Cisco Systems ASA5515K9, ASA 5500 Configuration Examples for NSEL

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter78 Configuring NetFlow Secure Event Logging (NSEL)

Configuration Examples for NSEL

Configuration Examples for NSEL

The following examples show how to filter NSEL events, with the specified collectors already

•flow-export destination inside 209.165.200.2055

•flow-export destination outside 209.165.201.29 2055

•flow-export destination outside 209.165.201.27 2055

Log all events between hosts 209.165.200.224 and hosts 209.165.201.224 to 209.165.200.230, and log

all other events to 209.165.201.29:

hostname (config)# access-list flow_export_acl permit ip host 209.165.200.224 host

209.165.201.224

hostname (config)# class-map flow_export_class

hostname (config-cmap)# match access-list flow_export_acl

hostname (config)# policy-map flow_export_policy

hostname (config-pmap)# class flow_export_class

hostname (config-pmap-c)# flow-export event-type all destination 209.165.200.230

hostname (config-pmap)# class class-default

hostname (config-pmap-c)# flow-export event-type all destination 209.165.201.29

hostname (config)# service-policy flow_export_policy global

Log flow-create events to 209.165.200.230, flow-teardown events to 209.165.201.29, flow-denied

events to 209.165.201.27, and flow-update events to 209.165.200.230:

hostname (config)# policy-map flow_export_policy

hostname (config-pmap)# class class-default

hostname (config-pmap-c)# flow-export event-type flow-creation destination 209.165.200.230

hostname (config-pmap-c)# flow-export event-type flow-teardown destination 209.165.201.29

hostname (config-pmap-c)# flow-export event-type flow-denied destination 209.165.201.27

hostname (config-pmap-c)# flow-export event-type flow-update destination 209.165.200.230

hostname (config)# service-policy flow_export_policy global

Log flow-create events between hosts 209.165.200.224 and 209.165.200.230 to 209.165.201.29, and log

all flow-denied events to 209.165.201.27:

hostname (config)# access-list flow_export_acl permit ip host 209.165.200.224 host

209.165.200.230

hostname (config)# class-map flow_export_class

hostname (config)# match access-list flow_export_acl

hostname (config)# policy-map flow_export_policy

hostname (config-pmap)# class flow_export_class

hostname (config-pmap-c)# flow-export event-type flow-creation destination 209.165.200.29

hostname (config-pmap-c)# flow-export event-type flow-denied destination 209.165.201.27

hostname (config-pmap)# class class-default

hostname (config-pmap-c)# flow-export event-type flow-denied destination 209.165.201.27

hostname (config)# service-policy flow_export_policy global

Note You must enter the following command:

hostname (config-pmap-c)# flow-export event-type flow-denied destination 209.165.201.27

for flow_export_acl, because traffic is not checked after the first match, and you must explicitly define

the action to log flow-denied events that match flow_export_acl.

Log all traffic except traffic between hosts 209.165.201.27 and 209.165.201.50 to 209.165.201.27:

hostname (config)# access-list flow_export_acl deny ip host 209.165.201.30 host

209.165.201.50

Contents