ditobot
asked on
How can I use Cisco 2620 Router and Netflow to monitor WAN traffic with a PIX firewall?
I have a Cisco 2620 that I have finally managed to get Netflow working with ManageEngine NetFlow Analyzer. Recently our WAN connection has been a bit eratic and I want to monitor the traffic to see if I have any rogue machines on my network. Currently we have a proprietary box installed by our ISP (Time Warner) which combins 2 full T1's and a fractional. It has a standard LAN which goes into a PIX firewall and from there into my Layer 2 Cisco switches (2950s and 3560s).
I am trying to figure out how to utilize the Cisco 2620 to analyze the traffic entering and leaving the building via the WAN. Currently the 2620 has a T1 CSU/DSU interface card and the standard built in 10/100 port. I am at a loss to discover a way to put this in line to monitor the traffic.
I really like the detail that NetFlow gives me on the port traffic with source and destination IP addresses and would like to figure out a way to utilize it in my setup. I don't know the best way to do this, if I have to buy an expansion card or if there is something better out there to do what I am trying to do.
I am open to suggestions. Thanks in advance.
I am trying to figure out how to utilize the Cisco 2620 to analyze the traffic entering and leaving the building via the WAN. Currently the 2620 has a T1 CSU/DSU interface card and the standard built in 10/100 port. I am at a loss to discover a way to put this in line to monitor the traffic.
I really like the detail that NetFlow gives me on the port traffic with source and destination IP addresses and would like to figure out a way to utilize it in my setup. I don't know the best way to do this, if I have to buy an expansion card or if there is something better out there to do what I am trying to do.
I am open to suggestions. Thanks in advance.
ASKER
I will probably be hitting you up early next week for some config help to do this. I have to order a memory upgrade for the IP PLUS IOS. I only have 32MB with 16MB flash currently and I need 64MB/32MB for that IOS.
I am going to check out Fireplotter. It looks interesting but it might actually be cheaper to upgrade my router's memory and use Netflow. It just depends which interface is more robust in reporting.
Thanks for you help.
I am going to check out Fireplotter. It looks interesting but it might actually be cheaper to upgrade my router's memory and use Netflow. It just depends which interface is more robust in reporting.
Thanks for you help.
Another alternative would be to use ManageEngine's Firewall Analyzer and simply send the PIX's syslog to the firewall analyzer server with informational level logging enabled
Good alternative (especially to Fireplotter).
Nice to cross paths again lrmoore, how's things? Doing well I hope.
Nice to cross paths again lrmoore, how's things? Doing well I hope.
@ JFrederick29
I am doing well, thanks. Staying busy for sure!
I am doing well, thanks. Staying busy for sure!
ASKER
I finally got my router memory upgraded after going through two vendors, the first gave me flash and system memory for a 2600XM. Nice try but wrong voltage and standard of RAM.
Fireplotter was nice, especially since setup was a breeze but the downfall is the reporting. It works well as a real time analyzer but it is more difficult to sort protocols and IP addresses.
ManageEngine's Firewall Analyzer is nice as well but it doesn't seem to be realtime. Maybe I am mistaken but i think the Cisco Firewall writes to a log file and the program reads that at intervals.
Before I move forward using the Cisco 2600 as a hop for all traffic between my business network and the PIX, is there any reason that this configuration could cause problems? As far as I can surmise one extra hop isn't even going to be noticable considering the various switches in wire closets in our building, let alone the number of hops it is going to encounter over the internet.
Below is my configuration on my Cisco 2600 Router, configured and working with ManageEngine's Net Flow Analyzer and running IOS 12.3.26 IP Plus and just below that I am including the line on my Cisco 3550, which is technically handling all of the routing inside of the office, that tells all non-intranet traffic to go to my PIX.
Current configuration : 981 bytes
!
version 12.3
service config
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Cisco2620_NetFlow
!
boot-start-marker
boot-end-marker
!
enable password 7 xxxxxxxxxxxxxxxx
!
clock timezone Arizona -7
no aaa new-model
ip subnet-zero
ip flow-cache timeout active 1
ip cef
!
!
no ip domain lookup
!
!
!
!
!
!
interface FastEthernet0/0
description connected to EthernetLAN
ip address 10.1.19.251 255.255.255.0
ip route-cache flow
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
!
router rip
version 2
network 10.0.0.0
no auto-summary
!
no ip http server
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 10.1.19.20 9996
ip classless
!
!
snmp-server community public RO
snmp-server ifindex persist
snmp-server contact Randy Stowe
!
line con 0
exec-timeout 0 0
password 7 0234060D4A160739
login
line aux 0
line vty 0 4
password 7 1520095A453A233C
login
!
!
end
Cisco2620_NetFlow#
--------------------------
phorad-3550-mdf1#
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.19.76
ip route 10.1.1.0 255.255.255.0 10.1.19.251
ip http server
Fireplotter was nice, especially since setup was a breeze but the downfall is the reporting. It works well as a real time analyzer but it is more difficult to sort protocols and IP addresses.
ManageEngine's Firewall Analyzer is nice as well but it doesn't seem to be realtime. Maybe I am mistaken but i think the Cisco Firewall writes to a log file and the program reads that at intervals.
Before I move forward using the Cisco 2600 as a hop for all traffic between my business network and the PIX, is there any reason that this configuration could cause problems? As far as I can surmise one extra hop isn't even going to be noticable considering the various switches in wire closets in our building, let alone the number of hops it is going to encounter over the internet.
Below is my configuration on my Cisco 2600 Router, configured and working with ManageEngine's Net Flow Analyzer and running IOS 12.3.26 IP Plus and just below that I am including the line on my Cisco 3550, which is technically handling all of the routing inside of the office, that tells all non-intranet traffic to go to my PIX.
Current configuration : 981 bytes
!
version 12.3
service config
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Cisco2620_NetFlow
!
boot-start-marker
boot-end-marker
!
enable password 7 xxxxxxxxxxxxxxxx
!
clock timezone Arizona -7
no aaa new-model
ip subnet-zero
ip flow-cache timeout active 1
ip cef
!
!
no ip domain lookup
!
!
!
!
!
!
interface FastEthernet0/0
description connected to EthernetLAN
ip address 10.1.19.251 255.255.255.0
ip route-cache flow
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
!
router rip
version 2
network 10.0.0.0
no auto-summary
!
no ip http server
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 10.1.19.20 9996
ip classless
!
!
snmp-server community public RO
snmp-server ifindex persist
snmp-server contact Randy Stowe
!
line con 0
exec-timeout 0 0
password 7 0234060D4A160739
login
line aux 0
line vty 0 4
password 7 1520095A453A233C
login
!
!
end
Cisco2620_NetFlow#
--------------------------
phorad-3550-mdf1#
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.19.76
ip route 10.1.1.0 255.255.255.0 10.1.19.251
ip http server
ASKER
Whoops, I forgot to ask the actual question, base on the above configuration, what do I need to configure on the 2600 to pass traffic from the network to the PIX.
Thanks in advance
Thanks in advance
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Add the route-cache flow command to int fa0/0.55 on the router
<8-}
<8-}
Yeah :-)
Thanks lrmoore.
Thanks lrmoore.
ASKER
Thanks for the input, I got this to work. I had some problems getting inside traffic to go through my PIX. I made a few changes and I'm not sure which made it work but I'm pretty sure that I needed to add the line 'switchport access vlan 55' to the port that was going to my PIX on the 3550.
There have only been two negative side effects. My VPN no longer works on the PIX. As near as I can tell the PIX isn't speaking with my Domain Controller for RADIUS authentication. My DC is 10.1.19.2 and the PIX is on 10.1.254.3.
The second problem, albeit minor, is that my PIX now scrolls all the way to the end with no pauses when I use the 'write term' command. It happened when I enabled SSH for Fireplotter I think.
I am going to look into the ManageEngine Firewall Analyzer again. There are a lot of features that I missed the first time around. Fireplotter still has a leg up with the SSH connection because it is truly real time. Either way, price will probably be a factor, especially since Firewall Analyzer requires an annual subscription. Do either of you have any experience with Spiceworks?
There have only been two negative side effects. My VPN no longer works on the PIX. As near as I can tell the PIX isn't speaking with my Domain Controller for RADIUS authentication. My DC is 10.1.19.2 and the PIX is on 10.1.254.3.
The second problem, albeit minor, is that my PIX now scrolls all the way to the end with no pauses when I use the 'write term' command. It happened when I enabled SSH for Fireplotter I think.
I am going to look into the ManageEngine Firewall Analyzer again. There are a lot of features that I missed the first time around. Fireplotter still has a leg up with the SSH connection because it is truly real time. Either way, price will probably be a factor, especially since Firewall Analyzer requires an annual subscription. Do either of you have any experience with Spiceworks?
Yeah, you needed to set the PIX to VLAN55 which was part of what I stated above.
I assume you add the route since Internet wouldn't be working also.
I'm betting the problem with RADIUS auth is that the IP of the PIX changed so you need to update the client definition for the PIX in IAS (RADIUS). Change the IP to the new inside IP of the PIX in IAS.
To fix the PIX scrolling issue, one of these will work depending on which version your are running:
pager
or
term pager 24
Never used Spiceworks myself...
I assume you add the route since Internet wouldn't be working also.
I'm betting the problem with RADIUS auth is that the IP of the PIX changed so you need to update the client definition for the PIX in IAS (RADIUS). Change the IP to the new inside IP of the PIX in IAS.
To fix the PIX scrolling issue, one of these will work depending on which version your are running:
pager
or
term pager 24
Never used Spiceworks myself...
ASKER
Originally I set my Cisco 2600 router to switchport access vlan 55 instead of the PIX. Everything is working now.
Thanks for your help
Thanks for your help
Alternatively, you could look at using Fireplotter to collect the connections on the Firewall and provides a view of what is traversing the firewall. This is obviously less complex.
http://www.fireplotter.com/