Netflow Internet Monitoring for Users behind Proxy

Unanswered Question
Mar 28th, 2010
User Badges:

Hi...


In one of our sites we have the following network layout.


User VLANS ---------> MS ISA --------> 4500 Sup 6E Switch ----------> 5520 ASA (7.2) -------------> 2821 Router ----------> INTERNET


I want to use NETFLOW services to monitor top talkers on my LAN. Since sup 6E does not support netflow, my only choice is

to use the 2821 router. I have 3 Questions?


1) Is it a best practise to keep the Netflow collector Server (SW Orion) on the inside (Core Switch) or on a DMZ?


2) Since all users in their respective VLANS are forced through MS ISA, the only IP that is NATted is the MS ISA one connected to the PIX. Will NETFLOW show the internal users as top talkers or it will simply show the ISA server IP as the source for all traffic, thus making this setup useful for port and destination monitoring, not for source per user?


3) Any better ideas to monitor top talkers for such a setup?


All Help is appreciated,


Regards,


Mo Shea

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.
jakewilson Mon, 03/29/2010 - 12:55
User Badges:

Hello Mo Shea,


1) we keep our NetFlow Analyzer (Scrutinizer) on the inside of the firewall.  It more features and integrates with Solarwinds.

http://forums.plixer.com/viewtopic.php?f=15&t=1695&hilit=solarwinds


2) yes, the ASA will show the internal IP addresses.  See the attached screen capture. Be aware of the ASA NetFlow Export:

http://www.plixer.com/files/netflow-on-the-asa-11-18-09.pdf


3) Don't forget about nprobe from http://www.ntop.org.  here's how to set it up:

http://www.plixer.com/blog/netflow/how-to-configure-windows-nprobe-to-send-netflow/


Have Fun,


Jake

Attachment: 
mo shea Mon, 03/29/2010 - 20:52
User Badges:

Thanks Jake for the feedback,


I will be exporting Netflow from my 2821 router since my ASA (5520 7.2) doesnt support it. I was concerned how I would send it all they way from the router to the inside, since the Netflow collector will have a private ip whereas Router has public on all of its interfaces?


Any ideas?


Regards,


Mo Shea

jakewilson Wed, 03/31/2010 - 11:12
User Badges:

In many cases, the private IP (e.g. 10.1.1.1) of the router would get masqueraded to the public IP.  For this reason, if you have to export NetFlow from more than 1 router over the internet, a 1:1 NAT should be used other wise all the exports will appear to be from the same router.  This is probably not ideal.

Actions

This Discussion