I have configured the router to forward traffic to my server hosting netflow
My NetFlow server IP is 184.108.40.206 and it is listening on port 9996.
My router IP is 220.127.116.11,
and NetFlow has been enabled with the following commands:
ip flow-export source GigabitEthernet0/1
ip flow-export version 5
ip flow-export destination 18.104.22.168 9996
The network is switch ---> Cisco ASA ----> Router.
My problem is that the NetFlow traffic from the router is not reaching the NetFlow server, hence I cannot get any info, and I am told it is the firewall blocking it.
Kindly assist and tell me whether my firewall configs are the problem.
banner motd #
banner motd # This is Kenya Re network. No unauthorized access is allowed - such access will be prosecuted. Access requests to be forwarded to the ICT Team. #
ftp mode passive
access-list 100 extended permit icmp any any
access-list 100 extended permit icmp any any echo
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any unreachable
access-list SMTP_OUT remark permit outgoing mail from MXserver
access-list ACL_OUT_IN extended permit icmp any any
access-list ACL_OUT_IN extended permit ip 22.214.171.124 255.255.255.0 any
access-list ACL_OUT_IN extended permit tcp any host 126.96.36.199 eq https
access-list ACL_OUT_IN extended permit tcp 188.8.131.52 255.255.255.0 host 184.108.40.206 eq smtp
access-list ACL_OUT_IN extended permit tcp host 220.127.116.11 host 18.104.22.168 eq smtp
access-list ACL_OUT_IN extended permit tcp host 22.214.171.124 host 126.96.36.199 eq smtp
access-list ACL_OUT_IN extended permit tcp any host 188.8.131.52 eq 993
access-list ACL_OUT_IN extended permit tcp any host 184.108.40.206 eq 995
access-list ACL_OUT_IN extended permit tcp host 220.127.116.11 host 18.104.22.168 eq smtp
access-list ACL_OUT_IN extended permit ip 192.168.205.0 255.255.255.0 any
access-list ACL_OUT_IN extended deny ip any any
access-list ACL_OUT_IN extended permit udp any host 22.214.171.124 eq snmp
access-list ACL_OUT_IN extended permit udp any host 126.96.36.199 eq snmptrap
access-list ACL_OUT_IN extended permit udp any host 188.8.131.52 eq 9996
pager lines 24
logging buffered debugging
logging trap errors
logging history errors
logging recipient-address Firewall@kenyare.co.ke level errors
logging queue 500
logging host inside 184.108.40.206 6/1026
mtu outside 1500
mtu inside 1500
ip address 220.127.116.11 255.255.255.0
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
access-group ACL_OUT_IN in interface outside
route outside 0.0.0.0 0.0.0.0 18.104.22.168 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username support password Yf12uhqRlWbAtYR. encrypted
username netadmin password Jx0xbhkzRrIpxYnu encrypted
aaa authentication ssh console LOCAL
snmp-server host inside 22.214.171.124 community private
no snmp-server location
no snmp-server contact
snmp-server community KRE
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 126.96.36.199 255.255.255.0 outside
telnet 172.30.0.0 255.255.255.0 outside
telnet 188.8.131.52 255.255.255.0 inside
telnet timeout 5
ssh 184.108.40.206 255.255.255.0 outside
ssh 220.127.116.11 255.255.255.255 outside
ssh 18.104.22.168 255.255.255.0 inside
ssh timeout 30
ssh version 2
console timeout 0
inspect dns maximum-length 512
inspect h323 h225
inspect h323 ras
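An added example, not part of the original post and not a Cisco tool: a small first-match evaluator for the ACL_OUT_IN posted above, with the ACEs from the question embedded as a constructed sample (the addresses are the anonymised ones shown in the post). It shows why the UDP 9996 entry never matches: the ASA walks the access-list top down and stops at the first matching entry, so the "deny ip any any" configured above it shadows the three UDP permits that follow. It ignores NAT, object-groups, ICMP types and port ranges, assumes the standard port numbers for the named services, and uses the router IP from the question as the source of the test packet.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed standard ports for the service names that appear in the posted ACL.
SERVICES = {"https": 443, "smtp": 25, "snmp": 161, "snmptrap": 162}

# ACL_OUT_IN as posted in the question (a constructed sample copied from the
# post; the addresses are the anonymised ones shown there).
ASA_CONFIG_SAMPLE = """
access-list SMTP_OUT remark permit outgoing mail from MXserver
access-list ACL_OUT_IN extended permit icmp any any
access-list ACL_OUT_IN extended permit ip 22.214.171.124 255.255.255.0 any
access-list ACL_OUT_IN extended permit tcp any host 126.96.36.199 eq https
access-list ACL_OUT_IN extended permit tcp 188.8.131.52 255.255.255.0 host 184.108.40.206 eq smtp
access-list ACL_OUT_IN extended permit tcp host 220.127.116.11 host 18.104.22.168 eq smtp
access-list ACL_OUT_IN extended permit tcp host 22.214.171.124 host 126.96.36.199 eq smtp
access-list ACL_OUT_IN extended permit tcp any host 188.8.131.52 eq 993
access-list ACL_OUT_IN extended permit tcp any host 184.108.40.206 eq 995
access-list ACL_OUT_IN extended permit tcp host 220.127.116.11 host 18.104.22.168 eq smtp
access-list ACL_OUT_IN extended permit ip 192.168.205.0 255.255.255.0 any
access-list ACL_OUT_IN extended deny ip any any
access-list ACL_OUT_IN extended permit udp any host 22.214.171.124 eq snmp
access-list ACL_OUT_IN extended permit udp any host 126.96.36.199 eq snmptrap
access-list ACL_OUT_IN extended permit udp any host 188.8.131.52 eq 9996
"""

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # ip, tcp, udp or icmp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port
    text: str                    # original line, kept for reporting


def _parse_addr(tokens, i):
    """Parse an ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' (a netmask, not a wildcard)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # strict=False tolerates host bits set in the network address, as in the posted ACL.
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(config_text, name):
    """Return the extended ACEs of access-list `name` in configured order; remarks and other ACLs are skipped."""
    acl = []
    for line in config_text.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[1] != name or t[2] != "extended":
            continue
        src, i = _parse_addr(t, 5)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":      # ICMP type keywords (echo, unreachable, ...) are ignored here
            dport = int(t[i + 1]) if t[i + 1].isdigit() else SERVICES[t[i + 1]]
        acl.append(Ace(t[3], t[4], src, dst, dport, line))
    return acl


def evaluate(acl, proto, src_ip, dst_ip, dport):
    """First-match lookup as the ASA performs it. Returns (action, index of the matching ACE);
    an index of None means the implicit deny at the end of the list."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for idx, ace in enumerate(acl):
        if ace.proto not in ("ip", proto):
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, idx
    return "deny", None


def move_catch_all_deny_last(acl):
    """Return a copy with every 'deny ip any any' moved to the end, where it belongs
    (it can equally be removed, since the ASA ends every ACL with an implicit deny)."""
    catch_all = [a for a in acl if a.action == "deny" and a.proto == "ip"
                 and a.src == ANY and a.dst == ANY and a.dport is None]
    return [a for a in acl if a not in catch_all] + catch_all


ACL = parse_acl(ASA_CONFIG_SAMPLE, "ACL_OUT_IN")
FIXED = move_catch_all_deny_last(ACL)

if __name__ == "__main__":
    # The NetFlow export: UDP from the router (220.127.116.11 in the post) to the collector on 9996.
    for label, acl in (("as posted", ACL), ("deny moved last", FIXED)):
        action, idx = evaluate(acl, "udp", "220.127.116.11", "188.8.131.52", 9996)
        hit = acl[idx].text if idx is not None else "implicit deny"
        print(f"{label}: {action} by ACE #{idx}: {hit}")
```

The same first-match rule is what makes the SNMP and SNMP trap permits on the two lines above the 9996 entry dead as well, which fits the follow-up that SNMP is also not working. On the real box, "show access-list ACL_OUT_IN" prints the hit counters per ACE; a line that is shadowed this way stays at hitcnt=0 while the deny above it keeps counting.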
Thanks for the response. I tried that, but still no NetFlow traffic is coming in.
Another thing: SNMP is not working either. What could the problem be?
Did you add "ip route-cache flow" under interface g0/1 on your router?
Could you also post the output of "show ip flow export"?
Can you run this on the ASA and post the result:
packet-tracer input outside udp 22.214.171.124 1100 126.96.36.199 9996 detailed
You will know whether the ASA is permitting the NetFlow traffic through from outside to inside, and if not, it will tell you why.
From the output of packet-tracer we can confirm whether the firewall rules are allowing or blocking the traffic in the different phases of packet processing.
Further, applying captures on the firewall ingress and egress interfaces can also be used to verify whether the NetFlow traffic is even reaching the firewall and is being transmitted across or not.
Please use the following link for applying captures on the ASA:
Peter, are those the only NetFlow commands you have applied on the router? Have you applied "ip route-cache flow" on each interface of the router? Check from the router the output of "sh ip cache flow" and "sh ip flow export" and see whether there are actually NetFlow packets in the router cache, and the other cache stats.
Second, since the firewall configuration seems fine (except for the ip any deny, which you said has been removed), have you tried installing Wireshark on the NetFlow server to see whether it is actually receiving NetFlow packets? If it is, disable the software firewall on your server and give it a shot.
Don Thomas Jacob
Head Geek @ SolarWinds - Network Management and Monitoring tools
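An added example, not from the post, from Cisco or from SolarWinds: a minimal NetFlow v5 decoder in Python for checking on the collector host that what arrives on UDP 9996 really is v5 export traffic, as a scriptable alternative to reading it off in Wireshark. The datagram decoded in the test is constructed here with the same builder, not captured from the router; the flows, sequence number and addresses in SAMPLE_FLOWS are made up. The layout used is the standard v5 format (24-byte header followed by up to 30 records of 48 bytes, big-endian). receive_one binds the export port, so the real collector must be stopped first, or the port changed.

```python
import socket
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire format: 24-byte header, then 1..30 records of 48 bytes, all big-endian.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30

# Constructed sample flows (src, dst, ip proto, sport, dport, packets, octets); not a capture.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.1.9", 17, 1100, 9996, 12, 18000),
    ("10.0.0.7", "203.0.113.10", 6, 51514, 443, 40, 5120),
]


def build_v5_datagram(flows, seq=0, uptime_ms=60_000, unix_secs=1_700_000_000, engine_id=0):
    """Assemble a v5 export datagram the way an exporter would; used here only to produce test input."""
    if not 1 <= len(flows) <= V5_MAX_RECORDS:
        raise ValueError("a v5 datagram carries 1..30 records")
    out = bytearray(V5_HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, seq, 0, engine_id, 0))
    for src, dst, proto, sport, dport, pkts, octets in flows:
        out += V5_RECORD.pack(
            IPv4Address(src).packed, IPv4Address(dst).packed, b"\x00" * 4,  # srcaddr, dstaddr, nexthop
            1, 2,                                   # input / output SNMP ifIndex
            pkts, octets,                           # dPkts, dOctets
            uptime_ms - 5_000, uptime_ms - 1_000,   # first / last, in sysuptime ms
            sport, dport,
            0, 0, proto, 0,                         # pad1, tcp_flags, prot, tos
            0, 0, 24, 24, 0)                        # src_as, dst_as, src_mask, dst_mask, pad2
    return bytes(out)


def decode_v5(data):
    """Parse and sanity-check one datagram; raises ValueError with the reason if it is not well-formed v5."""
    if len(data) < V5_HEADER.size:
        raise ValueError(f"{len(data)} bytes is shorter than a v5 header")
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = V5_HEADER.unpack_from(data)
    if version != 5:
        raise ValueError(f"version field is {version}, not 5")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if not 1 <= count <= V5_MAX_RECORDS or len(data) != expected:
        raise ValueError(f"count={count} does not match datagram length {len(data)} (expected {expected})")
    records = []
    for n in range(count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + n * V5_RECORD.size)
        records.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "proto": f[13], "sport": f[9], "dport": f[10],
            "packets": f[5], "octets": f[6],
        })
    # The low 14 bits of the last header field carry the sampling interval; the top 2 are the mode.
    return {"version": version, "count": count, "sequence": seq, "engine_id": eid,
            "sampling_interval": sampling & 0x3FFF, "records": records}


def receive_one(bind_addr="0.0.0.0", port=9996, timeout=30.0):
    """Wait for a single export datagram on the collector port and decode it.
    Stop the real collector first: only one process can own the UDP port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind((bind_addr, port))
        data, peer = s.recvfrom(65535)
    return peer, decode_v5(data)


if __name__ == "__main__":
    peer, parsed = receive_one()
    print(f"v5 export from {peer[0]}: seq {parsed['sequence']}, {parsed['count']} flows")
    for r in parsed["records"]:
        print(f"  {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} proto {r['proto']} {r['packets']} pkts")
```

If receive_one times out while "show ip flow export" on the router shows the datagram counter climbing, the packets are being dropped between the router and the socket: on the ASA (packet-tracer and the interface captures suggested above will show where) or by the host firewall on the server. A peer address that is not the router's export source is also worth noticing, since it means NAT is rewriting the source and the collector may be discarding the export as coming from an unknown device.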