Monitoring NAT using netflow 9

Unanswered Question
Feb 8th, 2010

Hi all,

I have a question regarding netflow and NAT. I have read some documentation (on ASR1000) regarding monitoring the NAT process on Cisco ASR1000, which can be done using netflow version 9 (the term was called netflow event logging, a.k.a. NEL). The problem is, I have not found a netflow collector that can do that. I have asked about several software products, such as ManageEngine "NetFlow Analyzer" and Lancope, but they said their software cannot do that. Does anyone have experience with this? Can anyone refer me to software that can be used to do this, please?

Regards,

Even

prima.ramadhan Mon, 02/15/2010 - 05:28

Hi All,

Anybody know? I have tried to read several documents. It seems that the capability that causes the ASR1000 to be able to send the NAT translation process using netflow is called Netflow Event Logging. I'm just wondering whether this feature is specific to the ASR or not. Do you guys have anything in mind? Please share.

Regards,

Even

jakewilson Wed, 02/24/2010 - 03:01

Hello,

My guess is that Scrutinizer from plixer.com can display the NEL data from the ASR 1000 using Flow View:

(above taken with Scrutinizer v7.6). Most NetFlow analyzers need to see octetDeltaCount or something similar in a flow, else they drop it. Scrutinizer works a bit differently.

Once you can view the data, do you want to alarm for something? Would it be possible to get a wireshark capture from you?

Jake

davidfarjecalderon Thu, 11/10/2011 - 14:24

Can anyone confirm if ASR 1006 Netflow Event Logging is the same as Cisco ASA's NSEL? Would it be safe to assume that a netflow collector that supports NSEL would also be able to support ASR 1006's NEL?

jakewilson Thu, 11/10/2011 - 17:39

Hello David,

If you send the folks at plixer.com a packet capture of the netflow coming from your ASR 1006, we can confirm whether the Netflow Event Logging is the same as Cisco ASA's NSEL.

Jake

davidfarjecalderon Fri, 11/11/2011 - 06:17

I will test it myself with Scrutinizer and nfdump with NSEL extensions. I'll post my findings.

Don Jacob Sun, 11/13/2011 - 22:18

Hi David,

Though I have not seen the difference personally, as far as I have read, the NetFlow event logging from the ASR is specifically for NAT events. It lets users export NAT syslogs via NetFlow v9. The events are: translation created or deleted in the NAT entry, and translation could not be created. Just one command is used: ip nat log translations flow-export v9 udp destination 1.1.1.1 9996

The NSEL from the Cisco ASA can help in complete traffic analytics by giving information on each IP traffic conversation, and is related to flow creation and teardown, not only NAT. The ASA NSEL can also show the pre- and post-NAT port and IP address of a conversation if NAT applies to that conversation.

I think a flow analyzer tool should be designed to handle the NetFlow event logging from the ASR, as there are additional field IDs involved in this type of NetFlow. I believe the Cisco NetFlow Collector 6 supports the NetFlow event logging from the ASR.

Regards,

Don Thomas Jacob

www.netflowanalyzer.com

NOTE: Please rate posts and close questions if you have got your answer.

davidfarjecalderon Mon, 11/14/2011 - 05:43
Through my tests with nfdump-NSEL I found it did not work, simply because the ASR NEL is a different flow template with different type fields.

/* ASR NEL flow template */
templateId=259: id=259, fields=11
    field id=8 (ipv4 source address), offset=0, len=4
    field id=225 (natInsideGlobalAddress), offset=4, len=4
    field id=12 (ipv4 destination address), offset=8, len=4
    field id=226 (natOutsideGlobalAddress), offset=12, len=4
    field id=7 (transport source-port), offset=16, len=2
    field id=227 (postNAPTSourceTransportPort), offset=18, len=2
    field id=11 (transport destination-port), offset=20, len=2
    field id=228 (postNAPTDestinationTransportPort), offset=22, len=2
    field id=234 (ingressVRFID), offset=24, len=4
    field id=4 (ip protocol), offset=28, len=1
    field id=230 (natEvent), offset=29, len=1

Looking at the nfdump NSEL struct and array, it does not include some of the NEL fields.

/* nfdump netflow_v9.c NSEL struct: accepted (min, max) length in bytes
   for each NSEL element, indexed by the element's position in the table */

static struct nsel_element_info_s {
        uint16_t        min;
        uint16_t        max;
} nsel_element_info[18] = {
        // nsel common
        { 1, 1 },       //  0 - FW_EVENT
        { 2, 2 },       //  1 - FW_EXT_EVENT
        { 8, 8 },       //  2 - EVENT_TIME_MSEC
        { 4, 4 },       //  3 - FLOW_BYTES
        { 4, 4 },       //  4 - NF_CONN_ID
        { 1, 1 },       //  5 - NF_ICMP_TYPE_V4
        { 1, 1 },       //  6 - NF_ICMP_CODE_V4
        { 1, 1 },       //  7 - NF_ICMP_TYPE_6
        { 1, 1 },       //  8 - NF_ICMP_CODE_6
        { 12, 12 },     //  9 - INGRESS_ACL_ID
        { 12, 12 },     // 10 - EGRESS_ACL_ID
        { 4, 4 },       // 11 - XLATE_SRC_ADDR_4
        { 4, 4 },       // 12 - XLATE_DEST_ADDR_4
        { 2, 2 },       // 13 - XLATE_SRC_PORT
        { 2, 2 },       // 14 - XLATE_DST_PORT
        { 20, 20 },     // 15 - USERNAME
        { 65, 65 },     // 16 - USERNAME_MAX
        { 0, 0 },       // 17 - empty
};

There is also a Cisco document aimed at collector developers to implement NSEL support, but it does not mention some of the type fields in the NEL flow template.

http://www.cisco.com/en/US/docs/security/asa/asa81/netflow/netflow.html
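To make the template above concrete, here is an added example (not code from the thread or from nfdump) that decodes one NetFlow v9 data record laid out per template 259 and checks why a byte-counter-only collector would drop it. The sample record is constructed, and the natEvent code values (1 = create, 2 = delete) are an assumption taken from the IPFIX natEvent registry rather than from the thread.

```python
import struct
from ipaddress import IPv4Address

# Field list from the ASR NEL template (id 259) quoted in the post, in record
# order: (information element id, name, length in bytes).
NEL_TEMPLATE_259 = [
    (8,   "sourceIPv4Address",                4),
    (225, "natInsideGlobalAddress",           4),  # post-NAT source address
    (12,  "destinationIPv4Address",           4),
    (226, "natOutsideGlobalAddress",          4),  # post-NAT destination address
    (7,   "sourceTransportPort",              2),
    (227, "postNAPTSourceTransportPort",      2),
    (11,  "destinationTransportPort",         2),
    (228, "postNAPTDestinationTransportPort", 2),
    (234, "ingressVRFID",                     4),
    (4,   "protocolIdentifier",               1),
    (230, "natEvent",                         1),
]
OCTET_DELTA_COUNT = 1  # NetFlow v9 / IPFIX element id of the byte counter
IPV4_FIELDS = {8, 225, 12, 226}
RECORD_LEN = sum(length for _, _, length in NEL_TEMPLATE_259)  # 30 bytes
# Event names follow the thread's description; the numeric codes are an
# assumption taken from the IPFIX natEvent registry, not from the thread.
NAT_EVENT_NAMES = {1: "translation created", 2: "translation deleted"}

def template_has_octet_counter(template) -> bool:
    """True if the template carries octetDeltaCount; collectors that insist
    on a byte counter drop records from templates (like 259) that lack it."""
    return any(elem_id == OCTET_DELTA_COUNT for elem_id, _, _ in template)

def parse_nel_record(data: bytes) -> dict:
    """Decode one template-259 data record (all fields big-endian)."""
    if len(data) != RECORD_LEN:
        raise ValueError(f"expected {RECORD_LEN} bytes, got {len(data)}")
    rec, offset = {}, 0
    for elem_id, name, length in NEL_TEMPLATE_259:
        chunk = data[offset:offset + length]
        offset += length
        rec[name] = (str(IPv4Address(chunk)) if elem_id in IPV4_FIELDS
                     else int.from_bytes(chunk, "big"))
    rec["natEventName"] = NAT_EVENT_NAMES.get(rec["natEvent"], "other/unknown")
    return rec

# Constructed sample (not a capture from the thread): 10.0.0.5:40000 -> 203.0.113.9:443
# over TCP, source translated to 198.51.100.1:10001, VRF 0, natEvent 1 (create).
SAMPLE_RECORD = (
    IPv4Address("10.0.0.5").packed + IPv4Address("198.51.100.1").packed
    + IPv4Address("203.0.113.9").packed + IPv4Address("203.0.113.9").packed
    + struct.pack("!HHHHIBB", 40000, 10001, 443, 443, 0, 6, 1)
)
```

Running parse_nel_record(SAMPLE_RECORD) yields the pre- and post-NAT tuple in one dict, which is exactly the mapping a NAT audit log needs; template_has_octet_counter(NEL_TEMPLATE_259) is False, matching the observation above that collectors expecting octetDeltaCount discard these records.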

jakewilson Wed, 11/16/2011 - 18:24

If you send the folks at plixer a packet capture and tell them what reports you want, they can build them for you. We have a release coming up.

lmcruzhsa Wed, 09/26/2012 - 02:15

Hi David, do you know if NFdump is able now to read NEL messages properly?
