of the ASA as the Orion server.
  2. (config)# flow-export template timeout-rate <#_minutes>
    This command sets the interval, in minutes, at which template information is sent to your NTA server. The default is 1 minute, which will probably work in most cases.
  3. (config)# flow-export delay flow-create <#_seconds>
    This command sets the flow-create delay to allow short-lived, identical flows to be exported as a single flow if they occur during the specified delay period. Setting this delay to 60 seconds should work for most environments.
  4. (config)# logging flow-export-syslogs disable
    This setting is optional, but it is recommended, as it eliminates the impact of flow-exported syslogs that may cause performance issues. This setting is not supported by all ASA software versions.
  5. (config)# access-list netflow-export extended permit ip any any 
    This command defines an access list called netflow-export to specify the traffic of interest. The provided syntax includes all traffic.
  6. (config)# class-map netflow-export-class
    This command enters class map configuration mode and defines a class called netflow-export-class.
  7. (config-cmap)# match access-list netflow-export
    This command maps the netflow-export access list to the defined netflow-export-class class.
  8. (config)# policy-map <existing global policy name>
    This command enters policy map configuration mode for an existing policy-map. For example, policy-map global-policy.
  9. (config-pmap)# class netflow-export-class
    This command maps the netflow-export-class class to the defined netflow-policy policy.
  10. (config-pmap-c)# flow-export event-type all destination <Orion server IP address>
    This command defines both the NSEL event types (all) to be exported and the export target (your Orion NTA server).
  11. (config)# flow-export enable
    This command applies to ASA version 8.1 only and was deprecated in 8.2.
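As an added check that is not part of this article or of any Cisco or SolarWinds tool, the following Python script audits the text of an ASA running-config for the pieces listed in the steps above: a flow-export destination on port 2055, the access-list to class-map to policy-map chain ending in flow-export event-type, software older than 8.2(1)12 (the interface-attribution bug), and a flow-export enable left in place on 8.2 or later. The config excerpt, the interface name inside, the policy name global_policy and the collector address 10.0.0.5 are constructed sample values.

```python
import re
# Constructed ASA running-config excerpt used as sample input (not from a real device).
SAMPLE_CONFIG = """\
ASA Version 8.2(1)12
access-list netflow-export extended permit ip any any
flow-export destination inside 10.0.0.5 2055
class-map netflow-export-class
 match access-list netflow-export
policy-map global_policy
 class netflow-export-class
  flow-export event-type all destination 10.0.0.5
"""

def audit_nsel_config(config):
    """Check an ASA config for the NSEL export pieces NTA needs; return a list of findings."""
    findings = []
    # 'ASA Version 8.2(1)12' -> (8, 2, 1, 12); the interface-attribution bug predates 8.2(1)12.
    m = re.search(r"ASA Version (\d+)\.(\d+)(?:\((\d+)\)(\d+)?)?", config)
    version = tuple(int(g or 0) for g in m.groups()) if m else None
    if version and version < (8, 2, 1, 12):
        findings.append("software older than 8.2(1)12: flows may be reported from the wrong interface")
    dest = re.search(r"^flow-export destination (\S+) (\S+) (\d+)$", config, re.M)
    if not dest:
        findings.append("missing: flow-export destination <interface> <collector> 2055")
    elif dest.group(3) != "2055":
        findings.append(f"collector port is {dest.group(3)}, NTA listens on 2055")
    # Tie access-list -> class-map -> policy-map class -> flow-export event-type together.
    acls = set(re.findall(r"^access-list (\S+) extended permit ", config, re.M))
    class_acl, exporting, cur_class, cur_pmap = {}, set(), None, None
    for line in config.splitlines():
        if line.startswith("class-map "):
            cur_class, cur_pmap = line.split()[1], None
        elif line.startswith(" match access-list ") and cur_class:
            class_acl[cur_class] = line.split()[-1]
        elif line.startswith("policy-map "):
            cur_pmap, cur_class = line.split()[1], None
        elif line.startswith(" class ") and cur_pmap:
            cur_class = line.split()[1]
        elif line.startswith("  flow-export event-type") and cur_pmap and cur_class:
            exporting.add(cur_class)
    if not exporting:
        findings.append("no policy-map class carries 'flow-export event-type ... destination'")
    for cls in sorted(exporting):
        if class_acl.get(cls) not in acls:
            findings.append(f"class-map {cls} does not match a defined access-list")
    if version and version[:2] >= (8, 2) and re.search(r"^flow-export enable$", config, re.M):
        findings.append("'flow-export enable' applies to 8.1 only and is deprecated from 8.2")
    return findings
```

Run it against the output of show running-config saved to a file (for example `audit_nsel_config(open("asa.cfg").read())`); an empty list means all of the elements above are present.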
