How to implement Netflow through VPN tunnel on the WAN router

Unanswered Question
Mar 29th, 2010

A site-to-site IPSec VPN tunnel is built between the hub datacenter and a remote site using ASA5505. The remote site ASA connects to a Cisco C2811 router and then goes to the ISP edge. The requirement is to enable Netflow on the WAN router and collect data. The Netflow Analyser (Solarwinds-Orion) resides in the hub datacenter's LAN.

Netflow Analyzer (10.1.1.10) --- (10.1.1.1)ASA1(123.1.2.1) ---- (123.1.2.2)Router1(125.5.5.5) ----> Internet <----- (126.6.6.6)Router2(100.2.2.2) ---- (100.2.2.1)ASA2(10.2.1.1) --- LAN

I'd like to get Netflow stats on the WAN routers between IPSec devices. And the stats need to be encrypted. In other words, I do not want to send Netflow data across the public network. My thought was to send Netflow data through the IPSec tunnel. How can I accomplish this?

jackawang Tue, 03/30/2010 - 12:22

I've heard "same-security-traffic permit intra-interface" needs to be configured on the ASA2 outside interface. Does anyone have a complete thought on how to make it work? Any idea would be appreciated.
