I have an external router set up for Netflow with a destination IP address of an internal host which has the Netflow Analyzer software on it. I have mirrored the configuration on the inside router, which is talking just fine with the Netflow server. I am doing PAT on the outside interface of the firewall with IP address x.x.x.131, the outside interface has an IP address of x.x.x.130, and the interface on the router connected to the outside interface of the firewall has an IP address of x.x.x.129. I have logging set to level 7 and am not seeing the UDP port 9996 (Netflow information) coming into the firewall. But when I do a
SECRTREXT01# show ip flow export
Flow export v5 is enabled for main cache
Exporting flows to internalsubnet.10.250 (9996)
Exporting using source interface FastEthernet0/1
Version 5 flow records
9780 flows exported in 360 udp datagrams
0 flows failed due to lack of export packet
359 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
The interface connecting to the PIX as you see above is F0/1. I had put an access-list on this interface outbound allowing anything and logging but nothing showed for port 9996? insidehost10.250 is being patted to a x.x.x.131. Could this be a routing problem? I have a default route (gateway of last resort) pointing to the upstream LEC router, which is matched only after the destination does not match anything in the x.x.x.128-160 range (/27).
Your Netflow output is saying it is exporting flows to "internalsubnet.10.250". But you need to tell your Netflow to export flows to your x.x.x.131 address, as this is the address the Netflow router knows how to get to.
One other point. When you say you have PATted the internal server, do you mean you have an entry on your firewall as such
Ok, thanks a lot... So if I point the Netflow to .131 then it will now go in the right direction and hit my firewall, but from there how will it get to the Netflow server without me having to translate 10.250? I am thinking I should set up a static translation to a different globally routable IP, x.x.x.136, for the Netflow server and point the flows to that IP address. Right now everything going out to the internet is translated as .131+port, so using a different .128/27 IP I am sure will do the trick. What do you think?
I think what you suggest is the best way to achieve what you are trying to do. Use a separate public IP address for the Netflow server and then set up a static translation + the acl rules to allow the netflow traffic through from the router.
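The static-translation approach described above, written out as an added illustration rather than configuration taken from the thread: x.x.x.129 and x.x.x.136 are the thread's own placeholders, the NetFlow server's full inside address is not given in the thread and is shown as a placeholder, and the interface and ACL names are assumptions.

```cisco
! Added example, not the original poster's configuration.
! <internal-subnet>.10.250 is a placeholder for the NetFlow server's inside address.

! --- External router (IOS): export to the public static address, not the inside one.
ip flow-export version 5
ip flow-export source FastEthernet0/1
ip flow-export destination x.x.x.136 9996

! --- PIX 515E (6.x syntax): one-to-one static for the NetFlow server only.
!     All other inside hosts keep using the existing PAT to x.x.x.131.
static (inside,outside) x.x.x.136 <internal-subnet>.10.250 netmask 255.255.255.255
!
! Inbound ACL on the outside interface: permit only the router's exporter address,
! only UDP/9996, only to the static, and log everything else that is denied.
access-list outside_in permit udp host x.x.x.129 host x.x.x.136 eq 9996
access-list outside_in deny ip any any log
access-group outside_in in interface outside
!
! If the server already holds a PAT translation to .131, clear it so the static
! takes effect (note: a bare "clear xlate" drops every existing translation).
clear xlate
!
! Verification on the PIX: the static should appear in the translation table and
! the permit line's hit counter should increase as the router exports flows.
! show xlate
! show access-list outside_in
```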
Thanks a lot. I know this will work definitely. I just have to wait for the approval. I know this is changing directions, but do you have any suggestions on how I would engineer an architecture where I will have 2 failover pairs? They will be PIX 515E's. The top firewalls will be hosting our DMZs and the outside internet of course, and the bottom pair will be servicing our trusted and restricted segments. The segment design is good, but aside from the failover cables I am thinking that the outside interfaces of the bottom firewalls will link directly to the inside interfaces of the top firewalls. However, I am thinking that if the bottom or top fails over, how will it have to be designed so that the failover PIX will communicate with the other primary firewall? I have it designed such that I have an interface on the bottom primary to the top secondary and vice versa. Each interface is in a different network of course, but how will I do the routing, since I can only point a default route to 1 IP address? I plan on using stateful failover cables for both UR and FO firewall pairs, but any suggestions on how to set up the routing so that the top or bottom of the "sandwich" can still talk to the other half once a failover on the top or bottom occurs? Thanks in advance.