Cisco ASA 5512-X Adaptive Security Appliance - No Payload Encryption
Cisco ASA NetFlow Implementation Guide
Extended Event Codes
Of the four high-level event codes, only two have extended event codes: the flow denial and flow teardown event types. For the flow denied event, the list of extended event codes in should suffice to determine the reason why the flow was denied. However, for the flow teardown event, there are too many event codes to list in this document, and the set of reasons is quite fluid.
Guidelines for NSEL
Supported Features
• IPv6 for the class-map, match access-list, and match any commands.
• UDP payloads only.
Additional Guidelines
• If you have previously configured flow-export actions using the flow-export enable command, and you upgrade to a later version, then your configuration is automatically converted to the new Modular Policy Framework flow-export event-type command, which is described under the policy-map command.
• If you have previously configured flow-export actions using the flow-export event-type all command, and you upgrade to a later version, NSEL automatically begins issuing flow-update records when necessary.
• Flow-export actions are not supported in interface-based policies. You can configure flow-export actions in a class-map only with the match access-list, match any, or class-default commands. You can only apply flow-export actions in a global service policy.
• You must use the threat detection feature to view bandwidth usage for NetFlow records (not available in real-time).
• Make sure that you assign unique IP addresses and hostnames throughout the NetFlow configuration.
• For more implementation details, see the following articles:
  – https://supportforums.cisco.com/docs/DOC-6113
  – https://supportforums.cisco.com/docs/DOC-6114
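The following is an added example, not configuration taken from this guide, that puts the guidelines above into a complete NSEL configuration: a collector is defined, flow-export actions are attached only to a class-map that uses match access-list and to class-default, and the policy is applied as the global service policy rather than to an interface. The ACL name flow_export_acl, the class-map name flow_export_class, and the collector address and port are assumptions chosen for illustration; global_policy is the policy map that ships applied globally on an ASA.

```cisco
! Collector that will receive the NSEL (NetFlow v9) datagrams. The address
! and UDP port are constructed values for this example.
flow-export destination inside 209.165.200.225 2002
! Resend the NetFlow templates every 30 minutes so a collector that restarts
! can decode the records again without waiting for the default interval.
flow-export template timeout-rate 30
!
! Traffic of interest for full flow accounting: only the DMZ subnet.
! (Assumed address space; adjust to your environment.)
access-list flow_export_acl extended permit ip 192.168.10.0 255.255.255.0 any
access-list flow_export_acl extended permit ip any 192.168.10.0 255.255.255.0
!
! A class-map used for flow-export must use match access-list or match any;
! other match types (for example match port) are not supported for NSEL.
class-map flow_export_class
 match access-list flow_export_acl
!
! Flow-export actions go into the global policy map, never into an
! interface-specific policy map.
policy-map global_policy
 class flow_export_class
  ! Create, teardown, denied and (if needed) update events for DMZ traffic.
  flow-export event-type all destination 209.165.200.225
 class class-default
  ! For everything else, export only denied flows, which is usually the
  ! event a SOC wants from the firewall for detection purposes.
  flow-export event-type flow-denied destination 209.165.200.225
!
! The guideline requires a global service policy; a per-interface
! "service-policy ... interface outside" would reject the flow-export action.
service-policy global_policy global
```

After applying the configuration, show flow-export counters confirms that packets are being sent to the collector and reports export errors, and show running-config flow-export shows the collector and template settings together. Because the destination in each flow-export event-type line must match a configured flow-export destination, keep the collector address identical in both places, in line with the guideline on unique, consistent IP addresses and hostnames.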
Configure NSEL Collectors (CLI)
You must have at least one configured collector before you can use NSEL, and you must configure NSEL collectors before you can configure filters via Modular Policy Framework.
To configure an NSEL collector, perform the following steps:
Procedure
Step 1 Add an NSEL collector to which NetFlow packets may be sent.
flow-export destination interface-name {ipv4-address | hostname} udp-port
Example:
ciscoasa(config)# flow-export destination inside 209.165.200.225 2002