Nagios Support Forum

I am facing an issue with Nagios Network analyzer, we have 10.88.0.0 range in LAN segment and this IP is Nated in our cisco asafirewall (lan segment to outside interface nat). we have configured cisco ASA firewall in nagios network analyzer netflow.

10.88.0.0/16 range IPs are not visible in netflow monitoring logs.

Is there any configuration or update we have to do or its common behavior or Nagios network analyzer.

Please suggest.

Are you seeing the NATted IP in the flows?

we cant see any hits from that IP

Yea, i can see the NATed IP in destination ip column and source are all public IPs, not our LAN subnet IPs

ssax wrote:Are you seeing the NATted IP in the flows?

Yea, we can see the NATed IP in destination column and all the source IPs are public iPs not our LAN subnets.

The Nagios Network Analyzer displays the data it receives but I am guessing that your device is only sending on the NATed data and not the original IP addresses.
If your device supports sending 2 flows at the same time, you could create a separate source on the inside interface and send that to the NNA server and you should see that data on the separate source.

tgriep wrote:The Nagios Network Analyzer displays the data it receives but I am guessing that your device is only sending on the NATed data and not the original IP addresses.
If your device supports sending 2 flows at the same time, you could create a separate source on the inside interface and send that to the NNA server and you should see that data on the separate source.

This device is cisco ASA and we are doing the NATing on this device for sending data from inside to outside. last sentence is not clear Could you please elaborate it please, how we can create separate source.

I am guessing that you have setup the ASA to send the flow data statistics for the the outside interface of the firewall.
With the IP addresses getting NATed, The flow data probably only has the NATed data.
If you want to view the IP addresses before they are NATed, you can setup the inside interface to send the flow data to the NNA server.

If the ASA supports it, it will be sending the flow statistics for both the inside interface and the outside interface at the same time to the NNA server.
That way you can see the data for the original IP address.

Not all devices support sending 2 sets of flow traffic and you would have to see if it does and see it Cisco has the specs and documentation to do this.

tgriep wrote:I am guessing that you have setup the ASA to send the flow data statistics for the the outside interface of the firewall.
With the IP addresses getting NATed, The flow data probably only has the NATed data.
If you want to view the IP addresses before they are NATed, you can setup the inside interface to send the flow data to the NNA server.

Id the ASA supports it, it will be sending the flow statistics for both the inside interface and the outside interface at the same time to the NNA server.
That way you can see the data for the original IP address.

Not all devices support sending 2 sets of flow traffic and you would have to see if it does and see it Cisco has the specs and documentation to do this.

Could you please provide little more details about this line "you can setup the inside interface to send the flow data to the NNA server." how to configure this, could you please provide an documentation.

I did a few minutes of research and it looks like the ASA's cannot be configured to have 2 separate flows so doing that cannot be done.

You original issue could be a configuration issue and this link from Cisco has instructions on setting up NetFlow using the ADSM.
https://community.cisco.com/t5/security ... -p/3119466

These are the instructions from Nagios for setting up the device using the CLI.
https://assets.nagios.com/downloads/nag ... alyzer.pdf

Cisco Netflow Guide
https://www.cisco.com/c/en/us/td/docs/s ... tflow.html