I think the problem is probably the source IP address of the Netflow packets. Normally an ip packet from the router uses the outgoing interface as its source address, and I bet that's not in the crypto ACL.

There is a command `ip flow-export source' that allows you to specify a loopback or other interface as the source, therefore you can specify the source ip address. Make sure this is in the crypto ACL.

Andy

Here are my configs. I use a Cisco 1711 as my Central Office device in my lab and a Cisco 831 as the remote office device. I do have the ip flow-export destination 192.168.0.100 9996 in my remote config. I think the problem might be in the ACL but not sure.

I think that you may need to add these statement to your global config on the 831 remote router:

ip local policy route-map map01

route-map map01

match ip address flow-acl

set ip next-hop 192.168.1.102

exit

ip access-list extended flow-acl

permit ip host 192.168.2.1 192.168.0.0 0.0.0.255

exit

I know that you are running ios 12.3 code, but here is a link to a ios 12.2 mainline release config ref that mentions what that command does:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800ca75a.html#wp1017874

Try these changes and let me know how it works. I suspect that the NAT'ing may not be occuring for the traffic sourced by the router. If the changes that I want you to try do not work out, then run the following commands on the 831:

debug crypto isa

debug crypto ipsec

debug nat (there may be some detailed options for this, if so then enable them to get more output)

Do this when non-production traffic is running thru the router. Then run the telnet to the netflow server from the router console session, using e0 as the source interface - this will simulate a netflow connection to allow the ipsec and nat info to be traced. Post the results here.

Well... I implemented the statements that you suggested and still the Elimra router sends the Netflow traffic out it's outside interface rather than over the VPN tunnel. There must be some specfic command that tells the router to forward anything from itself over the VPN tunnel rather than it's outside non-encrypted tunnel interface.

I noted that you are sending debug messages from the remote router to the same host that you want to export netflow data to - host 192.168.0.100. Are the syslog messages getting sent to that host, over the ipsec vpn tunnel?

Turn on nat debugging, via the debug nat command, and then run a telnet command from the remote router, using e0 as the source interface (same as syslog and netflow source interface address) to the 192.168.0.100 host on port 9996.

Let me know what the nat debug output is. If all goes well, the nat should not happen, due to your nat route-map config (bypass nat for traffic to 192.168.0/24 network).

Well.... I ran the debug ip nat command on the remote VPN Cisco 831 device and also ran a sniffer trace at the central site where the Netflow collector exists. SYSlog messages from the remote 831 device are getting to the central site like they did before. Netflow information on the other hand is not being seen to the central site. The remote Cisco 831 device is sending the Netflow out through its outside NATed interface rather than over the VPN tunnel. It seems that if SYSlog messages are going over the VPN tunnel from the remote Cisco 831 device to the same server where the NetFlow Collector is installed that Netflow data should also do the same.. I'm at a loss at this point.