ASA Netflow

  • Post category:ASA / Cisco

The Cisco Secure Firewall ASA supports Netflow (Version 9), also referred to as Netflow Secure Event Logging (NSEL). NSEL provides information about network users, applications and traffic usage across the network, and can help detect Denial-of-Service (DoS) attacks.

  • Netflow v9 uses templates that describe the layout of the netflow data records.
  • Netflow events tracked include flow-create, flow-teardown, flow-denied and flow-update.
  • NSEL generates periodic events, called flow-update events, to provide byte counters over the duration of the flow.
  • SYSLOG messages can carry the same information; to avoid duplicate events they can be disabled with the command logging flow-export-syslogs disable.
  • NSEL Collectors are the Netflow servers that receive the flow events from the ASA. Multiple collectors can be configured, with different flows sent to different collectors, e.g. denied flow events sent to collector A and flow creation events sent to collector B.

https://www.cisco.com/c/en/us/td/docs/security/asa/special/netflow/asa_netflow.html

Configuration

The following NSEL configuration is applied on the ASA firewall; it is assumed the basic configuration of the ASA is already in place.

The flow export destination interface, IP address and port are defined globally.

flow-export destination INSIDE 192.168.10.101 2055

Specify the interval at which template records are sent to all configured output destinations.

flow-export template timeout-rate 1

An Access Control List is configured to specify which traffic should be matched.

access-list FLOW-DENY extended permit ip 192.168.10.0 255.255.255.0 any

access-list FLOW-ALL extended permit ip 192.168.11.0 255.255.255.0 any

Class-maps are created to match the traffic referencing the ACLs.

class-map CM-FLOW-ALL
 match access-list FLOW-ALL
!
class-map CM-FLOW-DENY
 match access-list FLOW-DENY

The default policy-map global_policy is modified to export flows that match each class-map/ACL: denied events for traffic matching the CM-FLOW-DENY class-map, and all netflow events for traffic matching the CM-FLOW-ALL class-map, are sent to the flow collector.

policy-map global_policy
 class CM-FLOW-DENY
  flow-export event-type flow-denied destination 192.168.10.101
 class CM-FLOW-ALL
  flow-export event-type all destination 192.168.10.101
!
service-policy global_policy global

Disable Netflow related SYSLOG messages

Disabling the netflow-related SYSLOG messages is optional. First check which of them are currently enabled:

ASA(config)# show logging flow-export-syslogs
Syslog ID       Type                           Status
302013          Flow Created                   Enabled
302015          Flow Created                   Enabled
302017          Flow Created                   Enabled
302020          Flow Created                   Enabled
302014          Flow Deleted                   Enabled
302016          Flow Deleted                   Enabled
302018          Flow Deleted                   Enabled
302021          Flow Deleted                   Enabled
106015          Flow Denied                    Enabled
106023          Flow Denied                    Enabled
313001          Flow Denied                    Enabled
313008          Flow Denied                    Enabled
710003          Flow Denied                    Enabled
106100          Flow Created/Denied            Enabled

Disable the netflow SYSLOG messages using the command logging flow-export-syslogs disable, then confirm the status:

ASA(config)# show logging flow-export-syslogs
Syslog ID       Type                           Status
302013          Flow Created                   Disabled
302015          Flow Created                   Disabled
302017          Flow Created                   Disabled
302020          Flow Created                   Disabled
302014          Flow Deleted                   Disabled
302016          Flow Deleted                   Disabled
302018          Flow Deleted                   Disabled
302021          Flow Deleted                   Disabled
106015          Flow Denied                    Disabled
106023          Flow Denied                    Disabled
313001          Flow Denied                    Disabled
313008          Flow Denied                    Disabled
710003          Flow Denied                    Disabled
106100          Flow Created/Denied            Disabled

Verification

From the ASA run show flow-export counters to confirm whether the ASA is sending netflow packets to the flow collector.

ASA(config)# show flow-export counters
destination: INSIDE 192.168.10.101 2055
Statistics:
packets sent                                      559
Errors:
block allocation failure                          0
invalid interface                                 0
template send failure                             0
no route to collector                             0
failed to get lock on block                       0
source port allocation failure                    0

The PRTG Netflow tool is configured to receive netflow events from the ASA. The screenshot below confirms netflow data is received.

Selecting the top connections, we can determine flow events for traffic to/from 192.168.11.50, which matches the FLOW-ALL ACL on the ASA.

Run a packet capture to capture the netflow communication between the ASA and the collector.

From the output of a netflow packet below, we can confirm the SrcAddr is 192.168.11.50 (matching the FLOW-ALL ACL), the Firewall Event is Flow created, and the protocol/port information.

From the output of the netflow packet below, we can confirm the SrcAddr is 192.168.10.101 (matching the FLOW-DENY ACL) and the Firewall Event is Flow denied by ingress ACL.

The Ingress ACL ID in the packet capture matches the hash of the ASA ACL combined with the hash of ACE line 1, as observed in the output below.
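To see how a collector turns the exported packets into the SrcAddr and Firewall Event values read off the capture above, here is an added example (not from the original post, PRTG or Cisco) of a minimal Netflow v9 parser that learns the template FlowSet and then decodes NSEL data records with it. The NSEL field IDs (233 for the firewall event, 33002 for the extended event) are assumed from Cisco's NSEL field table; the export packet is constructed inline, not a real capture.

```python
import struct

# Netflow v9 field IDs exported by ASA NSEL (assumed from Cisco's NSEL field table).
FIELDS = {8: ("src_addr", 4), 12: ("dst_addr", 4), 7: ("src_port", 2),
          11: ("dst_port", 2), 4: ("protocol", 1), 233: ("fw_event", 1),
          33002: ("fw_ext_event", 2)}
FW_EVENT = {0: "ignore", 1: "flow created", 2: "flow deleted",
            3: "flow denied", 5: "flow updated"}

def parse_v9(packet, templates=None):
    """Parse one v9 export; returns (records, templates). Data FlowSets whose template
    has not been seen yet are skipped, which is why template timeout-rate matters."""
    templates = dict(templates or {})           # template id -> [(field id, length)]
    if struct.unpack("!H", packet[:2])[0] != 9:
        raise ValueError("not a Netflow v9 packet")
    records, pos = [], 20                       # fixed 20-byte v9 header
    while pos + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[pos:pos + 4])
        if fs_len < 4:
            break                               # malformed length: stop, do not spin
        body, pos = packet[pos + 4:pos + fs_len], pos + fs_len
        if fs_id == 0:                          # template FlowSet: learn record layouts
            while len(body) >= 4:
                tid, n = struct.unpack("!HH", body[:4])
                spec = struct.unpack("!" + "HH" * n, body[4:4 + 4 * n])
                templates[tid] = list(zip(spec[::2], spec[1::2]))
                body = body[4 + 4 * n:]
        elif fs_id in templates:                # data FlowSet: apply the known template
            tmpl = templates[fs_id]
            rec_len = sum(l for _, l in tmpl)
            for off in range(0, len(body) - rec_len + 1, rec_len):
                rec, p = {}, off
                for fid, flen in tmpl:
                    if fid in FIELDS:
                        name, raw = FIELDS[fid][0], body[p:p + flen]
                        rec[name] = ".".join(map(str, raw)) if name.endswith("_addr") else int.from_bytes(raw, "big")
                    p += flen                   # unknown fields are skipped by length
                rec["event"] = FW_EVENT.get(rec.get("fw_event"), "unknown")
                records.append(rec)
    return records, templates

def build_sample():
    """Constructed NSEL export (not a real capture): one template, two data records."""
    spec = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (233, 1), (33002, 2)]
    tmpl = struct.pack("!HH", 256, len(spec)) + b"".join(struct.pack("!HH", *f) for f in spec)
    ip = lambda s: bytes(map(int, s.split(".")))
    data = (ip("192.168.11.50") + ip("10.0.0.5") + struct.pack("!HHBBH", 51234, 443, 6, 1, 0)
            + ip("192.168.10.101") + ip("10.0.0.9") + struct.pack("!HHBBH", 40000, 23, 6, 3, 1001))
    return (struct.pack("!HHIIII", 9, 3, 0, 0, 1, 0) + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 256, 4 + len(data)) + data)
```

Feeding the same packet without its template FlowSet yields no records, which is the symptom a collector started mid-stream shows until the next template refresh arrives.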