[c-nsp] Netflow & NAT problem

news.gmane.org lex at init.net.ua
Thu Feb 23 16:37:13 EST 2006


Hello,

I have a problem with a Cisco 3640: NetFlow does not work properly when NAT is used.

cisco-3640#sh ver
Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3640-IO3-M), Version 12.2(32), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Fri 02-Dec-05 15:19 by
Image text-base: 0x60008930, data-base: 0x60A88000

ROM: System Bootstrap, Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

cisco-3640 uptime is 4 hours, 3 minutes
System returned to ROM by reload
System image file is "flash:c3640-io3-mz.122-32.bin"

cisco 3640 (R4700) processor (revision 0x00) with 61440K/4096K bytes of memory.
Processor board ID 21961002
R4700 CPU at 100Mhz, Implementation 33, Rev 1.0
Bridging software.
X.25 software, Version 3.0.0.
2 Ethernet/IEEE 802.3 interface(s)
1 FastEthernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
DRAM configuration is 64 bits wide with parity disabled.
125K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

When I use debug ip policy I see that my route map works and all NAT traffic goes to Loopback0, where I should see it in NetFlow (as coming in on that interface):

04:04:36: IP: s=66.225.214.106 (Ethernet0/0), d=192.168.23.15, len 40, policy match
04:04:36: IP: route map netflow_nat, item 10, permit
04:04:36: IP: s=66.225.214.106 (Ethernet0/0), d=192.168.23.15 (Loopback0), len 40, policy routed
04:04:36: IP: Ethernet0/0 to Loopback0 192.168.23.15

But as you can see, I get Null instead of Loopback0 in DstIf:

cisco-3640#sh ip cache flow | include 66.225.214.106
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 100C      3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 100F      3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 1008      3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 1007      3
Et0/1         192.168.23.15   Et0/0         66.225.214.106  06 0F57 22B8     22
Et0/0         66.225.214.106  Null          192.168.23.15   06 22B8 0F57     25
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0EAA      3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0EA6      3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0EE3      6
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0EC3      3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0E71      3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0FA9      3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0FBB      3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0F8C      3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0F8F      3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0F98      3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0F94      3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0FEF      3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0FE7      3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0FE3      3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0FF2      3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0FF3      3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0FCF      3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0FC5      3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0FD4      3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0F1C      9
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0F19      6
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0F1A      4
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0F6A      3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0F64      4
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 0F7F      3

I am also showing my config; maybe somebody knows what I can do about this.

Current configuration : 12674 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname cisco-3640
!
boot system flash c3640-io3-mz.122-32.bin
no logging console guaranteed
aaa new-model
!
ip subnet-zero
no ip rcmd domain-lookup
ip rcmd rsh-enable
ip flow-cache entries 4094
ip flow-cache timeout inactive 240
ip flow-cache timeout active 45
ip cef
!
!
ip audit notify log
ip audit po max-events 100
!
!
!
interface Loopback0
ip address 193.xxx.xxx.225 255.255.255.255
no ip unreachables
no ip proxy-arp
ip route-cache flow
no ip mroute-cache
no keepalive
!
interface Tunnel0
ip address 192.168.200.1 255.255.255.0
ip access-group 199 in
ip mtu 1470
ip nat inside
ip route-cache flow
no ip mroute-cache
tunnel source 172.16.1.1
tunnel destination 172.16.0.1
tunnel mode ipip
!
interface Ethernet0/0
ip address 172.16.1.1 255.255.255.0 secondary
ip address 195.xxx.xxx.66 255.255.255.192
ip access-group 199 in
no ip unreachables
no ip proxy-arp
ip nat outside
ip route-cache flow
no ip mroute-cache
ip policy route-map netflow_nat
no keepalive
half-duplex
no cdp enable
!
interface Serial0/0
no ip address
shutdown
!
interface Ethernet0/1
ip address 192.168.4.250 255.255.255.0 secondary
ip address 193.xxx.xxx.253 255.255.255.252 secondary
ip address 193.xxx.xxx.65 255.255.255.192
ip access-group 199 in
no ip unreachables
no ip proxy-arp
ip nat inside
rate-limit input access-group 115 96000 18000 36000 conform-action transmit exceed-action drop
rate-limit input access-group 117 256000 48000 96000 conform-action transmit exceed-action drop
rate-limit input access-group 119 64000 12000 24000 conform-action transmit exceed-action drop
rate-limit input access-group 121 96000 18000 36000 conform-action transmit exceed-action drop
rate-limit input access-group 123 96000 18000 36000 conform-action transmit exceed-action drop
rate-limit input access-group 125 96000 18000 36000 conform-action transmit exceed-action drop
rate-limit input access-group 127 96000 18000 36000 conform-action transmit exceed-action drop
rate-limit input access-group 129 64000 12000 24000 conform-action transmit exceed-action drop
rate-limit input access-group 131 64000 12000 24000 conform-action transmit exceed-action drop
rate-limit input access-group 135 64000 12000 24000 conform-action transmit exceed-action drop
rate-limit input access-group 137 128000 24000 48000 conform-action transmit exceed-action drop
rate-limit input access-group 139 64000 12000 24000 conform-action transmit exceed-action drop
ip route-cache flow
no ip mroute-cache
no keepalive
half-duplex
traffic-shape group 116 96000 12000 12000 128
traffic-shape group 118 256000 32000 32000 128
traffic-shape group 120 64000 8000 8000 128
traffic-shape group 122 96000 12000 12000 128
traffic-shape group 124 96000 12000 12000 128
traffic-shape group 126 96000 12000 12000 128
traffic-shape group 128 96000 12000 12000 128
traffic-shape group 130 64000 8000 8000 128
traffic-shape group 132 64000 8000 8000 128
traffic-shape group 136 64000 8000 8000 128
traffic-shape group 138 128000 16000 16000 128
traffic-shape group 140 64000 8000 8000 128
no cdp enable
!
interface Serial0/1
no ip address
shutdown
!
interface FastEthernet2/0
ip address 193.xxx.xxx.9 255.255.255.192
ip access-group 199 in
no ip unreachables
no ip proxy-arp
ip nat inside
rate-limit input access-group 111 512000 96000 192000 conform-action transmit exceed-action drop
rate-limit input access-group 113 96000 18000 36000 conform-action transmit exceed-action drop
rate-limit input access-group 133 32000 6000 12000 conform-action transmit exceed-action drop
ip route-cache flow
no ip mroute-cache
no keepalive
speed 100
full-duplex
traffic-shape group 112 512000 32000 32000 512
traffic-shape group 114 96000 12000 12000 128
traffic-shape group 134 32000 4000 4000 128
no cdp enable
!
ip nat inside source list 5 interface Ethernet0/0 overload
ip nat inside source list 102 interface Ethernet0/0 overload
ip flow-export source FastEthernet2/0
ip flow-export version 5
ip flow-export destination 193.xxx.xxx.1 2100
ip classless
no ip http server
!
access-list 5 permit 192.168.1.249
access-list 5 permit 192.168.1.253
access-list 5 permit 192.168.4.0 0.0.0.255
access-list 5 permit 192.168.12.0 0.0.0.255
access-list 5 permit 192.168.14.0 0.0.0.255
access-list 5 permit 192.168.23.0 0.0.0.255
access-list 5 permit 192.168.6.0 0.0.0.255
access-list 5 permit 192.168.29.0 0.0.0.255
access-list 5 permit 192.168.20.0 0.0.0.255
access-list 5 permit 192.168.5.0 0.0.0.255
access-list 5 permit 192.168.30.0 0.0.0.255
access-list 102 permit ip any host 212.109.57.226
access-list 102 permit ip any host 213.186.198.70
access-list 102 permit ip any host 62.244.21.62
access-list 102 permit ip any host 212.82.220.134
access-list 103 permit ip any 192.168.0.0 0.0.255.255
access-list 199 remark Zhashishaemsa ot nekotorih virusov
access-list 199 deny   tcp any any eq 135
access-list 199 deny   udp any any eq 135
access-list 199 permit ip any any
!
route-map netflow_nat permit 10
match ip address 103
set interface Loopback0 Ethernet0/0
!
line con 0
line aux 0
line vty 0 4
!
end
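As an added example (not from the original post or from Cisco), a small Python parser for the poster's `sh ip cache flow` listing: it decodes the hex protocol and port columns, totals packets per (SrcIf, DstIf) path, and lists the flows that were cached with a Null destination interface, which is exactly where the post-NAT accounting goes missing. The sample lines are a subset of the cache output above.

```python
"""Parse Cisco IOS 'show ip cache flow' lines and report flows whose DstIf is
Null. Added example, not code from the post; SAMPLE is a subset of the
poster's output (classic 8-column NetFlow cache format)."""
from collections import defaultdict

# Constructed sample: four lines taken from the poster's cache listing.
SAMPLE = """\
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 100C      3
Et0/0         66.225.214.106  Null          192.168.23.15   06 0050 100F      3
Et0/1         192.168.23.15   Et0/0         66.225.214.106  06 0F57 22B8     22
Et0/0         66.225.214.106  Null          192.168.23.15   06 22B8 0F57     25
"""

PROTO = {1: "icmp", 6: "tcp", 17: "udp"}  # IP protocol numbers seen in the Pr column

def parse_flow_line(line):
    """Split one cache line into a dict; Pr, SrcP and DstP are hex in IOS output."""
    f = line.split()
    if len(f) != 8:
        raise ValueError("unexpected column count: %r" % line)
    return {
        "src_if": f[0], "src_ip": f[1], "dst_if": f[2], "dst_ip": f[3],
        "proto": PROTO.get(int(f[4], 16), f[4]),
        "src_port": int(f[5], 16), "dst_port": int(f[6], 16),
        "pkts": int(f[7]),
    }

def parse_cache(text):
    return [parse_flow_line(l) for l in text.splitlines() if l.strip()]

def null_dstif_flows(flows):
    """Flows cached with DstIf Null: no egress interface was attributed, so the
    export carries no post-NAT interface information for them."""
    return [f for f in flows if f["dst_if"] == "Null"]

def packets_by_path(flows):
    """Packet totals per (SrcIf, DstIf), exposing the direction asymmetry."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src_if"], f["dst_if"])] += f["pkts"]
    return dict(totals)

if __name__ == "__main__":
    flows = parse_cache(SAMPLE)
    for (s, d), n in sorted(packets_by_path(flows).items()):
        print("%-6s -> %-6s %5d pkts" % (s, d, n))
    for f in null_dstif_flows(flows):
        print("Null egress: %s:%d -> %s:%d (%s)" % (
            f["src_ip"], f["src_port"], f["dst_ip"], f["dst_port"], f["proto"]))
```

Run it against a full `sh ip cache flow` capture to see which paths never get an egress interface; on the poster's box every outside-to-inside flow lands on Null while the reply direction is attributed to Et0/0.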


