topic Netflow Traffic in Network Security

Netflow Traffic

peterramla — Tue, 12 Mar 2019 02:49:12 GMT

Hi guys

I have configured the router to forward traffic to my server hosting netflow

My Netflow server IP is 192.9.200.7 and its listening on port 9996

My router IP is192.9.200.254

and netflow has been enabled with following commands

IP-flow export source gigabitethernet 0/1

IP-flow export version 5

IP-flow export destination 192.9.200.7 9996

The network is switch --->cisco ASA---->Router,

My problem is my netflow traffic from the router is not reaching the netflow server hence i cannot get info and am told its the firewall blocking.

Kindly assist and tell me whether my firewall configs are the Problem

interface Ethernet0/0

nameif outside

security-level 0

interface Ethernet0/1

nameif inside

security-level 100

interface Ethernet0/2

shutdown

no nameif

no security-level

interface Management0/0

shutdown

no nameif

no security-level

management-only

banner motd #

banner motd # This is Kenya Re network. No unauthorized access is allowed - such access will be prosecuted. Access requests to be forwaded to the ICT Team. #

ftp mode passive

access-list 100 extended permit icmp any any

access-list 100 extended permit icmp any any echo

access-list 100 extended permit icmp any any echo-reply

access-list 100 extended permit icmp any any unreachable

access-list SMTP_OUT remark permit outgoing mail from MXserver

access-list ACL_OUT_IN extended permit icmp any any

access-list ACL_OUT_IN extended permit ip 192.9.200.0 255.255.255.0 any

access-list ACL_OUT_IN extended permit tcp any host 192.9.200.5 eq https

access-list ACL_OUT_IN extended permit tcp 196.200.16.0 255.255.255.0 host 192.9.200.5 eq smtp

access-list ACL_OUT_IN extended permit tcp host 217.21.112.60 host 192.9.200.5 eq smtp

access-list ACL_OUT_IN extended permit tcp host 80.240.192.30 host 192.9.200.5 eq smtp

access-list ACL_OUT_IN extended permit tcp any host 192.9.200.5 eq 993

access-list ACL_OUT_IN extended permit tcp any host 192.9.200.5 eq 995

access-list ACL_OUT_IN extended permit tcp host 41.206.48.74 host 192.9.200.5 eq smtp

access-list ACL_OUT_IN extended permit ip 192.168.205.0 255.255.255.0 any

access-list ACL_OUT_IN extended deny ip any any

access-list ACL_OUT_IN extended permit udp any host 192.9.200.7 eq snmp

access-list ACL_OUT_IN extended permit udp any host 192.9.200.7 eq snmptrap

access-list ACL_OUT_IN extended permit udp any host 192.9.200.7 eq 9996

pager lines 24

logging enable

logging timestamp

logging buffered debugging

logging trap errors

logging history errors

logging recipient-address Firewall@kenyare.co.ke level errors

logging queue 500

logging host inside 192.9.200.7 6/1026

mtu outside 1500

mtu inside 1500

ip address 192.9.200.20 255.255.255.0

asdm image disk0:/asdm-508.bin

no asdm history enable

arp timeout 14400

access-group ACL_OUT_IN in interface outside

route outside 0.0.0.0 0.0.0.0 192.9.200.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

username support password Yf12uhqRlWbAtYR. encrypted

username netadmin password Jx0xbhkzRrIpxYnu encrypted

aaa authentication ssh console LOCAL

snmp-server host inside 192.9.200.7 community private

no snmp-server location

no snmp-server contact

snmp-server community KRE

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 192.9.200.0 255.255.255.0 outside

telnet 172.30.0.0 255.255.255.0 outside

telnet 192.9.200.0 255.255.255.0 inside

telnet timeout 5

ssh 192.9.200.0 255.255.255.0 outside

ssh 41.206.48.74 255.255.255.255 outside

ssh 192.9.200.0 255.255.255.0 inside

ssh timeout 30

ssh version 2

console timeout 0

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

Netflow Traffic

phuoctrung — Thu, 10 Oct 2013 11:25:30 GMT

no access-list ACL_OUT_IN extended deny ip any any

Please try.

Netflow Traffic

peterramla — Tue, 15 Oct 2013 04:45:00 GMT

Thanks for the response i tried that but still no netflow traffic is coming in.

Another thing SNMP is not working also what could the problem be ?

Kindly assist.

Netflow Traffic

peterramla — Wed, 16 Oct 2013 04:43:53 GMT

Any one with any idea ? Am stuck

Re: Netflow Traffic

johnlloyd_13 — Wed, 16 Oct 2013 10:37:22 GMT

Hi,

Did you add the "ip route-cache flow" under interface g0/1 on your router?

Could you also post the output of "show ip flow export."

Sent from Cisco Technical Support iPhone App

Netflow Traffic

cadet alain — Wed, 16 Oct 2013 10:55:08 GMT

Hi,

Can you do this on the ASA and post result:

packet-tracer input outside udp 192.9.200.254 1100 192.9.200.7 9996 detailed

Regards

Alain

Netflow Traffic

Rohit saurav — Fri, 18 Oct 2013 11:16:22 GMT

Hi Cadet,

Why you have considered port number 1100 on source port. ,i think for netflow.

Netflow Traffic

cadet alain — Fri, 18 Oct 2013 11:30:53 GMT

I just took a random port > 1024 like any client would do.

Regards

Alain

Don't forget to rate helpful posts.

Netflow Traffic

Rohit saurav — Fri, 18 Oct 2013 11:49:09 GMT

sir,

what valuable finding can we get from mentioned commands.

Netflow Traffic

cadet alain — Fri, 18 Oct 2013 13:49:23 GMT

Hi,

you will know if the ASA is permitting Netflow traffic through from outside to inside and if not it will tell you why.

Regards

Alain

Don't forget to rate helpful posts.

Netflow Traffic

narawat — Fri, 18 Oct 2013 14:07:21 GMT

Hi Rohit,

By the output of packet tracer we could confirm if the firewlal rules are allowing or blocking the traffic in different phases of packet processing.

Further applying captures on firewall ingress interface and egress interface can also be used to verify if the netflow traffic is even reacing the firewall and is getting transmitted across or not.

Please use following link for applying captures on ASA:

https://supportforums.cisco.com/docs/DOC-17814

Cheers,

Naveen

Netflow Traffic

Don Jacob — Mon, 21 Oct 2013 09:40:45 GMT

Peter, are those the only NetFlow commands you have applied on the router? Have you applied "ip route-cache flow" on each interface of the router? Check from the router the output of "sh ip cache flow" and "sh ip flow export" and see if there are actually NetFlow packets in the router cache and other cache stats.

Second, since the firrwall configuration seems fine (except for ip any deny, which you said has been removed), have you tried installing WireShark on the NetFlow server and see if it is actually receiving NetFlow packets? If it is, disable the software firewall on your server and give it a shot.

Regards,
Don Thomas Jacob
Head Geek @ SolarWinds - Network Management and Monitoring tools

NOTE: Please rate and close questions if you found any of the answers helpful.