01-06-2007 05:34 PM - edited 03-03-2019 03:16 PM
I just installed NetFlow to monitor our Internet traffic rate. I have enabled SNMP on our Cisco PIX 515. NetFlow displays "No devices have sent NetFlow exports to the software yet". I am not sure whether the problem is the PIX configuration or the NetFlow settings. How do I test the SNMP settings in the PIX?
access-list outside_in permit icmp any any unreachable
access-list outside_in permit tcp any host 192.168.11.253 eq 3389
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit tcp any host 192.168.10.10 eq 3389
access-list 192_splitTunnelAcl permit ip LAN 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip LAN 255.255.255.0 VPN 255.255.255.240
access-list inside_outbound_nat0_acl permit ip LAN 255.255.255.0 any
access-list outside_cryptomap_dyn_20 permit ip any VPN 255.255.255.240
access-list outside_cryptomap_20 permit ip LAN 255.255.255.0 any
pager lines 24
logging on
logging trap errors
logging history informational
logging device-id hostname
mtu outside 1500
mtu inside 1500
ip address outside 192.168.10.254 255.255.255.0
ip address inside 192.168.11.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN 192.168.21.1-192.168.21.9
pdm location 192.168.11.253 255.255.255.255 inside
pdm location VPN 255.255.255.0 inside
pdm location LAN 255.255.255.0 outside
pdm location VPN 255.255.255.0 outside
pdm location LAN 255.255.255.255 inside
pdm location RDC 255.255.255.255 inside
pdm location 192.168.11.2 255.255.255.255 inside
pdm location 192.168.10.104 255.255.255.255 outside
pdm location 192.168.11.254 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 2 192.168.10.250-192.168.10.253
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.11.253 192.168.11.253 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.10.10 RDC netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http LAN 255.255.255.255 inside
http LAN 255.255.255.0 inside
snmp-server host outside 192.168.11.254
snmp-server host inside 192.168.11.254
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
tftp-server outside 192.168.10.115 c:\
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 206.81.53.106
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 206.x.x.106 netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup 192 address-pool VPN
vpngroup 192 dns-server 4.2.2.1
vpngroup 192 split-tunnel 192_splitTunnelAcl
vpngroup 192 idle-time 1800
vpngroup 192 password ********
01-06-2007 06:33 PM
NetFlow needs to be configured on a router, not on a PIX. You can SNMP poll the PIX for traffic with something like MRTG, SolarWinds, etc.
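What an SNMP poller such as MRTG does with the PIX, as an added example that is not part of this thread or of any of those tools: build an SNMPv1 GetRequest for IF-MIB::ifInOctets (polls go to UDP/161; the traps the PIX sends go to UDP/162), pull the Counter32 out of the reply, and turn two samples into a rate, allowing for the 32-bit counter wrapping between polls. The host, community string and ifIndex passed to `poll_if_in_octets` are placeholders; `constructed_response` is a reply built here so the parsing can be checked offline.

```python
"""Added example: SNMPv1 ifInOctets poll and MRTG-style rate arithmetic (not from the thread)."""
import socket

SNMP_PORT = 161                                  # polls: UDP/161; traps from the device: UDP/162
IF_IN_OCTETS = (1, 3, 6, 1, 2, 1, 2, 2, 1, 10)  # IF-MIB::ifInOctets, a Counter32 (wraps at 2^32)

def ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value):
    """INTEGER, two's-complement, minimal number of octets."""
    n = 1
    while not -(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1)):
        n += 1
    return tlv(0x02, value.to_bytes(n, "big", signed=True))

def ber_oid(arcs):
    """OBJECT IDENTIFIER: first two arcs packed, the rest base-128 with continuation bits."""
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def snmpv1_get(community, oid, request_id=1):
    """SNMPv1 message (version 0) carrying a GetRequest PDU for one OID."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))        # OID + NULL placeholder value
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)

def ber_read(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def find_counter32(buf):
    """Depth-first search of a reply for the first Counter32 (tag 0x41) value."""
    pos = 0
    while pos < len(buf):
        tag, body, pos = ber_read(buf, pos)
        if tag == 0x41:
            return int.from_bytes(body, "big")
        if tag in (0x30, 0xA2):                  # SEQUENCE or GetResponse PDU: descend
            found = find_counter32(body)
            if found is not None:
                return found
    return None

def octet_rate(prev_value, prev_time, cur_value, cur_time, bits=32):
    """Bytes per second between two counter samples, allowing for one wrap."""
    delta = cur_value - prev_value
    if delta < 0:                                # counter passed 2^32 since the last poll
        delta += 1 << bits
    return delta / (cur_time - prev_time)

def constructed_response():
    """A GetResponse as an agent would return it, built here for offline testing (value 123456)."""
    vb = tlv(0x30, ber_oid(IF_IN_OCTETS + (1,)) + tlv(0x41, (123456).to_bytes(4, "big")))
    pdu = tlv(0xA2, ber_int(1) + ber_int(0) + ber_int(0) + tlv(0x30, vb))
    return tlv(0x30, ber_int(0) + tlv(0x04, b"public") + pdu)

def poll_if_in_octets(host, community, ifindex, timeout=2.0):
    """One GetRequest to host:161; returns the Counter32 value, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(snmpv1_get(community, IF_IN_OCTETS + (ifindex,)), (host, SNMP_PORT))
        try:
            data, _ = s.recvfrom(1500)
        except socket.timeout:
            return None
    return find_counter32(data)

if __name__ == "__main__":
    # Placeholder target; the wire bytes and the parse can be inspected without any device.
    print(snmpv1_get("public", IF_IN_OCTETS + (1,)).hex())
    print(find_counter32(constructed_response()))
    print(octet_rate(4294967000, 0, 200, 300) * 8, "bit/s across a counter wrap")
```

Two samples five minutes apart are what MRTG graphs; on a 100 Mbit/s interface a Counter32 can wrap in under six minutes of sustained traffic, which is why the wrap correction in `octet_rate` matters at that interval. A reply of `None` from `poll_if_in_octets` is the first thing to check when a poller shows nothing: the community string and the `snmp-server host` entry on the PIX have to match the poller's address and interface.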
01-08-2007 02:44 PM
Thanks. Will try them and post back.
01-09-2007 02:11 PM
I downloaded MRTG. Which port does PIX SNMP use?
01-10-2007 01:12 AM
Try downloading ManageEngine OpManager; its free version lets you monitor up to 20 devices.
OR
You can also download PRTG and monitor the traffic.
I hope this might help.