[c-nsp] Netflow & NAT problem
Tom Zingale (tomz)
tomz at cisco.com
Thu Feb 23 17:21:18 EST 2006
The destination null 0 usually means the packets for the flow are not switched out the box. NetFlow also runs before other features in the switching path and may not be aware of loopback 0 and reports null.
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of news.gmane.org
> Sent: Thursday, February 23, 2006 1:37 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Netflow & NAT problem
>
> Hello,
>
> I have a problem with a Cisco 3640 with NetFlow when NAT is used.
>
> cisco-3640#sh ver
> Cisco Internetwork Operating System Software
> IOS (tm) 3600 Software (C3640-IO3-M), Version 12.2(32), RELEASE SOFTWARE (fc1)
> Copyright (c) 1986-2005 by cisco Systems, Inc.
> Compiled Fri 02-Dec-05 15:19 by
> Image text-base: 0x60008930, data-base: 0x60A88000
>
> ROM: System Bootstrap, Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
>
> cisco-3640 uptime is 4 hours, 3 minutes
> System returned to ROM by reload
> System image file is "flash:c3640-io3-mz.122-32.bin"
>
> cisco 3640 (R4700) processor (revision 0x00) with 61440K/4096K bytes of memory.
> Processor board ID 21961002
> R4700 CPU at 100Mhz, Implementation 33, Rev 1.0
> Bridging software.
> X.25 software, Version 3.0.0.
> 2 Ethernet/IEEE 802.3 interface(s)
> 1 FastEthernet/IEEE 802.3 interface(s)
> 2 Serial network interface(s)
> DRAM configuration is 64 bits wide with parity disabled.
> 125K bytes of non-volatile configuration memory.
> 8192K bytes of processor board System flash (Read/Write)
>
> Configuration register is 0x2102
>
> When I use debug ip policy I see that my route map works and all NAT
> traffic goes to Loopback0, where I should see it in NetFlow (as coming to
> the interface)
>
> 04:04:36: IP: s=66.225.214.106 (Ethernet0/0), d=192.168.23.15, len 40,
> policy match
> 04:04:36: IP: route map netflow_nat, item 10, permit
> 04:04:36: IP: s=66.225.214.106 (Ethernet0/0), d=192.168.23.15
> (Loopback0), len 40, policy routed
> 04:04:36: IP: Ethernet0/0 to Loopback0 192.168.23.15
>
> But as you can see, I have Null instead of Loopback0 in DstInt:
>
> cisco-3640#sh ip cache flow | include 66.225.214.106
> Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 100C 3
> Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 100F 3
> Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 1008 3
> Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 1007 3
> Et0/1 192.168.23.15 Et0/0 66.225.214.106 06 0F57 22B8 22
> Et0/0 66.225.214.106 Null 192.168.23.15 06 22B8 0F57 25
> Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0EAA 3
> Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0EA6 3
> Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0EE3 6
> Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0EC3 3
> Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0E71 3
> Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0FA9 3
> Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0FBB 3
> Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0F8C 3
> Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0F8F 3
> Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0F98 3
> Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0F94 3
> Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0FEF 3
> Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0FE7 3
> Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0FE3 3
> Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0FF2 3
> Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0FF3 3
> Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0FCF 3
> Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0FC5 3
> Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0FD4 3
> Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0F1C 9
> Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0F19 6
> Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0F1A 4
> Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0F6A 3
> Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0F64 4
> Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0F7F 3
>
> I am also showing my config; maybe somebody knows what I can do about it.
>
> Current configuration : 12674 bytes
> !
> version 12.2
> service timestamps debug uptime
> service timestamps log uptime
> service password-encryption
> !
> hostname cisco-3640
> !
> boot system flash c3640-io3-mz.122-32.bin
> no logging console guaranteed
> aaa new-model
> !
> ip subnet-zero
> no ip rcmd domain-lookup
> ip rcmd rsh-enable
> ip flow-cache entries 4094
> ip flow-cache timeout inactive 240
> ip flow-cache timeout active 45
> ip cef
> !
> !
> ip audit notify log
> ip audit po max-events 100
> !
> !
> !
> interface Loopback0
> ip address 193.xxx.xxx.225 255.255.255.255
> no ip unreachables
> no ip proxy-arp
> ip route-cache flow
> no ip mroute-cache
> no keepalive
> !
> interface Tunnel0
> ip address 192.168.200.1 255.255.255.0
> ip access-group 199 in
> ip mtu 1470
> ip nat inside
> ip route-cache flow
> no ip mroute-cache
> tunnel source 172.16.1.1
> tunnel destination 172.16.0.1
> tunnel mode ipip
> !
> interface Ethernet0/0
> ip address 172.16.1.1 255.255.255.0 secondary
> ip address 195.xxx.xxx.66 255.255.255.192
> ip access-group 199 in
> no ip unreachables
> no ip proxy-arp
> ip nat outside
> ip route-cache flow
> no ip mroute-cache
> ip policy route-map netflow_nat
> no keepalive
> half-duplex
> no cdp enable
> !
> interface Serial0/0
> no ip address
> shutdown
> !
> interface Ethernet0/1
> ip address 192.168.4.250 255.255.255.0 secondary
> ip address 193.xxx.xxx.253 255.255.255.252 secondary
> ip address 193.xxx.xxx.65 255.255.255.192
> ip access-group 199 in
> no ip unreachables
> no ip proxy-arp
> ip nat inside
> rate-limit input access-group 115 96000 18000 36000 conform-action transmit exceed-action drop
> rate-limit input access-group 117 256000 48000 96000 conform-action transmit exceed-action drop
> rate-limit input access-group 119 64000 12000 24000 conform-action transmit exceed-action drop
> rate-limit input access-group 121 96000 18000 36000 conform-action transmit exceed-action drop
> rate-limit input access-group 123 96000 18000 36000 conform-action transmit exceed-action drop
> rate-limit input access-group 125 96000 18000 36000 conform-action transmit exceed-action drop
> rate-limit input access-group 127 96000 18000 36000 conform-action transmit exceed-action drop
> rate-limit input access-group 129 64000 12000 24000 conform-action transmit exceed-action drop
> rate-limit input access-group 131 64000 12000 24000 conform-action transmit exceed-action drop
> rate-limit input access-group 135 64000 12000 24000 conform-action transmit exceed-action drop
> rate-limit input access-group 137 128000 24000 48000 conform-action transmit exceed-action drop
> rate-limit input access-group 139 64000 12000 24000 conform-action transmit exceed-action drop
> ip route-cache flow
> no ip mroute-cache
> no keepalive
> half-duplex
> traffic-shape group 116 96000 12000 12000 128
> traffic-shape group 118 256000 32000 32000 128
> traffic-shape group 120 64000 8000 8000 128
> traffic-shape group 122 96000 12000 12000 128
> traffic-shape group 124 96000 12000 12000 128
> traffic-shape group 126 96000 12000 12000 128
> traffic-shape group 128 96000 12000 12000 128
> traffic-shape group 130 64000 8000 8000 128
> traffic-shape group 132 64000 8000 8000 128
> traffic-shape group 136 64000 8000 8000 128
> traffic-shape group 138 128000 16000 16000 128
> traffic-shape group 140 64000 8000 8000 128
> no cdp enable
> !
> interface Serial0/1
> no ip address
> shutdown
> !
> interface FastEthernet2/0
> ip address 193.xxx.xxx.9 255.255.255.192
> ip access-group 199 in
> no ip unreachables
> no ip proxy-arp
> ip nat inside
> rate-limit input access-group 111 512000 96000 192000 conform-action transmit exceed-action drop
> rate-limit input access-group 113 96000 18000 36000 conform-action transmit exceed-action drop
> rate-limit input access-group 133 32000 6000 12000 conform-action transmit exceed-action drop
> ip route-cache flow
> no ip mroute-cache
> no keepalive
> speed 100
> full-duplex
> traffic-shape group 112 512000 32000 32000 512
> traffic-shape group 114 96000 12000 12000 128
> traffic-shape group 134 32000 4000 4000 128
> no cdp enable
> !
> ip nat inside source list 5 interface Ethernet0/0 overload
> ip nat inside source list 102 interface Ethernet0/0 overload
> ip flow-export source FastEthernet2/0
> ip flow-export version 5
> ip flow-export destination 193.xxx.xxx.1 2100
> ip classless
> no ip http server
> !
> access-list 5 permit 192.168.1.249
> access-list 5 permit 192.168.1.253
> access-list 5 permit 192.168.4.0 0.0.0.255
> access-list 5 permit 192.168.12.0 0.0.0.255
> access-list 5 permit 192.168.14.0 0.0.0.255
> access-list 5 permit 192.168.23.0 0.0.0.255
> access-list 5 permit 192.168.6.0 0.0.0.255
> access-list 5 permit 192.168.29.0 0.0.0.255
> access-list 5 permit 192.168.20.0 0.0.0.255
> access-list 5 permit 192.168.5.0 0.0.0.255
> access-list 5 permit 192.168.30.0 0.0.0.255
> access-list 102 permit ip any host 212.109.57.226
> access-list 102 permit ip any host 213.186.198.70
> access-list 102 permit ip any host 62.244.21.62
> access-list 102 permit ip any host 212.82.220.134
> access-list 103 permit ip any 192.168.0.0 0.0.255.255
> access-list 199 remark Zhashishaemsa ot nekotorih virusov
> access-list 199 deny tcp any any eq 135
> access-list 199 deny udp any any eq 135
> access-list 199 permit ip any any
> !
> route-map netflow_nat permit 10
> match ip address 103
> set interface Loopback0 Ethernet0/0
> !
> line con 0
> line aux 0
> line vty 0 4
> !
> end
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
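The thread's point is that a `Null` DstIf in `show ip cache flow` is not necessarily dropped traffic: NetFlow is accounted before PBR/NAT pick the real egress. The parser below is an added example (not code from the thread or from Cisco) that reads rows in the quoted format and, as a heuristic of my own, separates Null-egress flows that have a matching reverse flow (traffic was really delivered, as with the 22B8/0F57 pair above) from those that have none. The sample rows are copied from the quoted dump; the column layout is the standard IOS one.

```python
"""Parse 'show ip cache flow' rows and sort out Null-egress flows.

Columns: SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Pr, SrcP and DstP are printed in hex by IOS; Pkts is decimal.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src_if src_ip dst_if dst_ip proto sport dport pkts")

# Constructed sample: a subset of the rows from the thread, re-joined
# so that the packet count sits on the same line as the flow.
SAMPLE = """\
Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 100C 3
Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 100F 3
Et0/1 192.168.23.15 Et0/0 66.225.214.106 06 0F57 22B8 22
Et0/0 66.225.214.106 Null 192.168.23.15 06 22B8 0F57 25
Et0/0 66.225.214.106 Null 192.168.23.15 06 0050 0EAA 3
"""


def parse_cache_flow(text):
    """Return a list of Flow records; lines that are not 8 columns are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8:
            continue  # header, blank line, or a wrapped fragment
        src_if, src_ip, dst_if, dst_ip, proto, sport, dport, pkts = parts
        flows.append(Flow(src_if, src_ip, dst_if, dst_ip,
                          int(proto, 16), int(sport, 16), int(dport, 16),
                          int(pkts)))
    return flows


def flow_key(f):
    return (f.src_ip, f.dst_ip, f.proto, f.sport, f.dport)


def classify_null_egress(flows):
    """Split Null-egress flows into 'answered' (a reverse flow exists in the
    same cache, so the packets reached the host and Null is an accounting
    artifact such as the PBR/NAT ordering in the thread) and 'unanswered'
    (no reverse flow seen; may be genuinely dropped or simply aged out)."""
    seen = {flow_key(f) for f in flows}
    answered, unanswered = [], []
    for f in flows:
        if f.dst_if != "Null":
            continue
        reverse = (f.dst_ip, f.src_ip, f.proto, f.dport, f.sport)
        (answered if reverse in seen else unanswered).append(f)
    return answered, unanswered
```

Run it over a full `show ip cache flow` capture rather than an `include`-filtered one, since the reverse-flow check only works when both directions are present.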