This is a complex issue so I apologize if it sounds confusing. We initially tried to enable NetFlow on our ASA 5510 but realized that the ASA does not support NetFlow version 5. So we turned to our Cisco 2800 router.
Diagram:
Inside Interface ------ ASA ------- Outside Interface ------ Cisco Router
192.168.200.1 ------- ASA -------- 10.100.12.5 ------- 10.100.12.1
Note: these IPs are fake
Issue: Basically, since the ASA does not provide NetFlow version 5, we decided to use the Cisco 2800 series router to provide the NetFlow data we need. The issue is that the router is on the outside interface of our firewall. So I made an access rule to allow NetFlow data from the router to the outside interface of the ASA.
Source IP - 10.100.12.1, Destination IP - 10.100.12.5 on port 2055
The inside network already has access to the outside interface
- I try to set up a new device on the Real Netflow Analyzer for IP 10.100.12.5 (ASA outside interface), but the connection fails.
- I try to set up a new device on the Real Netflow Analyzer for IP 192.168.200.1 (ASA inside interface) and the connection works, but when I try to start a flow capture it gives me an error: "Netflow is not detected on the selected interface". I picked the outside interface.
- I try to set up a new device on the Real Netflow Analyzer for IP 10.100.12.1 (Cisco router), but my ISP will not give me the SNMP community string to access the router. They said I should be able to access the NetFlow data from my outside interface (this is where they routed the data).
Question: Am I going about this the right way? I have a feeling that the only way it will work is if our ISP gives up the community string and allows us to collect the netflow data directly from the router. Could it be that the outside interface should work and we have an incorrect setting?
Things I know: our ISP confirmed that the NetFlow data is being exported. I am also able to ping the ISP router from the server that is collecting the data.
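One way to check the collector-side symptom described above (the ISP says NetFlow v5 is being exported to UDP 2055, yet the analyzer detects nothing) is to bind the collector port on the server yourself and parse whatever arrives as a NetFlow v5 datagram. This is an added example, not code from the original post or the analyzer product; the listener port, the parser functions and the constructed sample flow are assumptions for illustration.

```python
import ipaddress
import socket
import struct

# NetFlow v5 wire layout (big-endian): 24-byte header followed by 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")

def parse_netflow_v5(packet):
    """Parse one NetFlow v5 export datagram; raise ValueError if it is not v5."""
    if len(packet) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, seq,
     engine_type, engine_id, sampling) = HEADER.unpack_from(packet, 0)
    if version != 5:
        raise ValueError("not NetFlow v5 (version field = %d)" % version)
    if len(packet) < HEADER.size + count * RECORD.size:
        raise ValueError("record count exceeds datagram length")
    flows = []
    for i in range(count):
        r = RECORD.unpack_from(packet, HEADER.size + i * RECORD.size)
        flows.append({"src": str(ipaddress.IPv4Address(r[0])),
                      "dst": str(ipaddress.IPv4Address(r[1])),
                      "packets": r[5], "octets": r[6],
                      "sport": r[9], "dport": r[10], "proto": r[13]})
    return {"version": version, "count": count, "sequence": seq, "flows": flows}

def build_sample_v5(flows):
    """Build a constructed v5 datagram (test input only, not a real router export)."""
    hdr = HEADER.pack(5, len(flows), 1000, 1700000000, 0, 1, 0, 0, 0)
    body = b"".join(
        RECORD.pack(int(ipaddress.IPv4Address(s)), int(ipaddress.IPv4Address(d)),
                    0, 1, 2, pk, oc, 0, 1000, sp, dp, 0, 0x18, pr, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, pr, pk, oc in flows)
    return hdr + body

def listen_once(port=2055, timeout=10.0):
    """Bind the collector port and parse the first datagram that arrives, if any."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        sock.settimeout(timeout)
        try:
            data, (exporter, _) = sock.recvfrom(65535)
        except socket.timeout:
            return None  # nothing reached this host on the port: look upstream (ACL/NAT)
    result = parse_netflow_v5(data)
    result["exporter"] = exporter  # source IP the ASA presented to the collector
    return result

if __name__ == "__main__":
    sample = build_sample_v5([("192.168.200.50", "10.100.12.1", 53022, 443, 6, 12, 3480)])
    print(parse_netflow_v5(sample))
```

If `listen_once()` returns `None` while the analyzer is stopped, the datagrams are not reaching the collector host at all, which separates a firewall path problem from an analyzer configuration problem.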