Cisco ASA 5525-X Adaptive Security Appliance
Cisco ASA NetFlow Implementation Guide

Examples for NSEL (CLI)
Log all events between hosts 209.165.200.224 and 209.165.201.224 to 209.165.200.230, and log all other events to 209.165.201.29:

ciscoasa(config)# access-list flow_export_acl permit ip host 209.165.200.224 host 209.165.201.224
ciscoasa(config)# class-map flow_export_class
ciscoasa(config-cmap)# match access-list flow_export_acl
ciscoasa(config)# policy-map flow_export_policy
ciscoasa(config-pmap)# class flow_export_class
ciscoasa(config-pmap-c)# flow-export event-type all destination 209.165.200.230
ciscoasa(config-pmap)# class class-default
ciscoasa(config-pmap-c)# flow-export event-type all destination 209.165.201.29
ciscoasa(config)# service-policy flow_export_policy global
Log flow-create events to 209.165.200.230, flow-teardown events to 209.165.201.29, flow-denied events to 209.165.201.27, and flow-update events to 209.165.200.230:

ciscoasa(config)# policy-map flow_export_policy
ciscoasa(config-pmap)# class class-default
ciscoasa(config-pmap-c)# flow-export event-type flow-creation destination 209.165.200.230
ciscoasa(config-pmap-c)# flow-export event-type flow-teardown destination 209.165.201.29
ciscoasa(config-pmap-c)# flow-export event-type flow-denied destination 209.165.201.27
ciscoasa(config-pmap-c)# flow-export event-type flow-update destination 209.165.200.230
ciscoasa(config)# service-policy flow_export_policy global
Log flow-create events between hosts 209.165.200.224 and 209.165.200.230 to 209.165.201.29, and log all flow-denied events to 209.165.201.27:

ciscoasa(config)# access-list flow_export_acl permit ip host 209.165.200.224 host 209.165.200.230
ciscoasa(config)# class-map flow_export_class
ciscoasa(config-cmap)# match access-list flow_export_acl
ciscoasa(config)# policy-map flow_export_policy
ciscoasa(config-pmap)# class flow_export_class
ciscoasa(config-pmap-c)# flow-export event-type flow-creation destination 209.165.201.29
ciscoasa(config-pmap-c)# flow-export event-type flow-denied destination 209.165.201.27
ciscoasa(config-pmap)# class class-default
ciscoasa(config-pmap-c)# flow-export event-type flow-denied destination 209.165.201.27
ciscoasa(config)# service-policy flow_export_policy global
Note
You must enter the following command:

ciscoasa(config-pmap-c)# flow-export event-type flow-denied destination 209.165.201.27

for flow_export_acl, because traffic is not checked after the first match, and you must explicitly define the action to log flow-denied events that match flow_export_acl.
Log all traffic except traffic between hosts 209.165.201.27 and 209.165.201.50 to 209.165.201.27:

ciscoasa(config)# access-list flow_export_acl deny ip host 209.165.201.27 host 209.165.201.50
ciscoasa(config)# access-list flow_export_acl permit ip any any
ciscoasa(config)# class-map flow_export_class
ciscoasa(config-cmap)# match access-list flow_export_acl
ciscoasa(config)# policy-map flow_export_policy
ciscoasa(config-pmap)# class flow_export_class
ciscoasa(config-pmap-c)# flow-export event-type all destination 209.165.201.27
ciscoasa(config)# service-policy flow_export_policy global
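The first-match rule behind the Note above (an ACL-matched class never falls through to class-default, so each event type it should export has to be listed under that class) and the deny-ACE exclusion in the last example can both be checked before a policy is pushed to an appliance. The Python script below is an added example written for this page; it is not part of the Cisco guide and not a Cisco tool. It parses the page's own configuration lines (CLI prompts are stripped) into ACLs and policy-map classes, resolves which collectors receive a given event type for a given flow under first-match, and reports event types that class-default exports but an ACL-matched class omits. Assumptions: only the syntax subset used by these examples is understood, the event-type keywords are taken as they appear on the page, host/host ACEs are treated as directional, and the sample configurations are constructed from the page's third example (complete and with the required flow-denied line removed).

```python
"""Model the ASA MPF first-match rule for NSEL flow-export and audit a policy for
event types only class-default exports. Hypothetical helper, not Cisco tooling."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

EVENT_TYPES = ("flow-creation", "flow-teardown", "flow-denied", "flow-update")  # as on the page
PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")  # strips "ciscoasa(config-pmap-c)# "

@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: str     # host address or "any"
    dst: str

@dataclass
class PolicyClass:
    name: str
    acl: str | None  # None for class-default
    exports: dict[str, set[str]] = field(default_factory=dict)  # event type -> collectors

def parse_nsel_config(text: str):
    """Parse the access-list / class-map / policy-map subset used by the NSEL examples
    into (acls, classes in policy-map order). CLI prompts are tolerated and removed."""
    acls: dict[str, list[Ace]] = {}
    class_acl: dict[str, str] = {}
    classes: list[PolicyClass] = []
    cur_cmap = cur_class = None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if m := re.match(r"access-list (\S+) (permit|deny) ip (host \S+|any) (host \S+|any)$", line):
            name, action, src, dst = m.groups()
            acls.setdefault(name, []).append(
                Ace(action, src.removeprefix("host "), dst.removeprefix("host ")))
        elif m := re.match(r"class-map (\S+)$", line):
            cur_cmap = m.group(1)
        elif m := re.match(r"match access-list (\S+)$", line):
            class_acl[cur_cmap] = m.group(1)
        elif m := re.match(r"class (\S+)$", line):  # a class entry inside the policy-map
            cur_class = PolicyClass(m.group(1), class_acl.get(m.group(1)))
            classes.append(cur_class)
        elif m := re.match(r"flow-export event-type (\S+) destination (\S+)$", line):
            ev, dest = m.groups()
            for e in (EVENT_TYPES if ev == "all" else (ev,)):
                cur_class.exports.setdefault(e, set()).add(dest)
    return acls, classes

def acl_permits(aces: list[Ace], src: str, dst: str) -> bool:
    """First matching ACE decides: permit puts the flow in the class, deny keeps it out,
    no match is the implicit deny. host/host ACEs are treated as directional (assumed)."""
    for ace in aces:
        if ace.src in ("any", src) and ace.dst in ("any", dst):
            return ace.action == "permit"
    return False

def collectors_for(config, src: str, dst: str, event: str) -> set[str]:
    """Collectors that receive `event` for the flow src -> dst. Only the first class that
    matches applies its flow-export actions; class-default gets what no earlier class claimed."""
    acls, classes = config
    for cls in classes:
        if cls.acl is None or acl_permits(acls.get(cls.acl, []), src, dst):
            return set(cls.exports.get(event, set()))
    return set()

def audit_first_match_gaps(config) -> dict[str, set[str]]:
    """Event types class-default exports that an ACL-matched class omits: flows claimed by
    that class never fall through to class-default, so those events go unexported."""
    _, classes = config
    default = next((c for c in classes if c.name == "class-default"), None)
    if default is None:
        return {}
    return {c.name: set(default.exports) - set(c.exports)
            for c in classes if c is not default and set(default.exports) - set(c.exports)}

# Constructed input: the page's third example, with the flow-denied line under
# flow_export_class that the Note says is required.
COMPLETE_CONFIG = """
ciscoasa(config)# access-list flow_export_acl permit ip host 209.165.200.224 host 209.165.200.230
ciscoasa(config)# class-map flow_export_class
ciscoasa(config-cmap)# match access-list flow_export_acl
ciscoasa(config)# policy-map flow_export_policy
ciscoasa(config-pmap)# class flow_export_class
ciscoasa(config-pmap-c)# flow-export event-type flow-creation destination 209.165.201.29
ciscoasa(config-pmap-c)# flow-export event-type flow-denied destination 209.165.201.27
ciscoasa(config-pmap)# class class-default
ciscoasa(config-pmap-c)# flow-export event-type flow-denied destination 209.165.201.27
ciscoasa(config)# service-policy flow_export_policy global
"""
# Constructed variant: the same policy with that one line left out.
GAPPY_CONFIG = COMPLETE_CONFIG.replace(
    "ciscoasa(config-pmap-c)# flow-export event-type flow-denied destination 209.165.201.27\n"
    "ciscoasa(config-pmap)# class class-default", "ciscoasa(config-pmap)# class class-default")

if __name__ == "__main__":
    print(audit_first_match_gaps(parse_nsel_config(GAPPY_CONFIG)))  # {'flow_export_class': {'flow-denied'}}
```

Running the script reports the gap in the variant: flow_export_class exports only flow-creation, so a denied flow between the two ACL hosts is claimed by that class and never reaches the flow-denied action under class-default. Feeding the same function the page's last example (deny ACE followed by permit any any) shows the other side of ACL evaluation: the excluded host pair matches no class and gets no collector at all, while everything else goes to 209.165.201.27.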