How can I use Cisco 2620 Router and Netflow to monitor WAN traffic with a PIX firewall?

I have a Cisco 2620 that I have finally managed to get NetFlow working with ManageEngine NetFlow Analyzer. Recently our WAN connection has been a bit erratic and I want to monitor the traffic to see if I have any rogue machines on my network. Currently we have a proprietary box installed by our ISP (Time Warner) which combines two full T1s and a fractional. It has a standard LAN which goes into a PIX firewall and from there into my Layer 2 Cisco switches (2950s and 3560s).

I am trying to figure out how to utilize the Cisco 2620 to analyze the traffic entering and leaving the building via the WAN. Currently the 2620 has a T1 CSU/DSU interface card and the standard built-in 10/100 port. I am at a loss to discover a way to put this in line to monitor the traffic.

I really like the detail that NetFlow gives me on the port traffic with source and destination IP addresses and would like to figure out a way to utilize it in my setup. I don't know the best way to do this, if I have to buy an expansion card or if there is something better out there to do what I am trying to do.

I am open to suggestions. Thanks in advance.
1 Solution
 
JFrederick29 commented:
You can use the 2620 in a one-armed fashion using trunking (you will need to be running the IP PLUS image at a minimum on the router).  You can trunk the 2620 to one of your LAN switches and use two virtual interfaces.  One interface will become the LAN default gateway (instead of the PIX) and the other will connect to the PIX inside.  Routing would have to be set up, but you could then collect NetFlow from the interface connected to the PIX inside.

Alternatively, you could look at using Fireplotter to collect the connections on the firewall and provide a view of what is traversing the firewall.  This is obviously less complex.

http://www.fireplotter.com/

0
 
ditobot (Author) commented:
I will probably be hitting you up early next week for some config help to do this. I have to order a memory upgrade for the IP PLUS IOS. I only have 32MB with 16MB flash currently and I need 64MB/32MB for that IOS.

I am going to check out Fireplotter. It looks interesting but it might actually be cheaper to upgrade my router's memory and use Netflow. It just depends which interface is more robust in reporting.

Thanks for your help.
0
 
lrmoore commented:
Another alternative would be to use ManageEngine's Firewall Analyzer and simply send the PIX's syslog to the Firewall Analyzer server with informational-level logging enabled.
0
 
JFrederick29 commented:
Good alternative (especially to Fireplotter).

Nice to cross paths again lrmoore, how's things?  Doing well I hope.
0
 
lrmoore commented:
@ JFrederick29
I am doing well, thanks. Staying busy for sure!
0
 
ditobot (Author) commented:
I finally got my router memory upgraded after going through two vendors, the first gave me flash and system memory for a 2600XM. Nice try but wrong voltage and standard of RAM.

Fireplotter was nice, especially since setup was a breeze, but the downfall is the reporting. It works well as a real-time analyzer but it is more difficult to sort protocols and IP addresses.

ManageEngine's Firewall Analyzer is nice as well but it doesn't seem to be real time. Maybe I am mistaken, but I think the Cisco firewall writes to a log file and the program reads that at intervals.

Before I move forward using the Cisco 2600 as a hop for all traffic between my business network and the PIX, is there any reason that this configuration could cause problems? As far as I can surmise, one extra hop isn't even going to be noticeable considering the various switches in wire closets in our building, let alone the number of hops it is going to encounter over the Internet.

Below is my configuration on my Cisco 2600 router, configured and working with ManageEngine's NetFlow Analyzer and running IOS 12.3.26 IP Plus. Just below that I am including the line on my Cisco 3550, which is technically handling all of the routing inside of the office, that tells all non-intranet traffic to go to my PIX.

Current configuration : 981 bytes
!
version 12.3
service config
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Cisco2620_NetFlow
!
boot-start-marker
boot-end-marker
!
enable password 7 xxxxxxxxxxxxxxxx
!
clock timezone Arizona -7
no aaa new-model
ip subnet-zero
ip flow-cache timeout active 1
ip cef
!
!
no ip domain lookup
!
!
!
!
!
!
interface FastEthernet0/0
 description connected to EthernetLAN
 ip address 10.1.19.251 255.255.255.0
 ip route-cache flow
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
router rip
 version 2
 network 10.0.0.0
 no auto-summary
!
no ip http server
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 10.1.19.20 9996
ip classless
!
!
snmp-server community public RO
snmp-server ifindex persist
snmp-server contact Randy Stowe
!
line con 0
 exec-timeout 0 0
 password 7 0234060D4A160739
 login
line aux 0
line vty 0 4
 password 7 1520095A453A233C
 login
!
!
end

Cisco2620_NetFlow#

-----------------------------------------------------------------------------------------------------------
phorad-3550-mdf1#

ip classless
ip route 0.0.0.0 0.0.0.0 10.1.19.76
ip route 10.1.1.0 255.255.255.0 10.1.19.251
ip http server

0
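The 2620 above is exporting NetFlow v5 to 10.1.19.20 on UDP 9996. The following is an added example, not code from the thread or from ManageEngine: it decodes a v5 export datagram, checks the header against the payload length, and totals bytes per source IP, which is the view needed to spot a rogue host. The sample datagram and its addresses are constructed here for illustration.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v5 wire format: 24-byte header followed by count * 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_netflow_v5(datagram):
    """Parse one NetFlow v5 export datagram into a list of flow dicts."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than the v5 header")
    version, count, *_ = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("expected NetFlow v5, got version %d" % version)
    # Trust the count only if the payload really carries that many records.
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("header claims %d records but datagram is truncated" % count)
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "packets": f[5], "bytes": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return flows


def top_talkers(flows, limit=5):
    """Bytes per source IP, highest first."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:limit]


def _record(src, dst, nbytes, sport, dport, proto):
    # Field order: src, dst, nexthop, ifin, ifout, pkts, bytes, first, last,
    # sport, dport, pad, tcp_flags, proto, tos, src_as, dst_as, masks, pad.
    return RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0" * 4,
                       1, 2, 10, nbytes, 1000, 2000, sport, dport, 0, 0x18, proto, 0,
                       0, 0, 24, 0, 0)


# Constructed sample export: three flows from two inside hosts (made-up addresses).
SAMPLE = HEADER.pack(5, 3, 123456, 1700000000, 0, 1, 0, 0, 0) + b"".join([
    _record("10.1.19.50", "192.0.2.8", 1500, 51000, 53, 17),
    _record("10.1.19.77", "203.0.113.9", 900000, 52000, 443, 6),
    _record("10.1.19.50", "198.51.100.4", 20000, 53000, 80, 6),
])
```

Feed a real collector socket's `recv()` payload to `parse_netflow_v5` to use it against the router's exports; a host that dominates `top_talkers` on the PIX-facing interface is the first place to look.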
 
ditobot (Author) commented:
Whoops, I forgot to ask the actual question: based on the above configuration, what do I need to configure on the 2600 to pass traffic from the network to the PIX?

Thanks in advance
0
 
JFrederick29 commented:
On the 3550 (assuming you are using VLAN1).

conf t
vlan 55

int fa0/24   <--free port to connect to 2600 f0/0
switchport mode trunk
no shut

int fa0/x   <--PIX inside interface connection to the 3550
switchport access vlan 55

no ip route 0.0.0.0 0.0.0.0 10.1.19.76
ip route 0.0.0.0 0.0.0.0 10.1.19.x    <--10.1.19.x is the IP assigned to the 2600 LAN interface


2600:

int fa0/0
ip add 10.1.19.x 255.255.255.0
no shut

int fa0/0.55
encap dot1q 55
ip add 10.1.254.2 255.255.255.0
no shut

ip route 0.0.0.0 0.0.0.0 10.1.254.1   <--10.1.254.1 will be the new inside IP on the PIX


PIX:

ip address inside 10.1.254.1 255.255.255.0
route inside 10.0.0.0 255.0.0.0 10.1.254.2


If I missed something, it's due to lack of coffee :)
0
 
lrmoore commented:
Add the route-cache flow command to int fa0/0.55 on the router.
<8-}
0
 
JFrederick29 commented:
Yeah :-)

Thanks lrmoore.
0
 
ditobot (Author) commented:
Thanks for the input, I got this to work. I had some problems getting inside traffic to go through my PIX. I made a few changes and I'm not sure which made it work but I'm pretty sure that I needed to add the line 'switchport access vlan 55' to the port that was going to my PIX on the 3550.

There have only been two negative side effects. My VPN no longer works on the PIX. As near as I can tell the PIX isn't speaking with my Domain Controller for RADIUS authentication. My DC is 10.1.19.2 and the PIX is on 10.1.254.3.

The second problem, albeit minor, is that my PIX now scrolls all the way to the end with no pauses when I use the 'write term' command. It happened when I enabled SSH for Fireplotter I think.

I am going to look into the ManageEngine Firewall Analyzer again. There are a lot of features that I missed the first time around. Fireplotter still has a leg up with the SSH connection because it is truly real time. Either way, price will probably be a factor, especially since Firewall Analyzer requires an annual subscription. Do either of you have any experience with Spiceworks?
0
 
JFrederick29 commented:
Yeah, you needed to set the PIX to VLAN 55, which was part of what I stated above.

I assume you added the route, since the Internet wouldn't be working either.

I'm betting the problem with RADIUS auth is that the IP of the PIX changed so you need to update the client definition for the PIX in IAS (RADIUS).  Change the IP to the new inside IP of the PIX in IAS.

To fix the PIX scrolling issue, one of these will work depending on which version you are running:

pager

or

term pager 24

Never used Spiceworks myself...
0
 
ditobot (Author) commented:
Originally I set my Cisco 2600 router to switchport access vlan 55 instead of the PIX. Everything is working now.

Thanks for your help.
0
