Cisco Support Community
New Member

Monitoring NAT using netflow 9

Hi all,

I have a question regarding netflow and NAT. I have read some documentation (on ASR1000) regarding monitoring the NAT process on Cisco ASR1000, which can be done using netflow version 9 (the term was called netflow event logging, a.k.a. NEL). The problem is, I have not found a netflow collector that can do that. I have queried several software vendors such as manage engine "Netflow Analyzer" and Lancope, but they said their software cannot do that. Does anyone have experience with this? Can anyone refer me to software that can be used to do this, please?

Regards,

Even

11 REPLIES
New Member

Re: Monitoring NAT using netflow 9

Hi All,

Does anybody know? I have tried to read several documents. It seems that the capability that causes the ASR1000 to be able to send the NAT translation process using netflow is called Netflow Event Logging. I'm just wondering whether this feature is specific to ASR or not. Do you guys have anything in mind? Please share.

Regards,

Even

New Member

Re: Monitoring NAT using netflow 9

Hello,

My guess is that Scrutinizer from plixer.com can display the NEL data from the ASR 1000 using Flow View:

(above taken with Scrutinizer v7.6). Most NetFlow Analyzers need to see octetDeltaCount or something similar in a flow, else they drop it. Scrutinizer works a bit differently.

Once you can view the data, do you want to alarm for something? Would it be possible to get a wireshark capture from you?

Jake

New Member

Re: Monitoring NAT using netflow 9

One of the best choices for analysing L3/4 performance using Netflow/Sflow/IPFix is Crannog Netflow Tracker, in my opinion :)

http://www.flukenetworks.com/fnet/en-us/products/NetFlow+Tracker/Specifications.htm

With Open Source, nfsen/nfdump should be Type-9 able, and if you wait, nTop will be in the future; v3.4 is Beta currently.

Steffen

Re: Monitoring NAT using netflow 9

Can anyone confirm if ASR 1006 Netflow Event Logging is the same as Cisco ASA's NSEL? Would it be safe to assume that a netflow collector that supports NSEL would also be able to support ASR 1006's NEL?

New Member

Re: Monitoring NAT using netflow 9

Hello David,

If you send the folks at plixer.com a packet capture of the netflow coming from your ASR 1006 we can confirm that the Netflow Event Logging is the same as Cisco ASA's NSEL. 

Jake

Monitoring NAT using netflow 9

I will test it myself with scrutinizer and nfdump with nsel extensions. I'll post my findings.

Bronze

Re: Monitoring NAT using netflow 9

Hi David,

Though I have not seen the difference personally, as far as I have read, the NetFlow event logging from ASR is specifically for NAT events. It lets users export NAT syslogs via NetFlow v9. The events are translation created or deleted in NAT entry and translation could not be created. Just one command is used: ip nat log translations flow-export v9 udp destination 1.1.1.1 9996

The NSEL from Cisco ASA can help in complete traffic analytics by giving information on each IP traffic conversation and is related to a flow creation and tear down and not only NAT. The ASA NSEL can also show pre and post NAT port and IP Address of a conversation if NAT applies to that conversation.

I think a flow analyzer tool should be designed to handle the NetFlow event logging from ASR as there are additional field id's involved in this type of NetFlow. I believe the Cisco NetFlow Collector6 supports the NetFlow event logging from ASR.

Regards,

Don Thomas Jacob

www.netflowanalyzer.com

NOTE: Please rate posts and close questions if you have got your answer.

Regards, Don Thomas Jacob http://www.solarwinds.com/netflow-traffic-analyzer.aspx Head Geek @ SolarWinds NOTE: Please rate and close questions if you found any of the answers helpful.

Re: Monitoring NAT using netflow 9

Through my tests with nfdump-NSEL I found it did not work simply because the ASR NEL is a different flow template with different type fields.

/* ASR NEL flow template */
templateId=259: id=259, fields=11
    field id=8 (ipv4 source address), offset=0, len=4
    field id=225 (natInsideGlobalAddress), offset=4, len=4
    field id=12 (ipv4 destination address), offset=8, len=4
    field id=226 (natOutsideGlobalAddress), offset=12, len=4
    field id=7 (transport source-port), offset=16, len=2
    field id=227 (postNAPTSourceTransportPort), offset=18, len=2
    field id=11 (transport destination-port), offset=20, len=2
    field id=228 (postNAPTDestinationTransportPort), offset=22, len=2
    field id=234 (ingressVRFID), offset=24, len=4
    field id=4 (ip protocol), offset=28, len=1
    field id=230 (natEvent), offset=29, len=1

Looking at the nfdump NSEL struct and array, it does not include some of the NEL fields.

/* nfdump netflow_v9.c NSEL struct */
static struct nsel_element_info_s {
        uint16_t        min;
        uint16_t        max;
} nsel_element_info[18] = {
        // nsel common
        { 1, 1 },       //  0 - FW_EVENT
        { 2, 2 },       //  1 - FW_EXT_EVENT
        { 8, 8 },       //  2 - EVENT_TIME_MSEC
        { 4, 4 },       //  3 - FLOW_BYTES
        { 4, 4 },       //  4 - NF_CONN_ID
        { 1, 1 },       //  5 - NF_ICMP_TYPE_V4
        { 1, 1 },       //  6 - NF_ICMP_CODE_V4
        { 1, 1 },       //  7 - NF_ICMP_TYPE_6
        { 1, 1 },       //  8 - NF_ICMP_CODE_6
        { 12, 12 },     //  9 - INGRESS_ACL_ID
        { 12, 12 },     //  10 - EGRESS_ACL_ID
        { 4, 4 },       //  11 - XLATE_SRC_ADDR_4
        { 4, 4 },       //  12 - XLATE_DEST_ADDR_4
        { 2, 2 },       //  13 - XLATE_SRC_PORT
        { 2, 2 },       //  14 - XLATE_DST_PORT
        { 20, 20 },     //  15 - USERNAME
        { 65, 65 },     //  16 - USERNAME_MAX
        { 0, 0 },       //  17 - empty
};

There is also a Cisco document aimed at collector developers to implement NSEL support; it does not mention some of the type fields in the NEL flow template.

http://www.cisco.com/en/US/docs/security/asa/asa81/netflow/netflow.html
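
A decoder for one data record laid out as in the template 259 dump above, added here as an example (it is not code from nfdump or from the poster). The struct and function names are hypothetical, the sample bytes are constructed, and the names for natEvent values 1 and 2 follow the IANA IPFIX registry.

```c
#include <stdint.h>
#include <stdio.h>

#define NEL_RECORD_LEN 30 /* sum of the 11 field lengths in template 259 */

struct nel_record { /* hypothetical name; one member per template field */
    uint32_t src_addr, nat_inside_global, dst_addr, nat_outside_global;
    uint16_t src_port, post_napt_src_port, dst_port, post_napt_dst_port;
    uint32_t ingress_vrf;
    uint8_t  protocol, nat_event;
};

/* NetFlow v9 fields are big-endian on the wire. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 on success, -1 if the buffer cannot hold one full record. */
int nel_decode(const uint8_t *buf, size_t len, struct nel_record *r) {
    if (buf == NULL || r == NULL || len < NEL_RECORD_LEN) return -1;
    r->src_addr           = be32(buf + 0);  /* id=8   */
    r->nat_inside_global  = be32(buf + 4);  /* id=225 */
    r->dst_addr           = be32(buf + 8);  /* id=12  */
    r->nat_outside_global = be32(buf + 12); /* id=226 */
    r->src_port           = be16(buf + 16); /* id=7   */
    r->post_napt_src_port = be16(buf + 18); /* id=227 */
    r->dst_port           = be16(buf + 20); /* id=11  */
    r->post_napt_dst_port = be16(buf + 22); /* id=228 */
    r->ingress_vrf        = be32(buf + 24); /* id=234 */
    r->protocol           = buf[28];        /* id=4   */
    r->nat_event          = buf[29];        /* id=230 */
    return 0;
}

const char *nel_event_name(uint8_t ev) {
    return ev == 1 ? "create" : ev == 2 ? "delete" : "other";
}

/* Constructed sample: 10.0.0.5:50000 -> 203.0.113.7:1024, TCP, create. */
static const uint8_t sample[NEL_RECORD_LEN] = {
    10,0,0,5, 203,0,113,7, 198,51,100,20, 198,51,100,20,
    0xC3,0x50, 0x04,0x00, 0x00,0x50, 0x00,0x50, 0,0,0,0, 6, 1 };

int main(void) {
    struct nel_record r;
    if (nel_decode(sample, sizeof sample, &r) != 0) return 1;
    printf("NAT %s: port %u -> %u, proto %u\n", nel_event_name(r.nat_event),
           r.src_port, r.post_napt_src_port, r.protocol);
    return 0;
}
```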

New Member

Re: Monitoring NAT using netflow 9

If you send the folks at plixer a packet capture and tell them what reports you want, they can build them for you.  We have a release coming up.

New Member

Monitoring NAT using netflow 9

Hi David, do you know if NFdump is able now to read NEL messages properly?

New Member

Monitoring NAT using netflow 9

Hello, 

We added several NAT reports in our latest release of Scrutinizer.  It was tested on the ASR and Palo Alto Networks.  Contact us with any questions.
