Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
712
Views
0
Helpful
5
Replies

Netflow packets not getting to inside network

travis.wright
Level 1
Level 1

‎05-15-2007 10:06 AM - edited ‎03-11-2019 03:14 AM

I have an external router set up for Netflow with a destination ip address of an internal host which has the netflow Analyzer software on it. I have mirrored the configuration on the inside router which is talking just fine with the Netflow server. I am doing PAT on the outside interface of the firewall with ip address of x.x.x.131, and the outside interface has an ip address of x.x.x.130, and the interface on the router connected to the the outside interface of the firewall has an IP address of x.x.x.129. I have logging set to level 7 and am not seeing the udp port 9996 (netflow information) coming into the firewall. But when i do a

SECRTREXT01# show ip flow export

Flow export v5 is enabled for main cache

Exporting flows to internalsubnet.10.250 (9996)

Exporting using source interface FastEthernet0/1

Version 5 flow records

9780 flows exported in 360 udp datagrams

0 flows failed due to lack of export packet

359 export packets were sent up to process level

0 export packets were dropped due to no fib

0 export packets were dropped due to adjacency issues

0 export packets were dropped due to fragmentation failures

0 export packets were dropped due to encapsulation fixup failures

The interface connecting to the PIX as you see above is F0/1. I had put an access-list on this interface outbound allowing anything and logging but nothing showed for port 9996? insidehost10.250 is being patted to a x.x.x.131. Could this be a routing problem? I have a default route (gateway of last resort) pointing to the upstream LEC router, which is matched only after the destination does not match anything in the x.x.x.128-160 range (/27).

Labels:
0 Helpful
5 Replies 5

Jon Marshall
Hall of Fame
Hall of Fame

‎05-15-2007 11:15 PM

Hi

Your netflow output is saying it exporting flows to "internalsubnet.10.250". But you need to tell your netflow to export flows to your x.x.x.131 address as this is the address the netflow router knows how to get to.

One other point. When you say you have patted the internal server do you mean you have entry on your firewall as such

static (inside,outside) x.x.x.131 internalsubnet.10.250 netmask 255.255.255.255

You will need this.

HTH

Jon

0 Helpful

travis.wright
Level 1
Level 1
In response to Jon Marshall

‎06-04-2007 06:49 AM

Ok thanks a lot... So if i point the netflow to .131 then it will now go in the right direction and hit my firewall, but from there how will it get to the Netflow server without me having to translate 10.250? I am thinking i should set up a static translation to a different global routable IP x.x.x.136 for the Netflow server and point the flows to that ip address. Right now everything going out to the internet is translated as a .131+port so using a different .128/27 ip i am sure will do the trick.. What do you think?

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to travis.wright

‎06-04-2007 08:52 AM

Hi

I think what you suggest is the best way to achieve what you are trying to do. Use a separate public IP address for the Netflow server and then set up a static translation + the acl rules to allow the netflow traffic through from the router.

Let me know how you get get on

Jon

0 Helpful

travis.wright
Level 1
Level 1
In response to Jon Marshall

‎06-04-2007 09:28 AM

Thanks a lot. I know this will work definitely. I just have to wait for the approval. I know this is changing directions but do you have any suggestions on how i would engineer an architecture where i will have 2 failover pais? They will be PIX 515E's. The top firewalls will be hosting our DMZs and the outside internet of course,. and the bottom pair will be servicing our trusted and restricted segments. The segment design is good but aside from the failover cables i am thinking that the outside interfaces of the bottom firewalls will link directly to the inside interfaces of the top firewalls. However i am thinking that if the bottom or top fails over,.. how will it have to be designed so that the failover pix will communicate with the other primary firewall? I have it designed such that i have an interface on the bottom primary to the top secondary and vice versa. each interface is in a different network of course,.. but how will i do the routing? Since i can only point a default route to 1 IP address. I plan on using stateful failover cables for both UR and FO firewall pairs,.. but any suggestions on how to set up the routing so that the top or bottom of the "sandwich" can still talk to the other half once a failover on the top or bottom occurs? Thanks in advance.

0 Helpful

dphills18
Level 1
Level 1
In response to travis.wright

‎02-15-2008 02:32 PM

did you ever get this to work. we are having the exact same issues.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card