Routing help with Cisco 2600

Jan 7th, 2008

Hi, I am wondering if this is possible. Our ISP's router is a Cisco 2600 and I am asking them to add the Netflow commands to it so we can see who is doing what on our router when it gets busy. However, our Netflow server is on our internal network. This 2600 connects to our Cisco 2950 switch and into a VLAN where the "outside" port of our Cisco Pix sits. The 2600's IP is the first IP of our Public IP scope for example, and the "outside" port of the Cisco Pix is the 2nd of the scope. Now if I tell my ISP that the Netflow server is on what will need to be added to the Cisco 2600? I can't figure out how I can get this Netflow traffic from this 2600 to my LAN server.

Here is part of the 2600's config:

interface FastEthernet0/0
 description Remote ISP Ethernet Interface
 ip address
 ip access-group 102 in
 no ip proxy-arp
 speed 100

interface FastEthernet0/1
 description Local Corp Ethernet Interface
 ip address
 speed auto

ip classless
ip route

Many thanks in advance

Jon Marshall Mon, 01/07/2008 - 01:53


Do you have any spare public IP addresses?

If so, supply this address to your ISP and then do a static translation on your pix, e.g.

static (inside,outside)

If you can't do this then you will need a route on the 2600

ip route



whiteford Mon, 01/07/2008 - 02:58

Thanks, my ISP will add the ip route and the various Netflow commands. Will I have to do something special on the Pix like enable on port 9996 (netflow) to

Richard Burts Mon, 01/07/2008 - 04:49


Yes I would expect that you would need to configure the PIX to permit the traffic from an outside source to an inside destination on the particular port. By default the PIX does not allow outside sources to initiate traffic to inside destinations so you will need configuration to permit this.



whiteford Mon, 01/07/2008 - 05:40

When I add the rule on the Pix rule:

Allow "routers ip" to "servers IP" on port 9996 (Netflow), the Pix firewall says "No NAT rule is configured for destination host "server IP" on the inside interface from the outside interface. Please configure a Static NAT or NAT Exemption rule for this host"

Shall I just let the Pix create the static translation rule?

Richard Burts Mon, 01/07/2008 - 05:43


I would think that having the PIX create the static translation would be good.



adam.sellhorn Mon, 01/07/2008 - 10:08

You will need something like:

static (inside,outside) netmask

Make sure you allow port 9996 through your outside acl to

Set netflow on router to deliver data to

dphills18 Fri, 02/15/2008 - 14:16

Did this actually work, because I am having the exact same issue. Craziest thing.
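
One way to confirm on the inside server that the export really arrives once the static translation and the port 9996 rule are in place is to decode the datagrams at the collector. This is an added example, not part of the thread; it assumes the router exports NetFlow version 5 (the thread does not say which version), and `192.0.2.1` is a placeholder for the router address.

```python
import ipaddress
import socket
import struct

# NetFlow v5 layout (assumed export version; the thread does not name one).
HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte packet header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record

def parse_v5(datagram, sender, expected_exporter):
    """Validate one UDP payload seen by the collector and return its flows."""
    # NetFlow over UDP is unauthenticated: accept only the permitted router.
    if ipaddress.ip_address(sender) != ipaddress.ip_address(expected_exporter):
        raise ValueError(f"datagram from unexpected source {sender}")
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than a NetFlow v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if not 1 <= count <= 30 or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": str(ipaddress.ip_address(f[0])),
                      "dst": str(ipaddress.ip_address(f[1])),
                      "packets": f[5], "bytes": f[6],
                      "sport": f[9], "dport": f[10], "proto": f[13]})
    return flows

# Constructed sample: one TCP flow, 198.51.100.7:51514 -> 203.0.113.9:443.
SAMPLE = HEADER.pack(5, 1, 1000, 1199700000, 0, 1, 0, 0, 0) + RECORD.pack(
    ipaddress.ip_address("198.51.100.7").packed,
    ipaddress.ip_address("203.0.113.9").packed,
    bytes(4), 1, 2, 10, 5200, 900, 990, 51514, 443, 0, 0x1B, 6, 0, 0, 0, 24, 24, 0)

def listen(expected_exporter, port=9996):
    """Print decoded flows arriving on the NetFlow port; report anything rejected."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, (sender, _) = sock.recvfrom(65535)
        try:
            print(parse_v5(data, sender, expected_exporter))
        except ValueError as err:
            print("rejected:", err)

if __name__ == "__main__":
    print(parse_v5(SAMPLE, "192.0.2.1", "192.0.2.1"))  # offline self-check
    listen("192.0.2.1")  # placeholder: replace with the router's address
```

If nothing is printed while the router is exporting, the datagrams are being dropped before they reach the server, which points back at the route, the translation or the access rule.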

