NetFlow is a protocol initially developed by Cisco but it is also supported on many other network devices. NetFlow’s purpose is to collect IP traffic information and send the collected records to a NetFlow Collector server or NetFlow Analyzer. NetFlow is useful for administrators to have an inside-view to the traffic passing through the network and collect information about bandwidth usage, type of traffic, traffic volume etc.
Only Cisco IOS Routers were supporting NetFlow in the past. Regarding Cisco ASA, NetFlow was only supported on Cisco ASA 5580 with software version 8.1. With the introduction of Cisco ASA software version 8.2, NetFlow is now supported on ALL ASA Models. This new feature on ASA is called NetFlow Security Event Logging (NSEL) which is an adaptation of NetFlow version 9.
Configuring NetFlow on Cisco ASA:
There are three event types that trigger the creation of a NetFlow record. These are flow-create, flow-denied, flow-teardown. You can use all as well to trigger a netflow record for all events. You need to define a netflow collector IP address to which the ASA appliance will send flow records. You can use the Modular Policy Framework to customize the details of NetFlow functionality.
Example: Log Flow Creation events between hosts 10.1.1.1 and 10.2.2.2
The Internal NetFlow Collector server is 192.168.100.1
ASA (config)# flow-export destination inside 192.168.100.1 2055
ASA (config)# access-list flow_export_acl permit ip host 10.1.1.1 host 10.2.2.2
ASA (config)# class-map flow_export_class
ASA (config-cmap)# match access-list flow_export_acl
ASA (config)# policy-map flow_export_policy
ASA (config-pmap)# class flow_export_class
ASA (config-pmap-c)# flow-export event-type flow-creation destination 192.168.100.1
! You can use also event-type all to trigger records for all flow events
ASA (config)# service-policy flow_export_policy global
! Disable Logging for flow export events for performance increase
ASA (config)# logging flow-export syslogs disable