
Currently NetFlow is showing destination (of inbound traffic) as our outside IP rather than inside IP. Also, for all outbound traffic, it is showing the source as our firewall rather than workstations. Any ideas about how to find the true source/destination for these?

  • Could you share the model of your router and the application you're using for collecting the netflow data? (mostly for curiosity, I'd like to know what's out there that **works** for people) – l0c0b0x Jun 04 '10 at 20:40
  • Cisco 2800 router using Scrutinizer (from plixer) – DeliriumTremens Jun 04 '10 at 21:25
  • Most Cisco routers should be able to export NetFlow data. I've used various collectors, both FOSS and commercial. – Vatine Jul 02 '10 at 15:40

3 Answers


I agree with the previous answer. We have 8 routers I monitor netflow on and this is the method I have used.

CaptAwesom

I take it you have a set-up somewhat similar to this:

LAN - FW - Router ---- Internet

With NATing in the firewall? If so, there's no obvious way you can get true destinations directly in NetFlow, because as far as the router is concerned, the only source of packets is the NAT pool in the firewall. It may be possible to extract the NAT mappings from the firewall on a regular basis, then post-process the NetFlow data, but I suspect it would require some bespoke coding and be error-prone.

In short, no, I think you're out of luck.

Edit:

If we take a few liberties with actual IP addresses: Inside: 192.168.0.0/24 NAT pool: 172.27.10.3 - 172.27.10.5

Let us trace a TCP packet from inside host 192.168.0.17 to outside host 66.102.9.104

Source IP: 192.168.0.17  [ INSIDE ]
Source port: 16732
Dest IP: 66.102.9.104
Dest port: 80
-------------------
NAT location
-------------------
Source IP: 172.27.10.3   [ OUTSIDE ]
Source port: 16732
Dest IP: 66.102.9.104
Dest port: 80

Eventually a return packet arrives:

Source IP: 66.102.9.104  [ OUTSIDE ]
Source port: 80
Dest IP: 172.27.10.3
Dest port: 16732
-------------------
NAT location
-------------------
Source IP: 66.102.9.104  [ INSIDE ]
Source port: 80
Dest IP: 192.168.0.17
Dest port: 16732

As the NAT happens in the firewall, the router only ever sees the "outside" addresses and is unable to correlate the "inside" IP to any given packet.

Vatine
  • So the NATing in the firewall is also obscuring the destination of inbound packets from the internet, even though the netflow traffic is being processed before it hits the firewall? I understand the outbound traffic will be screwed up since it hits the firewall first, but the inbound traffic shouldn't be NATted yet. – DeliriumTremens Jun 07 '10 at 15:15
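The post-processing Vatine sketches (dump the firewall's NAT table, then rewrite the NAT-pool end of each flow record back to the inside host) looks like this in practice. This is an added example and not code from the original thread; the NAT table text is a constructed sample in the column layout of Cisco `show ip nat translations`, the flow records are constructed 5-tuples as a router outside the firewall would export them, and the pool addresses 172.27.10.3-5 and inside hosts follow the answer's own example. The `Flow` class and function names are this example's, not a collector's API.

```python
"""Recover inside hosts from NetFlow records exported outside a NAT firewall.

Added example, not code from the original thread. It assumes:
  * the firewall's NAT table can be dumped as text in the column layout of
    Cisco 'show ip nat translations' (the sample below is constructed);
  * the router exports flows after NAT, so every record carries a pool
    address (172.27.10.3-5, from the answer) on the inside end;
  * one table snapshot is current for all sample flows; a real deployment
    must match each flow to the snapshot current at the flow's start time.
"""
import ipaddress
from dataclasses import dataclass, replace

NAT_POOL = {ipaddress.ip_address(f"172.27.10.{n}") for n in (3, 4, 5)}

# Constructed sample of the firewall's active translations.
NAT_TABLE_TEXT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 172.27.10.3:16732  192.168.0.17:16732 66.102.9.104:80    66.102.9.104:80
tcp 172.27.10.3:40111  192.168.0.42:40111 66.102.9.104:443   66.102.9.104:443
udp 172.27.10.4:53022  192.168.0.9:53022  8.8.8.8:53         8.8.8.8:53
tcp 172.27.10.5:443    192.168.0.200:443  ---                ---
"""


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    bytes: int
    inside: str = ""  # set to the recovered inside host, "" if none was found


# Constructed flows, exactly as a router outside the firewall would see them.
FLOWS = [
    Flow("tcp", "172.27.10.3", 16732, "66.102.9.104", 80, 1520),    # outbound web
    Flow("tcp", "66.102.9.104", 80, "172.27.10.3", 16732, 48210),   # its return traffic
    Flow("tcp", "198.51.100.7", 51234, "172.27.10.5", 443, 900),    # inbound to static NAT
    Flow("tcp", "172.27.10.3", 55555, "203.0.113.9", 22, 300),      # mapping already expired
]


def parse_nat_table(text):
    """Map (proto, inside-global ip, port) -> (inside-local ip, port)."""
    table = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) < 3:
            continue
        proto, glob, local = parts[0], parts[1], parts[2]
        gip, gport = glob.rsplit(":", 1)
        lip, lport = local.rsplit(":", 1)
        table[(proto, gip, int(gport))] = (lip, int(lport))
    return table


def denat(flow, table):
    """Rewrite whichever end of the flow is a NAT-pool address back to the inside host.

    Lookup is by (proto, pool address, port), so port-rewriting PAT is handled.
    A flow whose mapping is missing (expired, or the table was dumped at the
    wrong moment) is returned untouched with inside == "".
    """
    if ipaddress.ip_address(flow.src) in NAT_POOL:
        hit = table.get((flow.proto, flow.src, flow.sport))
        if hit:
            return replace(flow, src=hit[0], sport=hit[1], inside=hit[0])
    if ipaddress.ip_address(flow.dst) in NAT_POOL:
        hit = table.get((flow.proto, flow.dst, flow.dport))
        if hit:
            return replace(flow, dst=hit[0], dport=hit[1], inside=hit[0])
    return flow


def denat_all(flows, table):
    return [denat(f, table) for f in flows]


def bytes_by_inside_host(flows):
    """Per-workstation byte totals; unresolved flows are deliberately excluded."""
    totals = {}
    for f in flows:
        if f.inside:
            totals[f.inside] = totals.get(f.inside, 0) + f.bytes
    return totals


if __name__ == "__main__":
    table = parse_nat_table(NAT_TABLE_TEXT)
    resolved = denat_all(FLOWS, table)
    for f in resolved:
        print(f"{f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport} "
              f"inside={f.inside or 'UNRESOLVED'}")
    print(bytes_by_inside_host(resolved))
```

The fourth sample flow shows why the answer calls this error-prone: a translation that has timed out between polls leaves the flow unresolvable, and with PAT the same pool port can be handed to a different inside host a few seconds later, so keying only on (proto, address, port) without a timestamp will eventually attribute traffic to the wrong workstation. Poll the table often, record when each snapshot was taken, and count unresolved flows so you know how much of the data this approach is actually recovering; if the firewall itself can export flow records, that removes the correlation problem entirely.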

It's been a while since I played with this, but I think that I had a similar problem. If memory serves, I had to tell IOS to reference the traffic from my LAN interface instead of my WAN interface. Obviously this is dependent on your topology, but I think the following command solved it for me:

ip flow-export source FastEthernet0/0
jj33