1 Reply Latest reply on Nov 2, 2009 2:51 PM by Andy McBride

    Netflow configuration on Cisco ASA


      I need some help... I see alot of posts regarding Netflow Traffic Analysis working on Cisco ASA's but I'm struggling.  Like many of you I'm trying to find out (as close to realtime as possible) which of my users, servers, or applications is "chewing up my edge". 

      I originally had netflow configured on my core (Catalyst 6509) but thats slightly weird since its not that intuitive (monitoring vlans versus a port).  I'd get data in the report but it didn't look anything like the tutorials on the Solarwinds site. so i thought it'd be better if the reporting (the netflow data) was coming from the edge (i.e. my ASA 5520).  Sooo... Saturday I upgraded my firewalls to 8.2(1) and crossed my fingers.  My new problem is that it's even more non-specific.  What used to be identified as a server name is now only referenced by the external IP address on the firewall  (a server MMWFE1.mmllc.moneymailer.com is now rrcs-76-79-252-140.west.biz.rr.com)

      A call to Solarwinds support this morning led to a call to Cisco TAC to help configure netflow for the ASA.. FYI.. the link on the Solarwinds KB 1264 below is not definitive.. don't type it into your config verbatim.   The verbiage in italics is only an example... you want to add your "class map" to the correct "policy map" otherwise the device won't send any netflow data anywhere.

      The Cisco engineer pointed me to the article below but I explained that Solarwinds infact does support the ASA's in the newest release.  He promises to update the article.  He also helped me configure correctly (class-map and policy-map, etc) and now the ASA is sending data to Netflow Traffic Analysis.

      below is a pic of what the report looks like... if you can share pics of what yours looks like I'd appreciate it... thanks