Monitoring NAT using netflow 9

prima.ramadhan
Level 1

Hi all,

I have a question regarding netflow and NAT. I have read some documentation (on ASR1000) regarding monitoring the NAT process on Cisco ASR1000 that can be done using netflow version 9 (the term was called netflow event logging, a.k.a. NEL). The problem is, I have not found a netflow collector that can do that. I have queried several software vendors such as ManageEngine "Netflow Analyzer" and Lancope, but they said their software cannot do that. Does anyone have experience with this? Can anyone refer me to software that can be used to do this, please?

Regards,

Even

11 Replies

prima.ramadhan
Level 1

Hi All,

Anybody know? I have tried to read several documents. It seems that the capability that enables the ASR1000 to send the NAT translation process using netflow is called Netflow Event Logging. I'm just wondering whether this feature is specific to ASR or not. Do you guys have anything in mind? Please share.

Regards,

Even

Hello,

My guess is that Scrutinizer from plixer.com can display the NEL data from the ASR 1000 using Flow View:

(above taken with Scrutinizer v7.6). Most NetFlow Analyzers need to see octetDeltaCount or something similar in a flow, else they drop it. Scrutinizer works a bit differently.

Once you can view the data, do you want to alarm for something? Would it be possible to get a wireshark capture from you?

Jake

One of the best choices for analysing L3/4 performance using Netflow/Sflow/IPFix is Crannog Netflow Tracker, in my opinion :)

http://www.flukenetworks.com/fnet/en-us/products/NetFlow+Tracker/Specifications.htm

With open source, nfsen/nfdump should be Type-9 capable, and if you wait, nTop will be in the future; v3.4 is in beta currently.

Steffen

Can anyone confirm if ASR 1006 Netflow Event Logging is the same as Cisco ASA's NSEL? Would it be safe to assume that a netflow collector that supports NSEL would also be able to support ASR 1006's NEL?

Hello David,

If you send the folks at plixer.com a packet capture of the netflow coming from your ASR 1006 we can confirm that the Netflow Event Logging is the same as Cisco ASA's NSEL. 

Jake

I will test it myself with Scrutinizer and nfdump with NSEL extensions. I'll post my findings.

Hi David,

Though I have not seen the difference personally, as far as I have read, the NetFlow event logging from ASR is specifically for NAT events. It lets users export NAT syslogs via NetFlow v9. The events are translation created or deleted in NAT entry and translation could not be created. Just one command is used: ip nat log translations flow-export v9 udp destination 1.1.1.1 9996

The NSEL from Cisco ASA can help in complete traffic analytics by giving information on each IP traffic conversation; it is related to flow creation and teardown and not only NAT. The ASA NSEL can also show pre- and post-NAT port and IP address of a conversation if NAT applies to that conversation.

I think a flow analyzer tool should be designed to handle the NetFlow event logging from ASR, as there are additional field IDs involved in this type of NetFlow. I believe the Cisco NetFlow Collector 6 supports the NetFlow event logging from ASR.

Regards,

Don Thomas Jacob

www.netflowanalyzer.com

NOTE: Please rate posts and close questions if you have got your answer.

Regards, Don Thomas Jacob http://www.solarwinds.com/netflow-traffic-analyzer.aspx Head Geek @ SolarWinds NOTE: Please rate and close questions if you found any of the answers helpful.

Through my tests with nfdump-NSEL I found it did not work, simply because the ASR NEL is a different flow template with different type fields.

/* ASR NEL flow template */
templateId=259: id=259, fields=11
    field id=8   (ipv4 source address),              offset=0,  len=4
    field id=225 (natInsideGlobalAddress),           offset=4,  len=4
    field id=12  (ipv4 destination address),         offset=8,  len=4
    field id=226 (natOutsideGlobalAddress),          offset=12, len=4
    field id=7   (transport source-port),            offset=16, len=2
    field id=227 (postNAPTSourceTransportPort),      offset=18, len=2
    field id=11  (transport destination-port),       offset=20, len=2
    field id=228 (postNAPTDestinationTransportPort), offset=22, len=2
    field id=234 (ingressVRFID),                     offset=24, len=4
    field id=4   (ip protocol),                      offset=28, len=1
    field id=230 (natEvent),                         offset=29, len=1

Looking at the nfdump NSEL struct and array, it does not include some of the NEL fields.

/* nfdump netflow_v9.c NSEL struct */
static struct nsel_element_info_s {
        uint16_t        min;
        uint16_t        max;
} nsel_element_info[18] = {
        // nsel common
        { 1, 1 },       //  0 - FW_EVENT
        { 2, 2 },       //  1 - FW_EXT_EVENT
        { 8, 8 },       //  2 - EVENT_TIME_MSEC
        { 4, 4 },       //  3 - FLOW_BYTES
        { 4, 4 },       //  4 - NF_CONN_ID
        { 1, 1 },       //  5 - NF_ICMP_TYPE_V4
        { 1, 1 },       //  6 - NF_ICMP_CODE_V4
        { 1, 1 },       //  7 - NF_ICMP_TYPE_6
        { 1, 1 },       //  8 - NF_ICMP_CODE_6
        { 12, 12 },     //  9 - INGRESS_ACL_ID
        { 12, 12 },     // 10 - EGRESS_ACL_ID
        { 4, 4 },       // 11 - XLATE_SRC_ADDR_4
        { 4, 4 },       // 12 - XLATE_DEST_ADDR_4
        { 2, 2 },       // 13 - XLATE_SRC_PORT
        { 2, 2 },       // 14 - XLATE_DST_PORT
        { 20, 20 },     // 15 - USERNAME
        { 65, 65 },     // 16 - USERNAME_MAX
        { 0, 0 },       // 17 - empty
};

There is also a Cisco document aimed at collector developers to implement NSEL support, but it does not mention some of the type fields in the NEL flow template.

http://www.cisco.com/en/US/docs/security/asa/asa81/netflow/netflow.html
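To make concrete what a collector has to do to accept these records, here is an added Python example that is not code from the thread, from nfdump, or from Cisco. It decodes a NetFlow v9 export packet using exactly the 11-field template 259 quoted above (template flowset, then a data flowset), and it does not require an octetDeltaCount field to keep a record, which is the reason given earlier in the thread for collectors dropping NEL data. The packet bytes, addresses and ports are constructed for the example; the natEvent code names (1 = create, 2 = delete) are an assumption of the example, not something the thread states.

```python
import struct
import ipaddress

# Field ids and lengths of the ASR NEL template quoted in the thread
# (templateId 259). Names follow the labels used in the thread.
NEL_TEMPLATE = [
    (8, 4),    # ipv4 source address
    (225, 4),  # natInsideGlobalAddress
    (12, 4),   # ipv4 destination address
    (226, 4),  # natOutsideGlobalAddress
    (7, 2),    # transport source-port
    (227, 2),  # postNAPTSourceTransportPort
    (11, 2),   # transport destination-port
    (228, 2),  # postNAPTDestinationTransportPort
    (234, 4),  # ingressVRFID
    (4, 1),    # ip protocol
    (230, 1),  # natEvent
]
FIELD_NAMES = {
    8: "src_addr", 225: "nat_inside_global_addr", 12: "dst_addr",
    226: "nat_outside_global_addr", 7: "src_port", 227: "post_napt_src_port",
    11: "dst_port", 228: "post_napt_dst_port", 234: "ingress_vrf_id",
    4: "protocol", 230: "nat_event",
}
ADDR_FIELDS = {8, 12, 225, 226}
# Assumed natEvent code names (example assumption, not from the thread).
NAT_EVENT_NAMES = {1: "translation_create", 2: "translation_delete"}


def parse_v9_packet(data, templates=None):
    """Parse one NetFlow v9 export packet.

    Returns (templates, records): the template cache after this packet and
    the decoded data records. Any record the template describes is kept,
    so NEL records without byte counters are not dropped.
    """
    templates = dict(templates or {})
    version = struct.unpack_from("!HHIIII", data, 0)[0]   # 20-byte header
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    records = []
    offset = 20
    while offset + 4 <= len(data):
        flowset_id, length = struct.unpack_from("!HH", data, offset)
        if length < 4 or offset + length > len(data):
            raise ValueError("bad flowset length")
        body = data[offset + 4:offset + length]
        if flowset_id == 0:
            # Template flowset: one or more (templateId, fieldCount, fields...)
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                pos += 4
                fields = []
                for _ in range(nfields):
                    fields.append(struct.unpack_from("!HH", body, pos))
                    pos += 4
                templates[tid] = fields
        elif flowset_id >= 256 and flowset_id in templates:
            # Data flowset: fixed-size records followed by optional padding
            tmpl = templates[flowset_id]
            rec_len = sum(flen for _, flen in tmpl)
            pos = 0
            while pos + rec_len <= len(body):
                rec = {}
                for ftype, flen in tmpl:
                    raw = body[pos:pos + flen]
                    pos += flen
                    name = FIELD_NAMES.get(ftype, "field_%d" % ftype)
                    if ftype in ADDR_FIELDS and flen == 4:
                        rec[name] = str(ipaddress.IPv4Address(raw))
                    else:
                        rec[name] = int.from_bytes(raw, "big")
                if "nat_event" in rec:
                    rec["nat_event_name"] = NAT_EVENT_NAMES.get(rec["nat_event"], "unknown")
                records.append(rec)
        # Options flowsets (ids 1-255) and data for unknown templates are skipped.
        offset += length
    return templates, records


def _nel_record(src, inside_global, dst, outside_global,
                sport, post_sport, dport, post_dport, vrf, proto, event):
    """Encode one 30-byte record in the layout of template 259 (constructed data)."""
    addrs = b"".join(ipaddress.IPv4Address(a).packed
                     for a in (src, inside_global, dst, outside_global))
    return addrs + struct.pack("!HHHHIBB", sport, post_sport, dport, post_dport,
                               vrf, proto, event)


def build_sample_packet():
    """Constructed export packet: template 259, then one create and one delete event."""
    tmpl = struct.pack("!HH", 259, len(NEL_TEMPLATE)) + b"".join(
        struct.pack("!HH", t, l) for t, l in NEL_TEMPLATE)
    template_flowset = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    recs = (_nel_record("10.0.0.5", "198.51.100.1", "203.0.113.10", "203.0.113.10",
                        51000, 1024, 443, 443, 0, 6, 1)
            + _nel_record("10.0.0.5", "198.51.100.1", "203.0.113.10", "203.0.113.10",
                          51000, 1024, 443, 443, 0, 6, 2))
    data_flowset = struct.pack("!HH", 259, 4 + len(recs)) + recs
    header = struct.pack("!HHIIII", 9, 3, 120000, 1700000000, 1, 0)
    return header + template_flowset + data_flowset


if __name__ == "__main__":
    for rec in parse_v9_packet(build_sample_packet())[1]:
        print(rec)
```

The template cache is returned so a real collector can carry it across packets; a data flowset that arrives before its template is skipped here, where a production collector would buffer it until the exporter resends the template.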

If you send the folks at plixer a packet capture and tell them what reports you want, they can build them for you. We have a release coming up.

Hi David, do you know if NFdump is able now to read NEL messages properly?

jakewilson
Level 1

Hello, 

We added several NAT reports in our latest release of Scrutinizer. It was tested on the ASR and Palo Alto Networks. Contact us with any questions.
