cerminad

Configuring Cisco Netflow

I got a call today.  A machine on my network is performing a port scan on my ISP's customer's server.  They provided me with a NAT'd address for our machine, source port 500, destination port 500, and the customer's destination address.  How can I set up NetFlow on my Cisco 3550 to show my culprit internal address?  I'm guessing I just want to aggregate info for source port 500, dest port 500, and dest IP?

I'm looking for specifics.  I'm a Cisco newbie, and the online docs are a little over my head for NetFlow.
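As an added example (not part of the original thread or the hidden accepted solution): a small Python NetFlow v5 decoder that filters exported flows for exactly the tuple the ISP reported (destination IP, source port 500, destination port 500, UDP) and returns the internal source addresses. It assumes the router exports flows from the inside interface, so the source addresses are the pre-NAT ones; the sample export and its RFC 5737 addresses are constructed.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire format: a 24-byte header followed by up to 30 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_v5(datagram: bytes) -> list:
    """Decode one exported NetFlow v5 datagram into per-flow dicts."""
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 export (version {version})")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(IPv4Address(r[0])), "dst": str(IPv4Address(r[1])),
            "packets": r[5], "bytes": r[6],
            "sport": r[9], "dport": r[10], "proto": r[13],
        })
    return flows

def find_suspects(flows, dst_ip, sport=500, dport=500, proto=17):
    """Internal sources whose flows match the tuple the ISP reported."""
    hits = {f["src"] for f in flows
            if f["dst"] == dst_ip and f["sport"] == sport
            and f["dport"] == dport and f["proto"] == proto}
    return sorted(hits)

def make_record(src, dst, sport, dport, proto=17, packets=1, octets=64):
    """Constructed v5 record for the sample datagram (unused fields are zero)."""
    return V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed,
                          b"\x00" * 4, 1, 2, packets, octets, 0, 0,
                          sport, dport, 0, 0, proto, 0, 0, 0, 24, 24, 0)

# Constructed sample export: two inside hosts hit the reported server on UDP 500,
# plus an unrelated HTTPS flow as noise.  All addresses are RFC 5737 / RFC 1918 examples.
REPORTED_SERVER = "203.0.113.7"
SAMPLE_RECORDS = [
    make_record("192.168.1.25", REPORTED_SERVER, 500, 500),
    make_record("192.168.1.30", "198.51.100.9", 51234, 443, proto=6, octets=1500),
    make_record("192.168.1.25", REPORTED_SERVER, 500, 500),
    make_record("192.168.1.77", REPORTED_SERVER, 500, 500),
]
SAMPLE_DATAGRAM = (V5_HEADER.pack(5, len(SAMPLE_RECORDS), 0, 0, 0, 0, 0, 0, 0)
                   + b"".join(SAMPLE_RECORDS))

if __name__ == "__main__":
    print(find_suspects(parse_v5(SAMPLE_DATAGRAM), REPORTED_SERVER))  # ['192.168.1.25', '192.168.1.77']
```

Pointing a UDP listener at the collector port and feeding each received datagram to `parse_v5` turns this into a minimal live collector for the same filter.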
Ken Conradie

It looks like a machine in your network is trying to establish an IKE Security Association (SA), which is the first phase in bringing up an IPSec tunnel. That's pretty strange considering it's directed at a machine it shouldn't be. Maybe there is some vulnerability that a worm has been created to exploit in this protocol. Either way, you should start blocking the traffic from flowing out of your network ASAP while you try to determine the cause. This way you minimize the spread of the worm if it is one.

Then you have a few options: you could kill two birds with one stone and throw it in an ACL that blocks this traffic and logs it, and then watch the logs. You could even run a sniffer on your LAN if your switch has a monitor port. You seem to want to get info on NetFlow in particular. I have not used it, but I am sure someone who has will speak up soon too...

Good luck!
ASKER CERTIFIED SOLUTION
RobArdill