allow netflow through pix 515e

jerry.mcrae (Level 1)

I have a multilink connected to our ISP that I want to monitor, but it sits outside of our PIX. How can I make this work? I searched this site but didn't find anything that applies to me. I attached a Visio of our network.

I'm sure I'll need a static NAT and an ACL.

Thanks in advance - Jerry.

Accepted Solution

cisco24x7 (Level 6)

1- Are you routing or NAT through the firewall?

2- If you're routing through the firewall, does the router have a static route so that it knows how to get back to the netflow server?

3- If you're natting, are you natting everything behind the firewall to 3.3.3.2? In other words:

nat (inside) 1 172.16.1.0 255.255.255.0
global (outside) 1 interface

4- If item #3 is true, what UDP port is the netflow running on the netflow server? I know that freeware ipflow default is 20000, what do you use?

5- Do this:

static (inside,outside) udp interface 20000 172.16.1.15 20000 netmask 255.255.255.255 (check the syntax).
access-list External permit icmp any any log
access-list External permit ip any any log (test)
access-group External in interface outside

Now configure netflow on the router to point to 3.3.3.2 and you will be good to go.

CCIE Security


4 Replies


1- NAT - I have static routes to the inside - I can ping the netflow box from the PIX.

2- No, the ISP router cannot ping the netflow server via private IP - it can ping the outside int of the PIX though.

3- Yes - nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

4- We're using 9996 UDP.

5- I'll try and reply back.

Thanks - Jerry.

In step five, is the "interface" keyword in the static NAT referring to the outside int on the PIX (3.3.3.2)?

Thanks.

That works - I pointed netflow on the internet router to one of our available public IPs, then I natted the public IP to the internal IP, then I allowed access to the netflow server via an ACL incoming from the outside interface.

Thanks!!!
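The setup the accepted answer sketches and the final post confirms, written out as an added example config (not from the thread or from Cisco documentation) in PIX 6.x/7.x and IOS syntax. 3.3.3.2, 172.16.1.15 and UDP 9996 come from the thread; the spare public IP 3.3.3.5, the router address 3.3.3.1 and the interface name Multilink1 are assumed placeholders. It also narrows the "permit ip any any" test rule to only the export traffic, so the collector is not reachable from the whole Internet.

```cisco
! Constructed example, PIX 515E (pre-8.3 syntax: outside ACLs reference the
! mapped/public address) plus the router outside the firewall.
! Assumed placeholders: 3.3.3.5 = spare public IP dedicated to the collector,
! 3.3.3.1 = router address facing the PIX, Multilink1 = monitored interface.
! From the thread: 3.3.3.2 = PIX outside interface, 172.16.1.15 = collector,
! UDP 9996 = collector port.

! ---------------- PIX 515E ----------------
! Existing dynamic PAT for everything inside (from Jerry's reply)
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Port-restricted static: only UDP 9996 of the spare public IP is mapped
! to the collector, nothing else on 172.16.1.15 is exposed
static (inside,outside) udp 3.3.3.5 9996 172.16.1.15 9996 netmask 255.255.255.255

! Test rule from the accepted answer, used only while proving the path:
! access-list External permit ip any any log

! Production rule: NetFlow export from the router, to the mapped IP, on the
! collector port, and nothing more (the explicit deny gives a syslog trail)
access-list External permit udp host 3.3.3.1 host 3.3.3.5 eq 9996
access-list External deny ip any any log
access-group External in interface outside

! ---------------- Router outside the PIX ----------------
! Collect flows on the multilink and export them toward the mapped IP;
! the PIX translates 3.3.3.5:9996 to the inside collector
interface Multilink1
 ip route-cache flow
!
ip flow-export version 5
ip flow-export source Multilink1
ip flow-export destination 3.3.3.5 9996
```

On the PIX, "show xlate" should list the 3.3.3.5/9996 to 172.16.1.15/9996 translation, and hit counts on "show access-list External" confirm the narrowed rule is the one matching the export packets.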
