Cisco Support Community
New Member

allow netflow through pix 515e

I have a multilink connected to our ISP that I want to monitor, but it sits outside of our PIX. How can I make this work? I searched this site but didn't find anything that applies to me. I attached a Visio of our network.

I'm sure I'll need a static NAT and an ACL.

Thanks in advance - Jerry.

Accepted Solution
Silver

Re: allow netflow through pix 515e

1- Are you routing or NAT through the firewall?

2- If you're routing through the firewall, does the router have a static route so that it knows how to get back to the netflow server?

3- If you're natting, are you natting everything behind the firewall to 3.3.3.2? In other words:

nat (inside) 1 172.16.1.0 255.255.255.0
global (outside) 1 interface

4- If item #3 is true, what udp port is the netflow running on the netflow server? I know that freeware ipflow default is 20000, what do you use?

5- do this:

static (inside,outside) udp interface 20000 172.16.1.15 20000 netmask 255.255.255.255 (check the syntax).
access-list External permit icmp any any log
access-list External permit ip any any log (test)
access-group External in interface outside

now configure netflow on the router to point to 3.3.3.2 and you will be good to go.

CCIE Security

4 REPLIES
New Member

Re: allow netflow through pix 515e

1- NAT - I have static routes to the inside - I can ping the netflow box from the PIX.

2- No, the ISP router cannot ping the netflow server via its private IP - it can ping the outside int of the PIX though.

3- Yes - nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

4- We're using 9996 UDP.

5- I'll try and reply back.

thanks - jerry.

New Member

Re: allow netflow through pix 515e

In step five, is the "interface" keyword in the static NAT referring to the outside int on the PIX (3.3.3.2)?

thanks.

New Member

Re: allow netflow through pix 515e

That works - I pointed netflow on the internet router to one of our available public IPs, then I NATted the public IP to the internal IP, then I allowed access to the netflow server via an ACL incoming on the outside interface.

thanks!!!
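The two variants discussed in this thread (the accepted answer's port redirection on the outside interface address, and the poster's final one-to-one static to a spare public IP), written out as one PIX 6.x configuration. This is an added example, not config posted by anyone in the thread. It reuses the addresses given above (inside 172.16.1.0/24, collector 172.16.1.15, PIX outside 3.3.3.2, NetFlow on UDP 9996); the ISP router's address and the spare public address are not given in the thread and appear as placeholders. The main change from the accepted answer is that the inbound ACL is narrowed to the one source and one UDP port the collector needs, in place of the "permit ip any any log" test entry.

```cisco
! Added example: PIX 6.x config for letting NetFlow export from a router
! on the outside reach a collector on the inside.
! <ISP_ROUTER_IP>  = address the ISP router exports NetFlow from (placeholder)
! <SPARE_PUBLIC_IP> = spare public address in your block (placeholder)

! Dynamic PAT for everything inside, as the poster already has it
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Variant A (accepted answer): redirect only UDP 9996 arriving on the
! outside interface address (3.3.3.2) to the collector. Nothing else on
! 3.3.3.2 is exposed by this static.
static (inside,outside) udp interface 9996 172.16.1.15 9996 netmask 255.255.255.255

! Variant B (what the poster ended up doing): one-to-one static from a
! spare public address to the collector. This exposes every port on the
! collector to whatever the outside ACL permits, so keep the ACL tight.
! static (inside,outside) <SPARE_PUBLIC_IP> 172.16.1.15 netmask 255.255.255.255

! Inbound ACL on outside. Pre-8.3 PIX/ASA ACLs match the translated
! (public) address, so the destination here is 3.3.3.2 for Variant A.
! Only the ISP router, only UDP 9996, and log hits so the flow can be
! confirmed. Remove the "permit ip any any log" test entry from the
! accepted answer once you see hits here.
access-list External permit udp host <ISP_ROUTER_IP> host 3.3.3.2 eq 9996 log
! For Variant B, match the spare public address instead:
! access-list External permit udp host <ISP_ROUTER_IP> host <SPARE_PUBLIC_IP> eq 9996 log
access-group External in interface outside

! Checks from the PIX CLI:
!   show access-list External   -> hitcnt on the udp 9996 line should climb
!   show xlate                  -> the static for 172.16.1.15 should appear

! On the IOS router (not PIX config), point the exporter at the address
! the PIX is translating, i.e. 3.3.3.2 for Variant A or the spare public
! address for Variant B:
!   ip flow-export destination 3.3.3.2 9996
!   ip flow-export version 5
```

NetFlow export is plain UDP with no acknowledgement, so the collector getting nothing produces no error on the router; the ACL hit count and a packet capture on the collector's UDP 9996 are the only signals that the translation and ACL are both working. Because NetFlow v5 is unauthenticated, limiting the permitted source to the router's address is the only thing keeping arbitrary outside hosts from injecting records into the collector, which is why the "any any" test entry should not be left in place.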
