New Member

Netflow for IPSec Tunnel

Hey guys,

I have a question.

We have 2 different offices at 2 different locations; these locations are connected via a VPN tunnel (IPSec, site-to-site) configured on Cisco ASA firewalls on both sides. We do see the NetFlow between these two locations, but we do not get the exact server details on either end in NetFlow; the only detail we get is the outside IP of both firewalls.

Below is the scenario & what we want to achieve.



Location A, Server A --> Firewall at Location A --> IPSec tunnel --> Firewall at Location B --> Server B



What is happening now is that in NTA we get the source and destination as the outside interface on both firewalls; what we want is the IP addresses of Server A and Server B as source and destination.



Is the above achievable?

1 ACCEPTED SOLUTION
VIP Green

Re: Netflow for IPSec Tunnel

Yes, once you apply the service-policy to the inside interface, where the traffic you want to monitor is ingressing the ASA, you will see the correct source and destination IPs. Unless you have some other device further into your network that is performing NAT; in that case you will see the NATed address.

--

Please rate all helpful posts

-- Please remember to rate and select a correct answer
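The change the accepted answer describes, written out as an added ASA configuration example; this is not configuration from the thread or from either poster. Interface names (inside/outside), the collector address 10.1.1.50 on UDP 2055, the server LANs 10.1.0.0/16 (Location A) and 10.2.0.0/16 (Location B), and the flow_export_* object names are all assumptions; substitute your own.

```text
! Added example (not from the thread): ASA NetFlow Secure Event Logging (NSEL)
! export with the service-policy moved from the outside to the inside interface.
! Assumed: interfaces "inside"/"outside", collector 10.1.1.50:2055,
! Location A LAN 10.1.0.0/16, Location B LAN 10.2.0.0/16, object names flow_export_*.

! 1. Collector is reached via the inside interface (NetFlow v9 templates on UDP 2055).
flow-export destination inside 10.1.1.50 2055
flow-export template timeout-rate 1

! 2. Export only the server-to-server traffic that crosses the tunnel (both directions).
access-list flow_export_acl extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list flow_export_acl extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
class-map flow_export_class
 match access-list flow_export_acl

! 3. Send flow-create, flow-teardown and flow-denied events for that class.
policy-map flow_export_policy
 class flow_export_class
  flow-export event-type all destination 10.1.1.50

! 4. Where the poster had it: outside interface. Records then show the
!    ASA outside IP and the peer's public IP, i.e. the encrypted tunnel traffic.
no service-policy flow_export_policy interface outside

! 5. Where the answer puts it: inside interface, where Server A's traffic
!    enters the ASA before encryption. Records then carry Server A / Server B.
service-policy flow_export_policy interface inside

! Verify on the ASA: packet and template counters towards the collector
! should increment once a flow between the two LANs is created.
! show flow-export counters
! show service-policy interface inside
```

Two caveats worth checking before concluding that NetFlow is "broken": the ASA allows one interface-level service-policy per interface, so if `inside` already has one, add `flow_export_class` to that existing policy-map instead of attaching a second policy. And a policy on this ASA's inside interface only exports connections whose first packet arrives on that interface, i.e. connections Server A initiates; connections Server B initiates enter here through the tunnel on `outside`, so apply the same inside-interface policy on the Location B ASA to capture those with their real addresses as well. If any device between the server and the ASA performs NAT, the exported addresses will be the post-NAT ones, exactly as the answer notes.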
3 REPLIES
VIP Green

Netflow for IPSec Tunnel

To which interface did you apply the service-policy? From the sound of it you applied it to the outside interface; this will show the source and destination as the public / ASA interface IPs. Apply the service-policy to the inside interface on the ASA and you should see the correct source and destination IPs.

--

Please rate all helpful posts.

-- Please remember to rate and select a correct answer
New Member

Netflow for IPSec Tunnel

Hi Marius,

Yes, we have applied the service-policy on the outside interface. If we change the service-policy to the inside interface, will we be able to view the exact source and destination IPs of the servers behind the firewall?
