
Netflow Internet Monitoring for Users behind Proxy

mo shea
Level 1

Hi...

In one of our sites we have the following network layout.

User VLANS ---------> MS ISA --------> 4500 Sup 6E Switch ----------> 5520 ASA (7.2) -------------> 2821 Router ----------> INTERNET

I want to use NETFLOW services to monitor top talkers on my LAN. Since the Sup 6E does not support NetFlow, my only choice is to use the 2821 router. I have 3 questions:

1) Is it a best practice to keep the NetFlow collector server (SW Orion) on the inside (Core Switch) or on a DMZ?

2) Since all users in their respective VLANs are forced through MS ISA, the only IP that is NATted is the MS ISA one connected to the PIX. Will NETFLOW show the internal users as top talkers, or will it simply show the ISA server IP as the source for all traffic, thus making this setup useful for port and destination monitoring, not for source per user?

3) Any better ideas to monitor top talkers for such a setup?

All Help is appreciated,

Regards,

Mo Shea

3 Replies

jakewilson
Level 1

Hello Mo Shea,

1) We keep our NetFlow Analyzer (Scrutinizer) on the inside of the firewall. It has more features and integrates with Solarwinds.

http://forums.plixer.com/viewtopic.php?f=15&t=1695&hilit=solarwinds

2) yes, the ASA will show the internal IP addresses.  See the attached screen capture. Be aware of the ASA NetFlow Export:

http://www.plixer.com/files/netflow-on-the-asa-11-18-09.pdf

3) Don't forget about nprobe from http://www.ntop.org. Here's how to set it up:

http://www.plixer.com/blog/netflow/how-to-configure-windows-nprobe-to-send-netflow/

Have Fun,

Jake

Thanks Jake for the feedback,

I will be exporting NetFlow from my 2821 router since my ASA (5520 7.2) doesn't support it. I was concerned about how I would send it all the way from the router to the inside, since the NetFlow collector will have a private IP whereas the router has public IPs on all of its interfaces.

Any ideas?

Regards,

Mo Shea

In many cases, the private IP (e.g. 10.1.1.1) of the router would get masqueraded to the public IP. For this reason, if you have to export NetFlow from more than 1 router over the internet, a 1:1 NAT should be used; otherwise all the exports will appear to be from the same router. This is probably not ideal.
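Two points in this thread are easier to see with records in hand: question 2 in the original post (whether a collector fed by the 2821 can name internal users at all when every session is opened by the ISA proxy and NATted by the ASA) and the masquerading problem in the last reply (a collector attributes flows to the UDP source address of the export datagram, so several routers behind one many-to-one NAT look like one exporter). The following Python is an added example written for this page, not code from the thread, from Cisco, Plixer or SolarWinds; it builds and parses NetFlow v5 datagrams using the public v5 layout, and every address, port, byte count and datagram in it is constructed for illustration (203.0.113.10 stands in for the ASA's NAT address of the ISA server, 192.0.2.x for router public addresses).

```python
"""Added example (not from the thread): build and parse NetFlow v5 datagrams to
show what a collector sees when (a) all users sit behind a proxy such as MS ISA
and (b) several exporters reach the collector through one masquerading NAT.
All addresses, byte counts and datagrams below are constructed for illustration.
"""
import socket
import struct
from collections import Counter

# NetFlow v5 header (24 bytes): version, count, sysuptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval
V5_HEADER = struct.Struct("!HHIIIIBBH")
# NetFlow v5 record (48 bytes): srcaddr, dstaddr, nexthop, input, output, dPkts,
# dOctets, first, last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as,
# dst_as, src_mask, dst_mask, pad2
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")


def ip2int(ip):
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def int2ip(n):
    return socket.inet_ntoa(struct.pack("!I", n))


def build_v5(flows, seq=0):
    """Encode a list of (src, dst, dport, octets) tuples as one v5 datagram."""
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(ip2int(src), ip2int(dst), 0, 0, 0, 1, octets, 0, 0,
                       40000, dport, 0, 0x18, 6, 0, 0, 0, 0, 0, 0)
        for src, dst, dport, octets in flows)
    return header + body


def parse_v5(datagram):
    """Decode a v5 datagram into dicts; rejects wrong versions and short data."""
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram: version %d" % version)
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated datagram")
    records = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({"src": int2ip(r[0]), "dst": int2ip(r[1]),
                        "dport": r[10], "octets": r[6]})
    return records


def top_talkers(records, key, n=3):
    """Sum octets per key ('src' or 'dst') and return the n largest."""
    totals = Counter()
    for rec in records:
        totals[rec[key]] += rec["octets"]
    return totals.most_common(n)


# Constructed flows as the 2821 would see them: each outbound session is opened
# by the ISA proxy and then NATted by the ASA, so a single source address
# (203.0.113.10, a made-up documentation address) carries all user traffic.
PROXY_FLOWS = [
    ("203.0.113.10", "198.51.100.7", 80, 5_000_000),
    ("203.0.113.10", "198.51.100.7", 443, 1_200_000),
    ("203.0.113.10", "198.51.100.22", 443, 3_400_000),
    ("203.0.113.10", "198.51.100.30", 80, 250_000),
]


def proxy_view():
    """Top talkers by source collapse to the proxy; by destination still work."""
    records = parse_v5(build_v5(PROXY_FLOWS))
    return top_talkers(records, "src"), top_talkers(records, "dst")


def group_by_exporter(datagrams):
    """Collectors key flows on the UDP source address the datagram arrived from.
    `datagrams` is a list of (source address as seen by the collector, bytes)."""
    per_exporter = Counter()
    for seen_from, dg in datagrams:
        per_exporter[seen_from] += len(parse_v5(dg))
    return per_exporter


def masquerade_vs_one_to_one():
    """Number of distinct exporters the collector sees in each NAT arrangement."""
    site_a = build_v5(PROXY_FLOWS[:2])
    site_b = build_v5(PROXY_FLOWS[2:])
    # Many-to-one NAT: both routers' exports arrive from the same public address.
    masq = group_by_exporter([("192.0.2.1", site_a), ("192.0.2.1", site_b)])
    # 1:1 NAT: each router keeps its own public address on the way in.
    one2one = group_by_exporter([("192.0.2.1", site_a), ("192.0.2.2", site_b)])
    return len(masq), len(one2one)


if __name__ == "__main__":
    by_src, by_dst = proxy_view()
    print("top sources (proxy in path):", by_src)
    print("top destinations:", by_dst)
    print("exporters seen (masquerade, 1:1):", masquerade_vs_one_to_one())
```

With the proxy in the path the source column holds exactly one address while destinations and ports remain usable, which is the trade-off the original question describes; per-user attribution would have to come from a point inside the ISA (its own logs, or a probe such as nprobe on the user side of it). The exporter check shows why the last reply asks for 1:1 NAT: under masquerading the collector counts a single exporter for two routers, and their independent flow_sequence counters would also collide in that one stream.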
