Netflow for IPSec Tunnel

pratik_193
Level 1
Level 1

hey guys..

I have a question.

We have two different offices at two different locations, and these locations are connected via a site-to-site IPSec VPN tunnel configured on Cisco ASA firewalls on both sides. We do see the NetFlow between these two locations, but we do not get the exact server details on either end in NetFlow; the only detail we get is the outside IP of both firewalls.

Below is the scenario and what we want to achieve.

Location A, Server A --> Firewall at location A --> IPSec tunnel --> Firewall at location B --> Server B

What is happening now is that in NTA we get the source and destination as the outside interface on both firewalls; what we want is the IP addresses of Server A and Server B as source and destination.



Is the above achievable?


3 Replies

To which interface did you apply the service-policy? From the sounds of it, you applied it to the outside interface; this will show the source and destination as the public ASA interface IPs. Apply the service-policy to the inside interface on the ASA and you should see the correct source and destination IPs.

--

Please rate all helpful posts.

--
Please remember to select a correct answer and rate helpful posts

hi maruis,

Yes, we have applied the service-policy on the outside interface. If we change the service-policy to the inside interface, will we be able to view the exact source and destination IPs of the servers behind the firewall?

Yes, once you apply the service-policy to the inside interface where the traffic you want to monitor is ingressing the ASA, you will see the correct source and destination IPs. Unless you have some other device further into your network that is performing NAT, in which case you will see the NATed address.

--

Please rate all helpful posts

--
Please remember to select a correct answer and rate helpful posts
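As an added example that is not from the original thread, the ASA NetFlow (NSEL) configuration the accepted answer describes: the flow-export policy is attached to the inside interface, where Server A's traffic enters the ASA, instead of the outside interface. The collector address 192.0.2.10, port 2055, and the object names are assumptions; only the service-policy interface differs between the "before" and "after".

```cisco
! Collector reached through the inside interface (address and port are assumed)
flow-export destination inside 192.0.2.10 2055
! Resend templates every minute so the collector can decode records after a restart
flow-export template timeout-rate 1
! Hold flow-create events briefly so short flows produce a single record
flow-export delay flow-create 15
!
! Match the traffic to export; "ip any any" covers the site-to-site flows
access-list NSEL_EXPORT extended permit ip any any
class-map NSEL_CLASS
 match access-list NSEL_EXPORT
!
policy-map NSEL_POLICY
 class NSEL_CLASS
  flow-export event-type all destination 192.0.2.10
!
! Before (the original poster's placement): flows are recorded on the outside
! interface, so NTA shows only the two firewalls' outside IPs.
!   service-policy NSEL_POLICY interface outside
!
! After: flows are recorded where the server traffic ingresses, so records
! carry Server A and Server B as source and destination.
service-policy NSEL_POLICY interface inside
!
! Optional: stop the syslog messages that duplicate NSEL events
logging flow-export-syslogs disable
```

Confirm export with `show flow-export counters`; the packet counters should increase once traffic enters the inside interface.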