Solved

Help configuring netflow

Posted on 2014-11-20
143 Views
Last Modified: 2014-12-07
I have a router that is located at an external site. I would like to permit the traffic from that router's interface to and through my firewall to the machine I have the NetFlow collector installed on. I'm using port 2055. I am getting SNMP packets when I check with Wireshark but don't see the cflow packets at all. I know I'm probably missing ACLs, access rules and NAT. Can anyone explain and/or provide config examples that will help me get the traffic through? I also want to say that there is a L2L tunnel from that site to me. Maybe we could get traffic through the tunnel? I don't want to create unnecessary traffic and really mess with active tunnels if I don't have to. The ASA is a 5520, version 8.2.

ROUTER ------- FIREWALL -------- PC
192.168.X.X          XXFIREWALLIP        10.153.X.X
Question by:Shark Attack
39 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40457354
does your outside access list permit incoming udp port 2055 traffic?

what is your netflow configuration on the router?
0
 
LVL 1

Author Comment

by:Shark Attack
ID: 40457449
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination <outside IP of firewall> 2055

interface FastEthernet0/0
 ip flow egress
 ip flow ingress
 ip route-cache flow


There are so many ACLs on that firewall that each time I go through it I feel like quitting my job on the spot. So at this point I don't know what's on it. I'm new here and trying to figure all this out.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40457459
if your destination is the outside IP of the firewall, do you have a NAT statement port forwarding 2055 from the outside IP to the correct inside IP?

sh run nat | i 2055

(leave the space on either side of the pipe)
0
 
LVL 1

Author Comment

by:Shark Attack
ID: 40457472
it gives me nothing out of that command.
0
 
LVL 1

Author Comment

by:Shark Attack
ID: 40457476
Should I have the destination as the PC I'm running the collector on?
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40457483
Yes. You want to port forward UDP 2055 from the outside IP to the inside collector IP.
0
 
LVL 1

Author Comment

by:Shark Attack
ID: 40457490
Done. Changed. Did not help though. I am getting flows from the internal NetFlow but not external (from that router).
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40457516
have you updated your outside access list to allow udp 2055 from the router source IP to the destination IP?  

the destination IP in 8.2 or earlier will be the public IP.

the destination IP in 8.3 or later will be the private IP.

       packet-tracer input outside udp ROUTER_IP 12345 DESTINATION_IP 2055 detail

what is the output?
0
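An added example, not from this thread, of the pre-8.3 ASA pieces Jan describes: a static PAT forwarding UDP/2055 from the outside interface to the collector, an inbound ACL scoped to the one exporter, and the packet-tracer check. ROUTER_IP, OUTSIDE_IP, COLLECTOR_IP and the nameifs "outside"/"inside" are placeholders to be replaced with the real values (the thread's outside nameif is outsideds3).

```cisco
! Added example (not from the thread): ASA 8.2 static PAT + ACL for a NetFlow v5 collector.
! Placeholders: ROUTER_IP (exporter), OUTSIDE_IP (ASA public IP), COLLECTOR_IP (inside host).
! nameifs "outside" and "inside" are assumed; substitute the configured nameif.
!
! 8.2 syntax: static (real_ifc,mapped_ifc) udp mapped_addr mapped_port real_ip real_port
! "interface" maps the port on the outside interface's own address to the collector.
static (inside,outside) udp interface 2055 COLLECTOR_IP 2055 netmask 255.255.255.255
!
! Pre-8.3 the inbound ACL is matched against the mapped (public) destination, so permit
! to OUTSIDE_IP. Limit it to the one exporter and one port rather than "udp any any".
access-list OUTSIDE_IN extended permit udp host ROUTER_IP host OUTSIDE_IP eq 2055
access-group OUTSIDE_IN in interface outside
!
! Verify: expect ACCESS-LIST ALLOW, a NAT phase untranslating to COLLECTOR_IP and
! output-interface inside. On 8.3 or later the private IP would be used here instead.
packet-tracer input outside udp ROUTER_IP 12345 OUTSIDE_IP 2055 detail
!
! After the router has sent a few export datagrams, the hitcnt and the xlate should be non-zero.
show access-list OUTSIDE_IN
show xlate
```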
 
LVL 1

Author Comment

by:Shark Attack
ID: 40457541
I get an ACL drop from  packet-tracer in outsideds3 udp 1router ip 0 public ip of firewall 2055 detail
0
 
LVL 1

Author Comment

by:Shark Attack
ID: 40457545
** packet-tracer in outsideds3 udp "router ip" 0 "public ip" of firewall 2055 detail
0
 
LVL 1

Author Comment

by:Shark Attack
ID: 40457605
How can I check what the ACLs are for the outside interface?
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40457731
sh run | i group

this will list access-groups applied.  you are looking for one applied to the outside interface -- it will be referenced using the nameif configured.
0
 
LVL 1

Author Comment

by:Shark Attack
ID: 40457743
ok, nothing referencing the port 2055
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40457751
can you post your outside access list?  you can change the first two octets of the public IPs to X.X (unless you are using object groups then you should be okay).
0
 
LVL 1

Author Comment

by:Shark Attack
ID: 40457770
show run | i group
access-group 190 in interface outside

access-list 190 line 1 extended permit udp any any (hitcnt=0) 0x27e08eec
access-list 190 line 2 extended permit ip any any (hitcnt=0) 0xc824ef44
access-list 190 line 3 extended permit icmp any any (hitcnt=0) 0x710e0adf
access-list 190 line 4 extended permit udp any host x.x.21.171 eq 1812 (hitcnt=0) 0xd9d81768
access-list 190 line 5 extended permit udp any host x.x.21.171 eq 1813 (hitcnt=0) 0x423339ff
access-list 190 line 6 extended permit tcp any host x.x.21.171 eq 1813 (hitcnt=0) 0xc0db528a
access-list 190 line 7 extended permit udp any host x.x.21.170 eq syslog (hitcnt=0) 0xcb33f679
access-list 190 line 8 extended permit udp any host x.x.21.170 eq snmp (hitcnt=0) 0x3a70fc2c
access-list 190 line 9 extended permit udp any host x.x.21.170 eq snmptrap (hitcnt=0) 0x0b087efd
0
 
LVL 1

Author Comment

by:Shark Attack
ID: 40457788
When I use Wireshark, I can see SNMP flows from the router but not NetFlow (cflow) on port 2055.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40457826
access-list 190 extended permit udp host ROUTER_IP any eq 2055
0
 
LVL 1

Author Comment

by:Shark Attack
ID: 40457852
Still no cflow packets coming through, just SNMP. Maybe there is an issue on the router. When I go to the collector and look at the interface for NetFlow, it says no NetFlow configured on the interface, but that might be because cflow packets are not coming through.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40457862
on the router:

sh ip flow export
0
 
LVL 1

Author Comment

by:Shark Attack
ID: 40457870
Router#show ip flo ex
Flow export v5 is enabled for main cache
  Exporting flows to x.x.0.223 (2055) <---- my box running collector
  Exporting using source interface FastEthernet0/0
  Version 5 flow records
  1966264 flows exported in 82127 udp datagrams
  0 flows failed due to lack of export packet
  2 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40457874
please re-run packet-tracer as indicated above.  with the NAT and access list updates, we should see something different.
0
 
LVL 1

Author Comment

by:Shark Attack
ID: 40457901
says acl drop.
packet-tracer input outsideds3 udp x.x.202.2 0 x.x.x.x 2055
x.x.202.2 = router
x,x,x.x = public ip of firewall

my outside int. is outsideds3

show run | i group
access-group netflow in interface outsideds3

show access-list netflow
access-list netflow line 1 extended permit udp host x.x.202.2 any eq 2055 (hitcnt=1) 0x51b235a2
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40457933
Up above you listed access list 190 and the outside interface as "outside".

Would you clarify both?
0
 
LVL 1

Author Comment

by:Shark Attack
ID: 40457939
Yes, sorry, the outside interface is shut down, not in use. Sorry about that. I'm working on a few things and missed that. ACL 190 pertains to nameif outside, which is not active. My outside interface is outsideds3. I created a new ACL "netflow" and applied it to outsideds3, just like in my last post.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40457986
and you have no current access list tied to outsideds3?  (and, i'll have to step away for a half hour but will pick this up on my return).
0
 
LVL 1

Author Comment

by:Shark Attack
ID: 40458001
No problem. I didn't have any based on "show run | i group". I created one called "netflow".
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40458134
If you would do a packet-tracer (as above with detail), X.X the first two octets of any public IP and post the detail, that may help.

Also, do you have an access-list on the inside interface?
0
 
LVL 1

Author Comment

by:Shark Attack
ID: 40458146
packet-tracer in outsideds3 udp x.x.202.2 0 8.8.8.8 2055

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outsideds3

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group netflow in interface outsideds3
access-list netflow extended permit udp host x.x.202.2 any eq 2055
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: UDP-UNIDIRECTIONAL
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (outsideds3) 4 access-list REMOTE-VPN-TUNNEL-PAT
nat-control
  match ip outsideds3 x.x.202.0 255.255.255.192 outside x.x.0.0 255.255.255.0
    dynamic translation to pool 4 (x.x.0.5)
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 302250109, packet dispatched to next module

Result:
input-interface: outsideds3
input-status: up
input-line-status: up
output-interface: outsideds3
output-status: up
output-line-status: up
Action: allow


I do have an ACL on the inside interface, just one.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40458155
is this traffic terminating across a vpn?
0
 
LVL 1

Author Comment

by:Shark Attack
ID: 40458175
Well, there is a L2L tunnel going from the site to us, yes. Would this actually be going through the tunnel though, as we're not playing with the tunnel ACLs?
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40458187
so, your router is behind the vpn tunnel or in front of it?
0
 
LVL 1

Author Comment

by:Shark Attack
ID: 40458209
behind
0
 
LVL 1

Accepted Solution

by:
Shark Attack earned 0 total points
ID: 40458278
Thanks for all your help. I have used the netflow-top-talkers and was able to find what I needed. There is so much crap on this firewall it's hard to identify what goes with what. Unless you have some other good ideas on what might be wrong, it's OK to let this one go. You've been extremely helpful.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40458423
this traffic runs across the vpn.  set your flow export IP to the inside IP.
0
 
LVL 1

Author Comment

by:Shark Attack
ID: 40458450
That's what it is. The export IP is one of the IPs permitted by the ACL of the tunnel.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40458474
but the export IP needs to be the private IP not the public IP and you need to remove the NAT port forwarding.
0
 
LVL 1

Author Comment

by:Shark Attack
ID: 40458491
the export ip is the private ip. It's the inside ip of one of the lan subnets.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40459536
if you are using private IPs at both ends, let's get rid of the obfuscation and show the detail in the packet tracer using the correct IP and mask.
0
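For the tunnelled case Jan arrives at (router behind the L2L VPN, export sent to the collector's private address, public port forward removed, packet-tracer run with the real private destination), an added example that is not from this thread. It assumes ROUTER_IP and COLLECTOR_IP are both already covered by the tunnel's interesting-traffic ACL at both ends; those names and the nameifs "inside"/"outside" are placeholders.

```cisco
! Added example (not from the thread): NetFlow export over the L2L tunnel, ASA 8.2 syntax.
! Placeholders: ROUTER_IP (router LAN address inside the crypto ACL), COLLECTOR_IP
! (collector's private address), nameifs "inside"/"outside".
!
! --- Router (IOS): send to the private address and source from the LAN-side interface,
! so the export datagrams match the crypto map instead of leaving in the clear.
ip flow-export version 5
ip flow-export source FastEthernet0/0
ip flow-export destination COLLECTOR_IP 2055
!
! --- ASA 8.2: the public-IP port forward is no longer needed once export goes through
! the tunnel; remove it so UDP/2055 is not exposed on the public address at all.
! Whatever NAT the tunnel already has (the policy PAT seen in the packet-tracer above)
! decides which source address the collector will record for the exporter.
no static (inside,outside) udp interface 2055 COLLECTOR_IP 2055 netmask 255.255.255.255
!
! Decrypted tunnel traffic bypasses the outside interface ACL while this default is in
! place; if it has been turned off, the outside ACL must permit ROUTER_IP -> COLLECTOR_IP.
sysopt connection permit-vpn
!
! Verify with the real private destination, as asked for above: expect the VPN
! ipsec-tunnel-flow phase, then output-interface inside and Action: allow.
packet-tracer input outside udp ROUTER_IP 12345 COLLECTOR_IP 2055 detail
!
! Prove the datagrams reach the inside segment without Wireshark on the PC. The source
! is left as "any" because the tunnel's PAT may have rewritten it.
access-list NETFLOW_CAP extended permit udp any host COLLECTOR_IP eq 2055
capture NETFLOW_CAP access-list NETFLOW_CAP interface inside
show capture NETFLOW_CAP
```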
 
LVL 1

Author Closing Comment

by:Shark Attack
ID: 40485299
Thanks for all your help. I have used the netflow-top-talkers and was able to find what I needed. There is so much crap on this firewall it's hard to identify what goes with what. Unless you have some other good ideas on what might be wrong, it's OK to let this one go. You've been extremely helpful.
0
