10-09-2013 06:29 AM - edited 03-11-2019 07:49 PM
Hi guys
I have configured the router to forward traffic to my server hosting netflow
My Netflow server IP is 192.9.200.7 and its listening on port 9996
My router IP is 192.9.200.254
and netflow has been enabled with following commands
ip flow-export source GigabitEthernet0/1
ip flow-export version 5
ip flow-export destination 192.9.200.7 9996
The network is switch ---> Cisco ASA ---> router.
My problem is that my NetFlow traffic from the router is not reaching the NetFlow server, hence I cannot get info, and I am told it's the firewall blocking.
Kindly assist and tell me whether my firewall configs are the problem.
interface Ethernet0/0
nameif outside
security-level 0
!
interface Ethernet0/1
nameif inside
security-level 100
!
interface Ethernet0/2
shutdown
no nameif
no security-level
!
interface Management0/0
shutdown
no nameif
no security-level
management-only
!
banner motd #
banner motd # This is Kenya Re network. No unauthorized access is allowed - such access will be prosecuted. Access requests to be forwaded to the ICT Team. #
ftp mode passive
access-list 100 extended permit icmp any any
access-list 100 extended permit icmp any any echo
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any unreachable
access-list SMTP_OUT remark permit outgoing mail from MXserver
access-list ACL_OUT_IN extended permit icmp any any
access-list ACL_OUT_IN extended permit ip 192.9.200.0 255.255.255.0 any
access-list ACL_OUT_IN extended permit tcp any host 192.9.200.5 eq https
access-list ACL_OUT_IN extended permit tcp 196.200.16.0 255.255.255.0 host 192.9.200.5 eq smtp
access-list ACL_OUT_IN extended permit tcp host 217.21.112.60 host 192.9.200.5 eq smtp
access-list ACL_OUT_IN extended permit tcp host 80.240.192.30 host 192.9.200.5 eq smtp
access-list ACL_OUT_IN extended permit tcp any host 192.9.200.5 eq 993
access-list ACL_OUT_IN extended permit tcp any host 192.9.200.5 eq 995
access-list ACL_OUT_IN extended permit tcp host 41.206.48.74 host 192.9.200.5 eq smtp
access-list ACL_OUT_IN extended permit ip 192.168.205.0 255.255.255.0 any
access-list ACL_OUT_IN extended deny ip any any
access-list ACL_OUT_IN extended permit udp any host 192.9.200.7 eq snmp
access-list ACL_OUT_IN extended permit udp any host 192.9.200.7 eq snmptrap
access-list ACL_OUT_IN extended permit udp any host 192.9.200.7 eq 9996
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging trap errors
logging history errors
logging recipient-address Firewall@kenyare.co.ke level errors
logging queue 500
logging host inside 192.9.200.7 6/1026
mtu outside 1500
mtu inside 1500
ip address 192.9.200.20 255.255.255.0
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
access-group ACL_OUT_IN in interface outside
route outside 0.0.0.0 0.0.0.0 192.9.200.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username support password Yf12uhqRlWbAtYR. encrypted
username netadmin password Jx0xbhkzRrIpxYnu encrypted
aaa authentication ssh console LOCAL
snmp-server host inside 192.9.200.7 community private
no snmp-server location
no snmp-server contact
snmp-server community KRE
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.9.200.0 255.255.255.0 outside
telnet 172.30.0.0 255.255.255.0 outside
telnet 192.9.200.0 255.255.255.0 inside
telnet timeout 5
ssh 192.9.200.0 255.255.255.0 outside
ssh 41.206.48.74 255.255.255.255 outside
ssh 192.9.200.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
10-10-2013 04:25 AM
Hi
no access-list ACL_OUT_IN extended deny ip any any
Please try.
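The reply above removes the `deny ip any any` that sits in front of the three UDP entries for 192.9.200.7. An ASA extended access-list is evaluated top-down and the first matching entry wins, so any entry placed after a broader deny can never be reached. The script below is an added example (not from the thread or from Cisco): it loads the ACL_OUT_IN entries exactly as posted, applies the same first-match rule to a packet described by protocol, source, destination and destination port (ICMP types, source ports and object-groups are not modelled), and lists entries that an earlier entry fully covers. The evaluation is a plain model of the ACL, not a substitute for `packet-tracer`, which also reports the NAT, route and inspection phases.

```python
"""First-match evaluation of an ASA extended access-list, plus detection of entries
that an earlier entry makes unreachable. Added example; ACL text is copied from the post."""
import ipaddress

# Service names the ASA accepts after "eq"; only those used by the posted list are needed.
PORT_NAMES = {"https": 443, "smtp": 25, "snmp": 161, "snmptrap": 162, "www": 80}
ANY = ipaddress.ip_network("0.0.0.0/0")

# ACL_OUT_IN as posted above; the remark line shows that non-ACE lines are skipped.
POSTED_CONFIG = """\
access-list SMTP_OUT remark permit outgoing mail from MXserver
access-list ACL_OUT_IN extended permit icmp any any
access-list ACL_OUT_IN extended permit ip 192.9.200.0 255.255.255.0 any
access-list ACL_OUT_IN extended permit tcp any host 192.9.200.5 eq https
access-list ACL_OUT_IN extended permit tcp 196.200.16.0 255.255.255.0 host 192.9.200.5 eq smtp
access-list ACL_OUT_IN extended permit tcp host 217.21.112.60 host 192.9.200.5 eq smtp
access-list ACL_OUT_IN extended permit tcp host 80.240.192.30 host 192.9.200.5 eq smtp
access-list ACL_OUT_IN extended permit tcp any host 192.9.200.5 eq 993
access-list ACL_OUT_IN extended permit tcp any host 192.9.200.5 eq 995
access-list ACL_OUT_IN extended permit tcp host 41.206.48.74 host 192.9.200.5 eq smtp
access-list ACL_OUT_IN extended permit ip 192.168.205.0 255.255.255.0 any
access-list ACL_OUT_IN extended deny ip any any
access-list ACL_OUT_IN extended permit udp any host 192.9.200.7 eq snmp
access-list ACL_OUT_IN extended permit udp any host 192.9.200.7 eq snmptrap
access-list ACL_OUT_IN extended permit udp any host 192.9.200.7 eq 9996
"""


def _parse_addr(tokens):
    """Consume an ASA address spec (any | host A | A MASK); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(text, name):
    """Return the extended ACEs of access-list `name`, in configured order."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:3] != ["access-list", name, "extended"]:
            continue  # other lists, remarks, blank lines
        src, rest = _parse_addr(tokens[5:])
        dst, rest = _parse_addr(rest)
        port = None
        if rest[:1] == ["eq"]:  # only "eq PORT" is modelled; icmp types are ignored
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        aces.append({"line": line.strip(), "action": tokens[3], "proto": tokens[4],
                     "src": src, "dst": dst, "port": port})
    return aces


def first_match(aces, proto, src, dst, dport=None):
    """Top-down evaluation; returns (action, index) or ("deny", None) for the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, a in enumerate(aces):
        if a["proto"] not in ("ip", proto):
            continue
        if s not in a["src"] or d not in a["dst"]:
            continue
        if a["port"] is not None and a["port"] != dport:
            continue
        return a["action"], i
    return "deny", None


def _covers(earlier, later):
    """True if every packet that could match `later` is already matched by `earlier`."""
    proto_ok = earlier["proto"] in ("ip", later["proto"])
    port_ok = earlier["port"] is None or earlier["port"] == later["port"]
    return (proto_ok and port_ok and later["src"].subnet_of(earlier["src"])
            and later["dst"].subnet_of(earlier["dst"]))


def shadowed(aces):
    """Indices of entries that can never match because an earlier entry fully covers them."""
    return [j for j, a in enumerate(aces) if any(_covers(aces[i], a) for i in range(j))]


if __name__ == "__main__":
    acl = parse_acl(POSTED_CONFIG, "ACL_OUT_IN")
    # The packet from the packet-tracer suggestion further down the thread.
    print("router -> collector udp/9996:", first_match(acl, "udp", "192.9.200.254", "192.9.200.7", 9996))
    for j in shadowed(acl):
        print("unreachable:", acl[j]["line"])
```

Run against the list as posted, the export packet from 192.9.200.254 is permitted by the `permit ip 192.9.200.0 255.255.255.0 any` entry (index 1) before the deny is ever consulted, while the three UDP entries for 192.9.200.7 are reported as unreachable behind `deny ip any any`. Removing that deny, as the reply suggests, makes them reachable for sources outside 192.9.200.0/24 and leaves only the implicit deny at the end.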
10-14-2013 09:45 PM
Hi
Thanks for the response. I tried that, but still no NetFlow traffic is coming in.
Another thing: SNMP is not working either. What could the problem be?
Kindly assist.
10-15-2013 09:43 PM
Anyone with any idea? I'm stuck.
10-16-2013 03:37 AM
Hi,
Did you add the "ip route-cache flow" under interface g0/1 on your router?
Could you also post the output of "show ip flow export."
Sent from Cisco Technical Support iPhone App
10-16-2013 03:55 AM
Hi,
Can you do this on the ASA and post result:
packet-tracer input outside udp 192.9.200.254 1100 192.9.200.7 9996 detailed
Regards
Alain
10-18-2013 04:16 AM
Hi Cadet,
Why have you used port number 1100 as the source port? I think this is for NetFlow.
10-18-2013 04:30 AM
I just took a random port > 1024 like any client would do.
Regards
Alain
Don't forget to rate helpful posts.
10-18-2013 04:49 AM
sir,
What valuable finding can we get from the mentioned commands?
10-18-2013 06:49 AM
Hi,
You will know whether the ASA is permitting NetFlow traffic through from outside to inside, and if not, it will tell you why.
Regards
Alain
10-18-2013 07:07 AM
Hi Rohit,
From the output of packet-tracer we can confirm whether the firewall rules are allowing or blocking the traffic in the different phases of packet processing.
Further, applying captures on the firewall ingress and egress interfaces can also be used to verify whether the NetFlow traffic is even reaching the firewall and is getting transmitted across or not.
Please use following link for applying captures on ASA:
https://supportforums.cisco.com/docs/DOC-17814
Cheers,
Naveen
10-21-2013 02:40 AM
Peter, are those the only NetFlow commands you have applied on the router? Have you applied "ip route-cache flow" on each interface of the router? Check from the router the output of "sh ip cache flow" and "sh ip flow export" and see whether there are actually NetFlow packets in the router cache and other cache stats.
Second, since the firewall configuration seems fine (except for the ip any deny, which you said has been removed), have you tried installing Wireshark on the NetFlow server to see whether it is actually receiving NetFlow packets? If it is, disable the software firewall on your server and give it a shot.
Regards,
Don Thomas Jacob
Head Geek @ SolarWinds - Network Management and Monitoring tools
NOTE: Please rate and close questions if you found any of the answers helpful.
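Naveen's and Don's replies come down to the same check: is anything actually arriving on UDP/9996 at the collector host? Wireshark answers that, but so does a short listener bound to the same port, with the advantage that it parses the datagram and therefore also catches exports that arrive but are truncated or not version 5. This is an added example, not part of the thread or of any Cisco tool; the packet it builds is constructed test data laid out per the public NetFlow v5 format (24-byte header, 48-byte records, at most 30 records per datagram), and the addresses in it are taken from the post purely as placeholders.

```python
"""Minimal NetFlow v5 receiver and parser, so arrival at the collector can be confirmed
without Wireshark. Added example; the sample datagram is constructed test data."""
import ipaddress
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")             # 24 bytes
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # 48 bytes
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling_interval")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dpkts", "doctets",
                 "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
                 "src_as", "dst_as", "src_mask", "dst_mask", "pad2")


def parse_v5(datagram):
    """Parse one v5 export datagram into (header dict, list of record dicts).

    Raises ValueError for anything that is not a well-formed v5 packet, so a listener
    can tell real exports from stray UDP that happens to hit port 9996."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    header = dict(zip(HEADER_FIELDS, V5_HEADER.unpack_from(datagram, 0)))
    if header["version"] != 5:
        raise ValueError(f"not NetFlow v5 (version field = {header['version']})")
    if not 1 <= header["count"] <= 30:
        raise ValueError(f"v5 record count out of range: {header['count']}")
    expected = V5_HEADER.size + header["count"] * V5_RECORD.size
    if len(datagram) != expected:
        raise ValueError(f"length {len(datagram)} != {expected} for {header['count']} records")
    records = []
    for i in range(header["count"]):
        raw = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(RECORD_FIELDS, raw))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = str(ipaddress.IPv4Address(rec[key]))
        records.append(rec)
    return header, records


def is_v5(datagram):
    """True if the datagram parses as NetFlow v5."""
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


def build_v5(flows, sys_uptime=123456, unix_secs=1381795200, flow_sequence=1):
    """Build a v5 datagram from (src, dst, proto, sport, dport, pkts, octets) tuples.
    Test data only; a real exporter fills these from its flow cache."""
    header = V5_HEADER.pack(5, len(flows), sys_uptime, unix_secs, 0, flow_sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(int(ipaddress.IPv4Address(s)), int(ipaddress.IPv4Address(d)), 0,
                       1, 2, pkts, octets, sys_uptime - 5000, sys_uptime - 100,
                       sp, dp, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)
        for s, d, proto, sp, dp, pkts, octets in flows)
    return header + body


def sample_packet():
    """Constructed export: one SMTP flow and one SNMP poll, addresses from the post as placeholders."""
    return build_v5([("192.9.200.5", "196.200.16.10", 6, 49152, 25, 12, 7800),
                     ("192.9.200.7", "192.9.200.254", 17, 50000, 161, 1, 92)])


def receive_one(bind_addr="0.0.0.0", port=9996, timeout=None):
    """Bind like the collector would and return (exporter_ip, header, records) for the first
    well-formed v5 datagram; None on timeout. Stop the collector first; only one process can bind."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        sock.settimeout(timeout)
        try:
            data, (exporter, _) = sock.recvfrom(65535)
        except socket.timeout:
            return None
    header, records = parse_v5(data)
    return exporter, header, records


if __name__ == "__main__":
    hdr, recs = parse_v5(sample_packet())
    print(f"v{hdr['version']} seq={hdr['flow_sequence']} records={hdr['count']}")
    for r in recs:
        print(f"  {r['srcaddr']}:{r['srcport']} -> {r['dstaddr']}:{r['dstport']} proto={r['prot']} octets={r['doctets']}")
```

Run `receive_one(timeout=60)` on the NetFlow server with the collector software stopped. If it returns an exporter address of 192.9.200.254 and a parsed header, the path through the ASA is fine and the problem is in the collector; if it times out while `show ip flow export` on the router shows the datagram counter increasing, the packets are being lost in between, which is where the ASA captures suggested above come in.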