Cisco ASA 5510 Adaptive Security Appliance

Cisco ASA NetFlow Implementation Guide
 
  About NSEL
source and destination NAT rules are not applied at the same time (the destination NAT rule is 
applied first), so it is possible for a NetFlow record to be generated before both NAT rules are 
applied or when only one NAT rule is available.
These partial NAT translation templates are not needed for flow creation and delayed flow creation 
events because both source and destination IP addresses need to be the same IP version for a flow 
to be created. 
Note: Template definitions are sent to all collectors, and you should use these IDs and definitions to 
parse data records.

Templates for Flow Creation Events

Flow creation events indicate that a flow has been created by the ASA. This event is also a log of flows 
that the ASA allows. Table 5 describes the templates to use for flow creation events.

Table 5. Templates for Flow Creation Events

Description: IPv44 flow creation event with common username size (20 chars)
Fields: NF_F_CONN_ID, NF_F_SRC_ADDR_IPV4, NF_F_SRC_PORT, NF_F_SRC_INTF_ID, 
    NF_F_DST_ADDR_IPV4, NF_F_DST_PORT, NF_F_DST_INTF_ID, NF_F_PROTOCOL, 
    NF_F_ICMP_TYPE, NF_F_ICMP_CODE, NF_F_XLATE_SRC_ADDR_IPV4, 
    NF_F_XLATE_DST_ADDR_IPV4, NF_F_XLATE_SRC_PORT, NF_F_XLATE_DST_PORT, 
    NF_F_FW_EVENT, NF_F_FW_EXT_EVENT, NF_F_EVENT_TIME_MSEC, 
    NF_F_FLOW_CREATE_TIME_MSEC, NF_F_INGRESS_ACL_ID, NF_F_EGRESS_ACL_ID, 
    NF_F_USERNAME

Description: IPv44 flow creation event with maximum username size (65 chars)
Fields: NF_F_CONN_ID, NF_F_SRC_ADDR_IPV4, NF_F_SRC_PORT, NF_F_SRC_INTF_ID, 
    NF_F_DST_ADDR_IPV4, NF_F_DST_PORT, NF_F_DST_INTF_ID, NF_F_PROTOCOL, 
    NF_F_ICMP_TYPE, NF_F_ICMP_CODE, NF_F_XLATE_SRC_ADDR_IPV4, 
    NF_F_XLATE_DST_ADDR_IPV4, NF_F_XLATE_SRC_PORT, NF_F_XLATE_DST_PORT, 
    NF_F_FW_EVENT, NF_F_FW_EXT_EVENT, NF_F_EVENT_TIME_MSEC, 
    NF_F_FLOW_CREATE_TIME_MSEC, NF_F_INGRESS_ACL_ID, NF_F_EGRESS_ACL_ID, 
    NF_F_USERNAME_MAX
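
The note above says collectors should parse data records with the template IDs and definitions the ASA sends. The following is an added example, not code from the Cisco guide: a minimal collector-side decoder that learns a template from the wire, bounds-checks every length field, and skips data whose template has not been seen. The field type numbers, template ID 256, and the sample bytes are assumptions constructed for illustration; the flowset layout follows NetFlow v9 (RFC 3954).

```python
import ipaddress
import struct

# Assumed NetFlow v9 field type numbers; check them against the ASA's template.
NAMES = {148: "NF_F_CONN_ID", 8: "NF_F_SRC_ADDR_IPV4", 7: "NF_F_SRC_PORT",
         12: "NF_F_DST_ADDR_IPV4", 11: "NF_F_DST_PORT", 4: "NF_F_PROTOCOL",
         233: "NF_F_FW_EVENT"}
# Constructed sample: template flowset (ID 256, 7 fields), then one data record.
SAMPLE = bytes.fromhex(
    "00000024 01000007 00940004 00080004 00070002 000c0004 000b0002 00040001"
    "00e90001 01000018 00001a2b c000020a c93bc633 640701bb 06010000")

def learn_templates(body, templates):
    pos = 0  # each definition: ID, field count, then (type, length) pairs
    while pos + 4 <= len(body):
        tid, count = struct.unpack_from("!HH", body, pos)
        end = pos + 4 + 4 * count
        if tid < 256 or count == 0 or end > len(body):
            raise ValueError("malformed template definition")
        templates[tid] = list(struct.iter_unpack("!HH", body[pos + 4:end]))
        pos = end

def decode_records(body, template):
    size = sum(length for _, length in template)
    records, pos = [], 0
    while size and pos + size <= len(body):  # trailing padding is ignored
        rec = {}
        for ftype, length in template:
            raw, pos = body[pos:pos + length], pos + length
            val = int.from_bytes(raw, "big") if length <= 8 else raw  # wide fields stay bytes
            if ftype in (8, 12) and length == 4:
                val = str(ipaddress.IPv4Address(raw))
            rec[NAMES.get(ftype, f"type_{ftype}")] = val
        records.append(rec)
    return records

def parse_flowsets(payload, templates):
    """Decode the flowsets that follow the 20-byte NetFlow v9 packet header."""
    records, off = [], 0
    while off + 4 <= len(payload):
        fs_id, fs_len = struct.unpack_from("!HH", payload, off)
        if fs_len < 4 or off + fs_len > len(payload):
            raise ValueError("flowset length out of bounds")
        body = payload[off + 4:off + fs_len]
        if fs_id == 0:
            learn_templates(body, templates)
        elif fs_id in templates:  # data for an unknown template is skipped
            records += decode_records(body, templates[fs_id])
        off += fs_len
    return records
```

Keep the `templates` dictionary per exporter and reuse it across packets, since data records can arrive in packets that carry no template.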