Hi
I'm currently using ManageEngine NetFlow Analyzer ver. 8 and so far it has been good. My issue is that I have 2 Cisco ASA5510s running version 8.2(2). One firewall sits at the data center, which is another location, and one sits here in the office.
I'm able to add the office ASA to the dashboard based on the recommended configuration, since it's just the internal network. But I'm unable to add the ASA from the data center, which is another location, even though I have added the recommended configuration; the only difference is that I have pointed it to the public IP address of our firewall on the outside interface. I have already permitted "udp any any" on both firewalls, for both the incoming and outgoing interfaces, yet still no luck. We have a site-to-site VPN from my office to the data center, and I have configured NetFlow to send packets via the VPN using the internal IP address of the server in our office, yet still no luck.
See the configuration of my ASAs below.
===========
OFFICE ASA
===========
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.XX.XX.65 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 174.17.2.1 255.255.255.0
access-list acl_in extended permit icmp any any
access-list acl_in extended permit tcp any any
access-list acl_in extended permit udp any any
access-list acl_out extended permit udp any any
access-list netflow-export extended permit ip any any
access-group acl_out in interface outside
access-group acl_in in interface inside
flow-export destination inside 174.17.2.99 9996
flow-export template timeout-rate 1
flow-export delay flow-create 60
class-map netflow-export-class
 match access-list netflow-export
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map ntop-netflow-export-policy
 class netflow-export-class
  flow-export event-type all destination 174.17.2.114
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
policy-map netflow-export-policy
 class netflow-export-class
  flow-export event-type all destination 174.17.2.99
!
service-policy netflow-export-policy global
=====================
DATA CENTER - ASA
=====================
interface Ethernet0/0
 speed 10
 nameif outside
 security-level 0
 ip address 203.XX.XX.50 255.255.255.240 standby 203.XX.XX.59
access-list INET_OUTBOUND extended permit udp any any
access-list INET_INBOUND extended permit udp any any
access-list netflow-export extended permit ip any any
access-group INET_INBOUND in interface outside
flow-export destination outside 174.17.2.99 9996
flow-export destination outside 203.116.29.65 9996
flow-export template timeout-rate 1
flow-export delay flow-create 60
class-map global-class
 match any
class-map inspection_default
 match default-inspection-traffic
class-map global-class1
 match access-list netflow-export
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map global-policy1
 class global-class1
  flow-export event-type all destination 174.17.2.99 203.XX.XX.65
 class class-default
  flow-export event-type all destination 174.17.2.99 203.XX.XX.65
policy-map global-policy
!
service-policy global-policy1 global
Please help.
Cheers!
Dan
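Added diagnostic, not part of Dan's post and not code from ManageEngine or Cisco: before touching more ACLs, the useful first check is whether NetFlow v9 datagrams from the data-center ASA ever arrive at the collector host (174.17.2.99 in the post) on UDP/9996, and from which source address. ASA-originated exports are sourced from the address of the interface named in `flow-export destination`, so a packet that reaches the collector from the data-center unit's outside address confirms transport and narrows the problem to the collector; no packet at all points at routing, NAT or the tunnel's interesting-traffic definition. The listener below binds the collector port (assumes the real collector is stopped so the port is free), decodes only the 20-byte v9 header, and tallies packets per sender; the sample datagrams are constructed here for an offline run.

```python
"""
Minimal NetFlow v9 arrival check for a collector host (added example).

Assumptions: exporters send NetFlow v9 (the format Cisco ASA NSEL uses),
the collector listens on UDP/9996 as in the post, and that port can be
bound here while the real collector is stopped.
"""
import socket
import struct
import time

NETFLOW_V9 = 9
# v9 packet header: version, count, sysUptime, unixSecs, sequence, sourceId
V9_HEADER = struct.Struct("!HHIIII")


def parse_v9_header(datagram: bytes) -> dict:
    """Decode the 20-byte NetFlow v9 header; raise ValueError if it is not one."""
    if len(datagram) < V9_HEADER.size:
        raise ValueError(f"datagram too short for a v9 header: {len(datagram)} bytes")
    version, count, sys_uptime, unix_secs, seq, source_id = V9_HEADER.unpack_from(datagram)
    if version != NETFLOW_V9:
        raise ValueError(f"not NetFlow v9 (version field = {version})")
    return {
        "version": version,
        "count": count,  # number of FlowSets in the packet
        "sys_uptime_ms": sys_uptime,
        "unix_secs": unix_secs,
        "sequence": seq,
        "source_id": source_id,
    }


def summarize_exporters(datagrams):
    """Tally good/bad packets and the last sequence number per sender address.

    `datagrams` is an iterable of (source_ip, payload) pairs, so the same
    function serves live traffic and constructed samples.
    """
    seen = {}
    for src_ip, payload in datagrams:
        entry = seen.setdefault(src_ip, {"packets": 0, "bad": 0, "last_seq": None})
        try:
            hdr = parse_v9_header(payload)
        except ValueError:
            entry["bad"] += 1
            continue
        entry["packets"] += 1
        entry["last_seq"] = hdr["sequence"]
    return seen


def listen(port=9996, duration=30.0):
    """Bind UDP/<port> for <duration> seconds and report who sent v9 packets."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", port))
    sock.settimeout(1.0)
    deadline = time.monotonic() + duration
    received = []
    while time.monotonic() < deadline:
        try:
            payload, (src_ip, _port) = sock.recvfrom(65535)
        except socket.timeout:
            continue
        received.append((src_ip, payload))
    sock.close()
    return summarize_exporters(received)


def build_sample_v9_packet(seq: int, source_id: int = 0) -> bytes:
    """Constructed sample: a v9 header with zero FlowSets, for offline testing."""
    return V9_HEADER.pack(NETFLOW_V9, 0, 123456, 1_300_000_000, seq, source_id)


# Constructed sample run: two packets from the office ASA's inside address
# (the export interface in the post), nothing from the data-center ASA,
# plus one junk datagram that is counted as unparsable.
SAMPLE = [
    ("174.17.2.1", build_sample_v9_packet(1)),
    ("174.17.2.1", build_sample_v9_packet(2)),
    ("10.0.0.5", b"\x00\x05not-netflow"),
]

if __name__ == "__main__":
    for ip, stats in summarize_exporters(SAMPLE).items():
        print(f"{ip}: {stats['packets']} v9 packets, {stats['bad']} unparsable, "
              f"last seq {stats['last_seq']}")
    # Live check once the real collector has released UDP/9996:
    # print(listen(9996, 30))
```

Run the live check on the collector host while both ASAs are exporting; a sender address that never appears tells you the datagrams are not reaching the host, which is a transport question for the tunnel or the outside ACLs rather than a NetFlow Analyzer setting.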