09-18-2013 02:53 AM - edited 03-04-2019 09:04 PM
Hi,
I have 2 Cisco routers connected over VPN, Site A (the office) and Site B (remote site).
The sites are able to connect to each other, but the router on the remote site cannot ping anything in the office, even though the computers in Site B can connect to computers in Site A.
I want to set up a NetFlow analyser of the link in Site B, but the NetFlow server is in Site A, and if the router cannot access this server I can't do this.
Attaching the config of Site B (Site A is an ASA 5510 with standard VPN setups). Also, I did not set up the router on Site B (so it's a bit convoluted).
Current configuration : 7652 bytes
!
! Last configuration change at 12:02:01 KSA Wed Sep 18 2013 by admin
! NVRAM config last updated at 18:53:07 KSA Fri Sep 13 2013 by admin
! NVRAM config last updated at 18:53:07 KSA Fri Sep 13 2013 by admin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SA-RDH-RTR1-IP1
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
clock timezone KSA 3 0
!
ip cef
!
ip dhcp excluded-address 10.200.11.1 10.200.11.20
ip dhcp excluded-address 10.200.12.1 10.200.12.20
ip dhcp excluded-address 10.200.13.1 10.200.13.20
!
ip dhcp pool USERS
network 10.200.11.0 255.255.255.0
default-router 10.200.11.1
dns-server 192.168.2.24 192.168.2.34 77.240.80.33 77.240.80.34
!
ip dhcp pool Wireless-Employee
network 10.200.12.0 255.255.255.0
default-router 10.200.12.1
dns-server 192.168.2.24 192.168.2.34 77.240.80.33 77.240.80.34
!
ip dhcp pool Wireless-Guest
network 10.200.13.0 255.255.255.0
default-router 10.200.13.1
dns-server 192.168.2.24 192.168.2.34 77.240.80.33 77.240.80.34
!
!
!
ip flow-cache timeout active 1
ip domain name yourdomain.com
ip name-server 7x.x.x.x
ip name-server 7x.x.x.x
ip name-server 4.2.2.2
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-270125153
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-270125153
revocation-check none
rsakeypair TP-self-signed-270125153
!
!
crypto pki certificate chain TP-self-signed-270125153
certificate self-signed 01
quit
license udi pid CISCO1921/K9 sn FCZ1704C1NC
!
!
username admin privilege 15 password 7 072571426B5C58
username bmbadmin privilege 15 password 7 073F015F5D1E491713
!
redundancy
!
!
!
!
!
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 30
encr 3des
authentication pre-share
crypto isakmp key S@ address 8x.x.x.x
!
!
crypto ipsec transform-set VPN esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto map BMB 1 ipsec-isakmp
description Tunnel to8
set peer 8x.x.x.x
set security-association lifetime seconds 28800
set transform-set VPN
match address 102
reverse-route
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description **INSIDE**
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.1
description **Interface For Mgmt Vlan**
encapsulation dot1Q 1 native
ip address 10.200.9.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.2
description **Interface For Servers Vlan**
encapsulation dot1Q 2
ip address 10.200.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.3
description **Interface For Users Vlan**
encapsulation dot1Q 3
ip address 10.200.11.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.4
description **Interface For Wireless-Employee Vlan**
encapsulation dot1Q 4
ip address 10.200.12.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.5
description **Interface For Wireless-Guest Vlan**
encapsulation dot1Q 5
ip address 10.200.13.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.6
description **Interface For Access Control Vlan**
encapsulation dot1Q 6
ip address 10.200.14.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1
description **OUTSIDE**
ip address 7x.x.x. 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map BMB
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-export source GigabitEthernet0/1
ip flow-export version 5
ip flow-export destination 192.168.4.13 9996
!
ip nat inside source list 101 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 77.240.82.177
!
access-list 1 permit any
access-list 101 deny ip 10.200.9.0 0.0.0.255 10.2.10.0 0.0.0.255
access-list 101 deny ip 10.200.10.0 0.0.0.255 10.2.10.0 0.0.0.255
access-list 101 deny ip 10.200.11.0 0.0.0.255 10.2.10.0 0.0.0.255
access-list 101 deny ip 10.200.12.0 0.0.0.255 10.2.10.0 0.0.0.255
access-list 101 deny ip 10.200.9.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 deny ip 10.200.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 deny ip 10.200.11.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 deny ip 10.200.12.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 deny ip 10.200.13.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 deny ip 10.200.14.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip any any
access-list 102 permit ip 10.200.9.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 10.200.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 10.200.11.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 10.200.12.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 10.200.9.0 0.0.0.255 10.2.10.0 0.0.0.255
access-list 102 permit ip 10.200.10.0 0.0.0.255 10.2.10.0 0.0.0.255
access-list 102 permit ip 10.200.11.0 0.0.0.255 10.2.10.0 0.0.0.255
access-list 102 permit ip 10.200.12.0 0.0.0.255 10.2.10.0 0.0.0.255
!
!
!
control-plane
!
!
banner login ^C
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp source GigabitEthernet0/0.1
ntp master 7
!
end
09-18-2013 04:03 AM
Hi,
Does it work if you change the netflow source to g0/0.1?
HTH,
Lei Tian
Sent from Cisco Technical Support iPhone App
09-18-2013 07:05 AM
Tried that, but the interface/router is still not showing up in NetFlow.
09-18-2013 07:15 AM
Hi,
I don't see ip flow enabled on any interface of the router with the ip flow ingress or ip flow egress commands.
Regards
Alain
Don't forget to rate helpful posts.
09-18-2013 07:23 AM
Hi,
Looking at other routers, they do indeed have ip flow egress and ip flow ingress enabled on interfaces.
Should I do both on any interfaces I want monitored?
09-18-2013 07:37 AM
Hi,
ip flow ingress: monitors inbound traffic
ip flow egress: monitors outbound traffic
It all depends on what you want to monitor
Regards
Alain
Don't forget to rate helpful posts.
09-18-2013 08:09 AM
Tried adding those lines in, but the interfaces/device are still not showing on NetFlow.
Just to reiterate, when logged onto the router I cannot ping the NetFlow server (but the server can ping the router).
09-18-2013 09:35 AM
Can you source a ping from gig0/0.1 and gig0/1 and let us know the results?
09-19-2013 01:31 AM
Hi,
I can successfully ping from
interface GigabitEthernet0/0.1 and
interface GigabitEthernet0/0.2
but not from
interface GigabitEthernet0/1.
09-19-2013 07:21 AM
Hi,
That's normal behavior, as the traffic from this interface is not encrypted, so it doesn't go inside your VPN, and the destination is a private network which is not routable on the internet.
If you can ping from an inside subinterface, then you should be able to send your NetFlow records sourced from one of those.
no ip flow-export source GigabitEthernet0/1
ip flow-export source GigabitEthernet0/0.1
Regards
Alain
Don't forget to rate helpful posts.
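To make the point above concrete, here is an added example (not from the thread or from Cisco) that evaluates the crypto ACL 102 from the posted config with IOS wildcard-mask semantics, to show which source interfaces produce "interesting" traffic toward the collector 192.168.4.13. It goes one step beyond the reply: GigabitEthernet0/0.5 and 0/0.6 (10.200.13.0/24 and 10.200.14.0/24) are absent from ACL 102, so they cannot source tunnelled traffic either. The outside address is masked in the post, so 203.0.113.2 is a constructed placeholder.

```python
import ipaddress

# Crypto ACL 102 transcribed from the site B config above as
# (src, src-wildcard, dst, dst-wildcard). Only permit entries exist, so
# any flow not listed is sent in the clear rather than into the tunnel.
CRYPTO_ACL_102 = [
    ("10.200.9.0",  "0.0.0.255", "192.168.0.0", "0.0.255.255"),
    ("10.200.10.0", "0.0.0.255", "192.168.0.0", "0.0.255.255"),
    ("10.200.11.0", "0.0.0.255", "192.168.0.0", "0.0.255.255"),
    ("10.200.12.0", "0.0.0.255", "192.168.0.0", "0.0.255.255"),
    ("10.200.9.0",  "0.0.0.255", "10.2.10.0",   "0.0.0.255"),
    ("10.200.10.0", "0.0.0.255", "10.2.10.0",   "0.0.0.255"),
    ("10.200.11.0", "0.0.0.255", "10.2.10.0",   "0.0.0.255"),
    ("10.200.12.0", "0.0.0.255", "10.2.10.0",   "0.0.0.255"),
]

NETFLOW_COLLECTOR = "192.168.4.13"  # "ip flow-export destination" above

# Interface addresses from the config. The outside address is masked in the
# post, so 203.0.113.2 is a constructed placeholder for GigabitEthernet0/1.
INTERFACE_ADDRESSES = {
    "GigabitEthernet0/0.1": "10.200.9.1",
    "GigabitEthernet0/0.2": "10.200.10.1",
    "GigabitEthernet0/0.3": "10.200.11.1",
    "GigabitEthernet0/0.4": "10.200.12.1",
    "GigabitEthernet0/0.5": "10.200.13.1",
    "GigabitEthernet0/0.6": "10.200.14.1",
    "GigabitEthernet0/1":   "203.0.113.2",
}

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: 0 bits must match, 1 bits are ignored."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    return (a & care) == (n & care)

def is_interesting(src: str, dst: str) -> bool:
    """True if crypto map BMB would encrypt src->dst (any permit ACE matches)."""
    return any(
        wildcard_match(src, s_net, s_wild) and wildcard_match(dst, d_net, d_wild)
        for s_net, s_wild, d_net, d_wild in CRYPTO_ACL_102
    )

def tunnel_capable_sources(collector: str = NETFLOW_COLLECTOR) -> dict:
    """Which interfaces can source NetFlow export that rides the tunnel."""
    return {name: is_interesting(ip, collector)
            for name, ip in INTERFACE_ADDRESSES.items()}
```

Calling tunnel_capable_sources() reports True only for GigabitEthernet0/0.1 through 0/0.4, matching the "ip flow-export source GigabitEthernet0/0.1" suggestion.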
09-20-2013 02:07 AM
Hi
I made that change; no sign of the router showing up in NetFlow yet.
I will check again later.
09-23-2013 02:38 AM
Still no sign of the router in NetFlow.
09-23-2013 05:11 AM
The original problem was a VPN issue and as Alain explains traffic sourced from the router outside interface is not encrypted and not carried through the tunnel. Sourcing the NetFlow from interface Gig0/0.1, .2, .3, or .4 should carry the traffic through the tunnel. If you are sourcing the NetFlow from one of these interfaces then the problem is no longer a VPN issue but is more likely a NetFlow issue.
Can you verify that the router at site B is correctly configured for NetFlow (especially has NetFlow configured on some interfaces, and specifies correct NetFlow format records, and correctly identifies the NetFlow collector at site A and the correct port number). Also some NetFlow collectors need to be configured with information about the remote router sending NetFlow traffic. Can you check and see if the collector at site A needs this, and if so if it has been done?
HTH
Rick
09-24-2013 02:10 AM
NetFlow is working for other routers, so I don't think that the collector is the problem.