03-25-2008 10:54 AM - edited 03-11-2019 05:21 AM
I have a multilink connected to our ISP that I want to monitor, but it sits outside of our PIX. How can I make this work? I searched this site but didn't find anything that applies to me. I attached a Visio of our network.
I'm sure I'll need a static NAT and an ACL.
Thanks in advance - Jerry.
03-25-2008 11:20 AM
1- Are you routing or NATing through the firewall?
2- If you're routing through the firewall, does the router have a static route so that it knows how to get back to the NetFlow server?
3- If you're NATing, are you NATing everything behind the firewall to 3.3.3.2? In other words:
nat (inside) 1 172.16.1.0 255.255.255.0
global (outside) 1 interface
4- If item #3 is true, what UDP port is NetFlow running on the NetFlow server? I know that the freeware ipflow default is 20000; what do you use?
5- Do this:
static (inside,outside) tcp interface 20000 172.16.1.15 20000 netmask 255.255.255.255 (check the syntax).
access-list External permit icmp any any log
access-list External permit ip any any log (test)
access-group External in interface outside
Now configure NetFlow on the router to point to 3.3.3.2 and you will be good to go.
CCIE Security
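The answer above uses a wide-open `permit ip any any` entry for testing. As an added example (not the poster's own config), here is the same port-forward written for the UDP port the thread settles on (9996) next to an inbound ACL that only admits NetFlow datagrams from the ISP router; the router's address is not on the page, so `ROUTER_PUBLIC_IP` is a placeholder.

```cisco
! --- Test configuration from the answer (everything inbound is allowed) ---
! static (inside,outside) tcp interface 20000 172.16.1.15 20000 netmask 255.255.255.255
! access-list External permit ip any any log
! access-group External in interface outside

! --- Tightened configuration (assumed PIX 6.x port-redirection syntax) ---
! NetFlow is UDP, so redirect UDP/9996 on the outside interface (3.3.3.2)
! to the internal collector 172.16.1.15.
static (inside,outside) udp interface 9996 172.16.1.15 9996 netmask 255.255.255.255

! Permit only the ISP router (placeholder address) to reach the collector port.
access-list External permit udp host ROUTER_PUBLIC_IP host 3.3.3.2 eq 9996
! Keep logging on so hits can be checked with "show access-list External".
access-list External permit icmp any any log
! Everything else inbound falls through to the implicit deny.

access-group External in interface outside
```

Verify with `show xlate` (the static should appear) and the hit counter on `show access-list External` once the router is exporting to 3.3.3.2.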
03-25-2008 12:03 PM
1- NAT - I have static routes to the inside - I can ping the NetFlow box from the PIX.
2- No, the ISP router cannot ping the NetFlow server via the private IP - it can ping the outside interface of the PIX though.
3- Yes - nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
4- We're using 9996 UDP.
5- I'll try and reply back.
Thanks - Jerry.
03-25-2008 12:06 PM
In step five, the "interface" keyword in the static NAT is referring to the outside interface on the PIX (3.3.3.2)?
Thanks.
03-25-2008 05:53 PM
That works - I pointed NetFlow on the Internet router to one of our available public IPs, then I NATed the public IP to the internal IP, then I allowed access to the NetFlow server via an ACL incoming on the outside interface.
Thanks!!!