Help configuring netflow

I have a router that is located at an external site. I would like to permit the traffic from that router's interface to and through my firewall to the machine I have the NetFlow collector installed on. I'm using port 2055. I am getting SNMP packets when I check with Wireshark but don't see the cflow packets at all. I know I'm probably missing ACLs, access rules and NAT. Can anyone explain and/or provide config examples that will help me get the traffic through? I also want to say that there is a L2L tunnel from that site to me. Maybe we could get traffic through the tunnel? I don't want to create unnecessary traffic and really mess with active tunnels if I don't have to. The ASA is a 5520, version 8.2.

ROUTER ------- FIREWALL -------- PC
192.168.X.X          XXFIREWALLIP        10.153.X.X
Shark Attack (Network admin) asked:

Jan Springer commented:
does your outside access list permit incoming udp port 2055 traffic?

what is your netflow configuration on the router?
0
Shark Attack (Network admin, Author) commented:
ip flow-export source FastEthernet0/0
ip flow-export version 5
! FIREWALL_OUTSIDE_IP stands for the IP of the outside interface of the firewall; 2055 is the collector port
ip flow-export destination FIREWALL_OUTSIDE_IP 2055

interface FastEthernet0/0
 ip flow egress
 ip flow ingress
 ip route-cache flow


There are so many ACLs on that firewall that each time I go through it I feel like quitting my job on the spot. So at this point I don't know what's on it. I'm new here and trying to figure all this out.
0
Jan Springer commented:
if your destination is the outside IP of the firewall, do you have a NAT statement port forwarding 2055 from the outside IP to the correct inside IP?

sh run nat | i 2055

(leave the space on either side of the pipe)
0
Shark Attack (Network admin, Author) commented:
it gives me nothing out of that command.
0
Shark Attack (Network admin, Author) commented:
Should I have the destination as the PC I'm running the collector on?
0
Jan Springer commented:
yes.  you want to port forward udp 2055 from the outside IP to the inside collector IP.
0
Shark Attack (Network admin, Author) commented:
Done. Changed. Did not help though. I am getting flows from the internal NetFlow but not external (from that router).
0
Jan Springer commented:
have you updated your outside access list to allow udp 2055 from the router source IP to the destination IP?  

the destination IP in 8.2 or earlier will be the public IP.

the destination IP in 8.3 or later will be the private IP.

       packet-tracer input outside udp ROUTER_IP 12345 DESTINATION_IP 2055 detail

what is the output?
0
Shark Attack (Network admin, Author) commented:
I get an ACL drop from  packet-tracer in outsideds3 udp 1router ip 0 public ip of firewall 2055 detail
0
Shark Attack (Network admin, Author) commented:
** packet-tracer in outsideds3 udp "router ip" 0 "public ip" of firewall 2055 detail
0
Shark Attack (Network admin, Author) commented:
How can I check what the ACLs are for the outside interface?
0
Jan Springer commented:
sh run | i group

this will list access-groups applied.  you are looking for one applied to the outside interface -- it will be referenced using the nameif configured.
0
Shark Attack (Network admin, Author) commented:
ok, nothing referencing the port 2055
0
Jan Springer commented:
can you post your outside access list?  you can change the first two octets of the public IPs to X.X (unless you are using object groups then you should be okay).
0
Shark Attack (Network admin, Author) commented:
show run | i group
access-group 190 in interface outside

access-list 190 line 1 extended permit udp any any (hitcnt=0) 0x27e08eec
access-list 190 line 2 extended permit ip any any (hitcnt=0) 0xc824ef44
access-list 190 line 3 extended permit icmp any any (hitcnt=0) 0x710e0adf
access-list 190 line 4 extended permit udp any host x.x.21.171 eq 1812 (hitcnt=0) 0xd9d81768
access-list 190 line 5 extended permit udp any host x.x.21.171 eq 1813 (hitcnt=0) 0x423339ff
access-list 190 line 6 extended permit tcp any host x.x.21.171 eq 1813 (hitcnt=0) 0xc0db528a
access-list 190 line 7 extended permit udp any host x.x.21.170 eq syslog (hitcnt=0) 0xcb33f679
access-list 190 line 8 extended permit udp any host x.x.21.170 eq snmp (hitcnt=0) 0x3a70fc2c
access-list 190 line 9 extended permit udp any host x.x.21.170 eq snmptrap (hitcnt=0) 0x0b087efd
0
Shark Attack (Network admin, Author) commented:
When I use Wireshark, I can see SNMP flows from the router but not NetFlow (cflow) packets on port 2055.
0
Jan Springer commented:
access-list 190 extended permit udp host ROUTER_IP any eq 2055
0
Shark Attack (Network admin, Author) commented:
Still no cflow packets coming through, just SNMP. Maybe there is an issue on the router. When I go to the collector and look at the interface for NetFlow, it says no NetFlow configured on the interface, but that might be because cflows are not coming through.
0
Jan Springer commented:
on the router:

sh ip flow export
0
Shark Attack (Network admin, Author) commented:
Router#show ip flo ex
Flow export v5 is enabled for main cache
  Exporting flows to x.x.0.223 (2055) <---- my box running collector
  Exporting using source interface FastEthernet0/0
  Version 5 flow records
  1966264 flows exported in 82127 udp datagrams
  0 flows failed due to lack of export packet
  2 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures
0
Jan Springer commented:
please re-run packet-tracer as indicated above.  with the NAT and access list updates, we should see something different.
0
Shark Attack (Network admin, Author) commented:
says acl drop.
packet-tracer input outsideds3 udp x.x.202.2 0 x.x.x.x 2055
x.x.202.2 = router
x.x.x.x = public ip of firewall

my outside int. is outsideds3

show run | i group
access-group netflow in interface outsideds3

show access-list netflow
access-list netflow line 1 extended permit udp host x.x.202.2 any eq 2055 (hitcnt=1) 0x51b235a2
0
Jan Springer commented:
Up above you listed access list 190 and the outside interface as "outside".

Would you clarify both?
0
Shark Attack (Network admin, Author) commented:
Yes, sorry, the outside interface is shut down, not in use. Sorry about that. I'm working on a few things and missed that. ACL 190 pertains to nameif outside, which is not active. My outside interface is outsideds3; I created a new ACL "netflow" and applied it to outsideds3, just like in my last posting.
0
Jan Springer commented:
and you have no current access list tied to outsideds3?  (and, I'll have to step away for a half hour but will pick this up on my return).
0
Shark Attack (Network admin, Author) commented:
No problem. I didn't have any based on the show run group. I created one called netflow
0
Jan Springer commented:
If you would do a packet-tracer (as above with detail), X.X the first two octets of any public IP and post the detail, that may help.

Also, do you have an access-list on the inside interface?
0
Shark Attack (Network admin, Author) commented:
packet-tracer in outsideds3 udp x.x.202.2 0 8.8.8.8 2055

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outsideds3

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group netflow in interface outsideds3
access-list netflow extended permit udp host x.x.202.2 any eq 2055
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: UDP-UNIDIRECTIONAL
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (outsideds3) 4 access-list REMOTE-VPN-TUNNEL-PAT
nat-control
  match ip outsideds3 x.x.202.0 255.255.255.192 outside x.x.0.0 255.255.255.0
    dynamic translation to pool 4 (x.x.0.5)
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 302250109, packet dispatched to next module

Result:
input-interface: outsideds3
input-status: up
input-line-status: up
output-interface: outsideds3
output-status: up
output-line-status: up
Action: allow


I do have an ACL on the inside interface, just one.
0
Jan Springer commented:
is this traffic terminating across a vpn?
0
Shark Attack (Network admin, Author) commented:
Well, there is a L2L tunnel going from the site to us, yes. Would this actually be going through the tunnel though, as we're not playing with the tunnel ACLs?
0
Jan Springer commented:
so, your router is behind the vpn tunnel or in front of it?
0
Shark Attack (Network admin, Author) commented:
behind
0
Shark Attack (Network admin, Author) commented:
Thanks for all your help. I have used the netflow-top-talkers and was able to find what I needed. There is so much crap on this firewall it's hard to identify what goes with what. Unless you have some other good ideas on what might be wrong, it's ok to let this one go. You've been extremely helpful.
0
Jan Springer commented:
this traffic runs across the vpn.  set your flow export IP to the inside IP.
0
Shark Attack (Network admin, Author) commented:
That's what it is. The export IP is one of the IPs permitted by the ACL of the tunnel.
0
Jan Springer commented:
but the export IP needs to be the private IP not the public IP and you need to remove the NAT port forwarding.
0
Shark Attack (Network admin, Author) commented:
The export IP is the private IP. It's the inside IP of one of the LAN subnets.
0
Jan Springer commented:
if you are using private IPs at both ends, let's get rid of the obfuscation and show the detail in the packet tracer using the correct IP and mask.
0
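As an added worked configuration (written for this page, not posted by either participant), here are the two ways the thread discusses for getting the router's NetFlow v5 export to the collector behind an ASA running 8.2: through the firewall's public address with a UDP/2055 port forward, or across the existing L2L tunnel to the collector's private address. All names in capitals (COLLECTOR_IP, FIREWALL_PUBLIC_IP, ROUTER_WAN_IP, ROUTER_LAN_IP, the subnet names, the ACL names OUTSIDE_IN, L2L_CRYPTO and NONAT) are placeholders, the inside nameif is assumed to be "inside", and FastEthernet0/1 is assumed to be the router's LAN interface; only outsideds3 and port 2055 come from the thread.

```cisco
! ===== Router (IOS): NetFlow v5 export, common to both options =====
ip flow-export version 5
interface FastEthernet0/0
 ip flow ingress
 ip flow egress

! ----- Option A: export to the firewall's public IP, port-forwarded to the collector -----
! Router: source the datagrams from the WAN interface and send them to the ASA's outside address
ip flow-export source FastEthernet0/0
ip flow-export destination FIREWALL_PUBLIC_IP 2055

! ASA 8.2: static PAT, outsideds3 UDP/2055 -> collector UDP/2055
static (inside,outsideds3) udp interface 2055 COLLECTOR_IP 2055 netmask 255.255.255.255
! ASA 8.2: interface ACL; before 8.3 the ACL destination is the mapped (public) address
access-list OUTSIDE_IN extended permit udp host ROUTER_WAN_IP host FIREWALL_PUBLIC_IP eq 2055
access-group OUTSIDE_IN in interface outsideds3
! Verify (the source port is arbitrary, so any value works):
! packet-tracer input outsideds3 udp ROUTER_WAN_IP 12345 FIREWALL_PUBLIC_IP 2055 detail

! ----- Option B: export across the existing L2L tunnel to the collector's private IP -----
! Router: source from the LAN interface so the datagram matches the crypto ACL's local network
ip flow-export source FastEthernet0/1
ip flow-export destination COLLECTOR_IP 2055
! ASA 8.2: the collector subnet / router LAN subnet pair must be in the tunnel's crypto ACL
! and in the NAT exemption list; no port forward is needed (remove Option A's static)
access-list L2L_CRYPTO extended permit ip COLLECTOR_SUBNET 255.255.255.0 ROUTER_LAN_SUBNET 255.255.255.0
access-list NONAT extended permit ip COLLECTOR_SUBNET 255.255.255.0 ROUTER_LAN_SUBNET 255.255.255.0
nat (inside) 0 access-list NONAT
! Verify:
! packet-tracer input outsideds3 udp ROUTER_LAN_IP 12345 COLLECTOR_IP 2055 detail
```

Two caveats when applying this. `access-group` binds one list per interface and direction, so on a firewall that already has an inbound list on outsideds3 the `permit udp ... eq 2055` line belongs in that existing list rather than in a fresh one, which would replace it. For Option B, traffic arriving through the tunnel bypasses the interface ACL as long as `sysopt connection permit-vpn` is in effect (the 8.2 default), but adding the subnet pair to the crypto ACL on both ends changes the tunnel's proxy identities, so the tunnel will renegotiate; if that is unacceptable on a live tunnel, Option A avoids touching it. In either case, the router's `show ip flow export` counters confirm datagrams are leaving, and packet-tracer on the ASA shows which phase (ACCESS-LIST, NAT or VPN) is dropping or redirecting them.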
Question has a verified solution.