- Posts: 3
- Thank you received: 0
Firewall problem for Port 2055 for Netflow
- robertcabiyaan
- Topic Author
- Offline
- New Member
Less
More
15 years 6 months ago #30241
by robertcabiyaan
Firewall problem for Port 2055 for Netflow was created by robertcabiyaan
Hi there,
I have installed Solarwinds and i need to gather information from my router behind the firewall. Netflow is already activated from cisco 2800 target is 192.168.144.15 2055. Its not reaching the netflow server because of firewall maybe.
THESE ARE MY CISCO 2800 CONFIGURATION
Current configuration : 2863 bytesiguration...byte ICMP Ech
ip s
Fa0
!
version 12.4e admin secr
service timestamps debug datetime msec67
!c
version 12.4
!
!
ser
service timestamps log datetime msec $1$vW5E$CDI4u.6UjQXtBFpX5TSSC.6.83.
no service password-encryptione msec6 0019 635B
username w
!l
hostname GulfFarabi 5 $1$Q5in$zTa9U1cv
!r
boot-start-marker 5 $
p
F
!/
hos
boot-end-marker1.141 Fa0/1
!
logging buffered 4096 informational15 secret 5 $1$NOYZ$yOz7ZxL8LKMxJG4
no logging console 4096 debuggingnt
enable secret 5 $1$Th7y$zOvIJSeJOKli6yoRbvLGv/
interface FastEthernet0/0ecret 5 $1$Th7y$zOv
!S
aaa new-modelon WANtatisti
!
!o
!.
aaa session-id common0.98 255.255.255.252l
!
resource policy
!0
aaa session
!d
mmi polling-interval 60 in
!
resource policy
no mmi auto-configureowolling-interval 60
no mmi pvc0
Fa
mmi snmp-timeout 180re26
!F
interface F
ip subnet-zero
ip ce
ip route-cache flowy0E7D 24 ava
ip
speed 100ss-list 11
full-duplexso
speed 10
!f
interface FastEthernet0/1emark Auto generated by S
description $ETH-LAN$ature 06 01B
ip addr
ip address 212.xx.xx.225 255.255.255.248 secondary
access-list 100 remark SDM_ACL Category=1 ip addr
ip address 212.xx.xx.65 255.255.255.240list 100 permit udp host 192.168.144.15
ip access-group 100 inpap
duplex autoou
ip route-cache flowo212.xx.xx.2
!
inte
duplex autoess-list 100
speed autoany host 21
!7
interface Serial0/1/0down debug da
clockr
no ip address/5)
r
shutdown-list 100
clockrate 2000000t 212.xx.xx.65 eq
!0
ip classless0 41
T
ip route 0.0.0.0 0.0.0.0 10.100.100.97t 100 deny tcp any host 212.76.83.65
ip flow-export source FastEthernet0/0 80.88.132.10
ip flow-
access-list
ip flow-export version 512.76.83.65 eq 443096 de
ip flow-export destination 192.168.144.15 2055.7
access-list 100 deny tcp any 19
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 192.168.144.15 host 10.100.100.98 eq snmp
access-list 101 deny tcp any host 10.100.100.98 eq telnet
access-list 101 deny tcp any host 10.100.100.98 eq 22
access-list 101 deny tcp any host 10.100.100.98 eq www
access-list 101 deny tcp any host 10.100.100.98 eq 443
access-list 101 deny tcp any host 10.100.100.98 eq cmd
access-list 101 deny udp any host 10.100.100.98 eq snmp
access-list 101 permit ip any any
snmp-server community farabi RO 11
snmp-server ifindex persist
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
end
AND THESE ARE MY ASA5510 CONFIGURATION
GulfFarabi#show run6.68.201 percent (0
Building configuration...ame salah secret 5 $1$T1x
Current configuration : 2863 bytesiguration...byte ICMP Ech
ip s
Fa0
!
version 12.4e admin secr
service timestamps debug datetime msec67
!c
version 12.4
!
!
ser
service timestamps log datetime msec $1$vW5E$CDI4u.6UjQXtBFpX5TSSC.6.83.
no service password-encryptione msec6 0019 635B
username w
!l
hostname GulfFarabi 5 $1$Q5in$zTa9U1cv
!r
boot-start-marker 5 $
p
F
!/
hos
boot-end-marker1.141 Fa0/1
!
logging buffered 4096 informational15 secret 5 $1$NOYZ$yOz7ZxL8LKMxJG4
no logging console 4096 debuggingnt
enable secret 5 $1$Th7y$zOvIJSeJOKli6yoRbvLGv/
interface FastEthernet0/0ecret 5 $1$Th7y$zOv
!S
aaa new-modelon WANtatisti
!
!o
!.
aaa session-id common0.98 255.255.255.252l
!
resource policy
!0
aaa session
!d
mmi polling-interval 60 in
!
resource policy
no mmi auto-configureowolling-interval 60
no mmi pvc0
Fa
mmi snmp-timeout 180re26
!F
interface F
ip subnet-zero
ip ce
ip route-cache flowy0E7D 24 ava
ip
speed 100ss-list 11
full-duplexso
speed 10
!f
interface FastEthernet0/1emark Auto generated by S
description $ETH-LAN$ature 06 01B
ip addr
ip address 212.xx.xx.225 255.255.255.248 secondary
access-list 100 remark SDM_ACL Category=1 ip addr
ip address 212.xx.xx.65 255.255.255.240list 100 permit udp host 192.168.144.15
ip access-group 100 inpap
duplex autoou
ip route-cache flowo212.76.73.2
!
inte
duplex autoess-list 100
speed autoany host 21
!7
interface Serial0/1/0down debug da
clockr
no ip address/5)
r
shutdown-list 100
clockrate 2000000t 212.76.83.65 eq
!0
ip classless0 41
T
ip route 0.0.0.0 0.0.0.0 10.100.100.97t 100 deny tcp any host 212.76.83.65
ip flow-export source FastEthernet0/0 80.88.132.10
ip flow-
access-list
ip flow-export version 512.76.83.65 eq 443096 de
ip flow-export destination 192.168.144.15 2055.7
access-list 100 deny tcp any 19
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 192.168.144.15 host 10.100.100.98 eq snmp
access-list 101 deny tcp any host 10.100.100.98 eq telnet
access-list 101 deny tcp any host 10.100.100.98 eq 22
access-list 101 deny tcp any host 10.100.100.98 eq www
access-list 101 deny tcp any host 10.100.100.98 eq 443
access-list 101 deny tcp any host 10.100.100.98 eq cmd
access-list 101 deny udp any host 10.100.100.98 eq snmp
access-list 101 permit ip any any
snmp-server community farabi RO 11
snmp-server ifindex persist
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
end
SOLARWINDS SAYS I ONLY NEED TO ALLOW PORT 2055 TO MY ASA5510.
Thanks in advance.
I have installed Solarwinds and i need to gather information from my router behind the firewall. Netflow is already activated from cisco 2800 target is 192.168.144.15 2055. Its not reaching the netflow server because of firewall maybe.
THESE ARE MY CISCO 2800 CONFIGURATION
Current configuration : 2863 bytesiguration...byte ICMP Ech
ip s
Fa0
!
version 12.4e admin secr
service timestamps debug datetime msec67
!c
version 12.4
!
!
ser
service timestamps log datetime msec $1$vW5E$CDI4u.6UjQXtBFpX5TSSC.6.83.
no service password-encryptione msec6 0019 635B
username w
!l
hostname GulfFarabi 5 $1$Q5in$zTa9U1cv
!r
boot-start-marker 5 $
p
F
!/
hos
boot-end-marker1.141 Fa0/1
!
logging buffered 4096 informational15 secret 5 $1$NOYZ$yOz7ZxL8LKMxJG4
no logging console 4096 debuggingnt
enable secret 5 $1$Th7y$zOvIJSeJOKli6yoRbvLGv/
interface FastEthernet0/0ecret 5 $1$Th7y$zOv
!S
aaa new-modelon WANtatisti
!
!o
!.
aaa session-id common0.98 255.255.255.252l
!
resource policy
!0
aaa session
!d
mmi polling-interval 60 in
!
resource policy
no mmi auto-configureowolling-interval 60
no mmi pvc0
Fa
mmi snmp-timeout 180re26
!F
interface F
ip subnet-zero
ip ce
ip route-cache flowy0E7D 24 ava
ip
speed 100ss-list 11
full-duplexso
speed 10
!f
interface FastEthernet0/1emark Auto generated by S
description $ETH-LAN$ature 06 01B
ip addr
ip address 212.xx.xx.225 255.255.255.248 secondary
access-list 100 remark SDM_ACL Category=1 ip addr
ip address 212.xx.xx.65 255.255.255.240list 100 permit udp host 192.168.144.15
ip access-group 100 inpap
duplex autoou
ip route-cache flowo212.xx.xx.2
!
inte
duplex autoess-list 100
speed autoany host 21
!7
interface Serial0/1/0down debug da
clockr
no ip address/5)
r
shutdown-list 100
clockrate 2000000t 212.xx.xx.65 eq
!0
ip classless0 41
T
ip route 0.0.0.0 0.0.0.0 10.100.100.97t 100 deny tcp any host 212.76.83.65
ip flow-export source FastEthernet0/0 80.88.132.10
ip flow-
access-list
ip flow-export version 512.76.83.65 eq 443096 de
ip flow-export destination 192.168.144.15 2055.7
access-list 100 deny tcp any 19
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 192.168.144.15 host 10.100.100.98 eq snmp
access-list 101 deny tcp any host 10.100.100.98 eq telnet
access-list 101 deny tcp any host 10.100.100.98 eq 22
access-list 101 deny tcp any host 10.100.100.98 eq www
access-list 101 deny tcp any host 10.100.100.98 eq 443
access-list 101 deny tcp any host 10.100.100.98 eq cmd
access-list 101 deny udp any host 10.100.100.98 eq snmp
access-list 101 permit ip any any
snmp-server community farabi RO 11
snmp-server ifindex persist
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
end
AND THESE ARE MY ASA5510 CONFIGURATION
GulfFarabi#show run6.68.201 percent (0
Building configuration...ame salah secret 5 $1$T1x
Current configuration : 2863 bytesiguration...byte ICMP Ech
ip s
Fa0
!
version 12.4e admin secr
service timestamps debug datetime msec67
!c
version 12.4
!
!
ser
service timestamps log datetime msec $1$vW5E$CDI4u.6UjQXtBFpX5TSSC.6.83.
no service password-encryptione msec6 0019 635B
username w
!l
hostname GulfFarabi 5 $1$Q5in$zTa9U1cv
!r
boot-start-marker 5 $
p
F
!/
hos
boot-end-marker1.141 Fa0/1
!
logging buffered 4096 informational15 secret 5 $1$NOYZ$yOz7ZxL8LKMxJG4
no logging console 4096 debuggingnt
enable secret 5 $1$Th7y$zOvIJSeJOKli6yoRbvLGv/
interface FastEthernet0/0ecret 5 $1$Th7y$zOv
!S
aaa new-modelon WANtatisti
!
!o
!.
aaa session-id common0.98 255.255.255.252l
!
resource policy
!0
aaa session
!d
mmi polling-interval 60 in
!
resource policy
no mmi auto-configureowolling-interval 60
no mmi pvc0
Fa
mmi snmp-timeout 180re26
!F
interface F
ip subnet-zero
ip ce
ip route-cache flowy0E7D 24 ava
ip
speed 100ss-list 11
full-duplexso
speed 10
!f
interface FastEthernet0/1emark Auto generated by S
description $ETH-LAN$ature 06 01B
ip addr
ip address 212.xx.xx.225 255.255.255.248 secondary
access-list 100 remark SDM_ACL Category=1 ip addr
ip address 212.xx.xx.65 255.255.255.240list 100 permit udp host 192.168.144.15
ip access-group 100 inpap
duplex autoou
ip route-cache flowo212.76.73.2
!
inte
duplex autoess-list 100
speed autoany host 21
!7
interface Serial0/1/0down debug da
clockr
no ip address/5)
r
shutdown-list 100
clockrate 2000000t 212.76.83.65 eq
!0
ip classless0 41
T
ip route 0.0.0.0 0.0.0.0 10.100.100.97t 100 deny tcp any host 212.76.83.65
ip flow-export source FastEthernet0/0 80.88.132.10
ip flow-
access-list
ip flow-export version 512.76.83.65 eq 443096 de
ip flow-export destination 192.168.144.15 2055.7
access-list 100 deny tcp any 19
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 192.168.144.15 host 10.100.100.98 eq snmp
access-list 101 deny tcp any host 10.100.100.98 eq telnet
access-list 101 deny tcp any host 10.100.100.98 eq 22
access-list 101 deny tcp any host 10.100.100.98 eq www
access-list 101 deny tcp any host 10.100.100.98 eq 443
access-list 101 deny tcp any host 10.100.100.98 eq cmd
access-list 101 deny udp any host 10.100.100.98 eq snmp
access-list 101 permit ip any any
snmp-server community farabi RO 11
snmp-server ifindex persist
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
end
SOLARWINDS SAYS I ONLY NEED TO ALLOW PORT 2055 TO MY ASA5510.
Thanks in advance.
15 years 6 months ago #30251
by S0lo
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
Replied by S0lo on topic Re: Firewall problem for Port 2055 for Netflow
The ASA5510 config you posted does not seam to be an ASA config. It looks like it's an exact copy of the 2863 router config. Did you forget to copy/paste the ASA's config?
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
- robertcabiyaan
- Topic Author
- Offline
- New Member
Less
More
- Posts: 3
- Thank you received: 0
15 years 6 months ago #30255
by robertcabiyaan
Replied by robertcabiyaan on topic Re: Firewall problem for Port 2055 for Netflow
Sorry ....
here is the ASA 5510 configuration. And thanks for your reply.
ASA Version 7.0(4)
!
hostname ciscoasa
domain-name gulffarabi.com
enable password PVSASRJovmamnVkD encrypted
names
name 10.0.0.65 gf-jub-isa description ISA Proxy
name 192.168.144.32 gf-jub-ehc01 description Exchange Hub and Cas
name 10.0.0.66 gf-jub-irm description Iron Mail
name 192.168.144.29 beserver description black berry Server
name 192.168.144.23 gfpcproxy description Bluecoat Proxy
name 192.168.144.16 avserver description Anti Virus Server
name 212.xx.xx.71 PublicSMTP description Mx Recourds
name 212.xx.xx.70 PublicWebMail description WebMail Connection
name 212.xx.xx.227 PublicBlackBeery description Black Beery Connection
name 192.168.145.87 internet_workstation
name 192.168.144.33 gf-jub-mbs01 description ExchangeMailBox01
name 192.168.144.34 gf-jub-mbs02 description ExchangeMailBox02
name 192.168.145.93 internet
name 192.168.144.5 gf-jub-rdc01 description Root Domain Controller
name 212.xx.xx.42 SMTP_SmartHost description Sahara Smart Host
name 192.168.144.3 gf-jub-adc01
name 192.168.144.36 gf-jub-sccm description SCCM_Server
name 192.168.144.4 FAS270
name 192.168.144.37 gf-jub-prnt description Print server
name 192.168.145.56 pc
name 192.168.145.24 OrionDemo description Solar Winds NMT
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 212.xx.xx.226 255.255.255.248
!
interface Ethernet0/1
nameif DMZ
security-level 50
ip address 10.0.0.21 255.255.255.0
!
interface Ethernet0/2
nameif Inside
security-level 100
ip address 192.168.144.21 255.255.255.0
!
interface Management0/0
nameif management
security-level 80
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd PVSASRJovmamnVkD encrypted
ftp mode passive
<--- More --->
here is the ASA 5510 configuration. And thanks for your reply.
ASA Version 7.0(4)
!
hostname ciscoasa
domain-name gulffarabi.com
enable password PVSASRJovmamnVkD encrypted
names
name 10.0.0.65 gf-jub-isa description ISA Proxy
name 192.168.144.32 gf-jub-ehc01 description Exchange Hub and Cas
name 10.0.0.66 gf-jub-irm description Iron Mail
name 192.168.144.29 beserver description black berry Server
name 192.168.144.23 gfpcproxy description Bluecoat Proxy
name 192.168.144.16 avserver description Anti Virus Server
name 212.xx.xx.71 PublicSMTP description Mx Recourds
name 212.xx.xx.70 PublicWebMail description WebMail Connection
name 212.xx.xx.227 PublicBlackBeery description Black Beery Connection
name 192.168.145.87 internet_workstation
name 192.168.144.33 gf-jub-mbs01 description ExchangeMailBox01
name 192.168.144.34 gf-jub-mbs02 description ExchangeMailBox02
name 192.168.145.93 internet
name 192.168.144.5 gf-jub-rdc01 description Root Domain Controller
name 212.xx.xx.42 SMTP_SmartHost description Sahara Smart Host
name 192.168.144.3 gf-jub-adc01
name 192.168.144.36 gf-jub-sccm description SCCM_Server
name 192.168.144.4 FAS270
name 192.168.144.37 gf-jub-prnt description Print server
name 192.168.145.56 pc
name 192.168.145.24 OrionDemo description Solar Winds NMT
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 212.xx.xx.226 255.255.255.248
!
interface Ethernet0/1
nameif DMZ
security-level 50
ip address 10.0.0.21 255.255.255.0
!
interface Ethernet0/2
nameif Inside
security-level 100
ip address 192.168.144.21 255.255.255.0
!
interface Management0/0
nameif management
security-level 80
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd PVSASRJovmamnVkD encrypted
ftp mode passive
<--- More --->
- robertcabiyaan
- Topic Author
- Offline
- New Member
Less
More
- Posts: 3
- Thank you received: 0
15 years 6 months ago #30291
by robertcabiyaan
Replied by robertcabiyaan on topic Re: Firewall problem for Port 2055 for Netflow
any solutions yet ?....thanks again....
15 years 6 months ago #30294
by S0lo
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
Replied by S0lo on topic Re: Firewall problem for Port 2055 for Netflow
robertcabiyaan, The config you posted for ASA 5510 is partial. Better post the full config of the device so that we can have a full picture and help you better. For a starter, you might need an access-list and a port forward static map put on the ASA to enable your Outside to talk to your Inside interface.
One other thing here, I'm not sure I can see the IP (of the Netflow) 192.168.144.15 put on any interface of the 2800. Are you sure the config you placed is full, also some lines seems strange!!, for example these one:
[code:1]ip address 212.xx.xx.65 255.255.255.240list 100 permit udp host 192.168.144.15[/code:1]
and this:
[code:1]ip addr[/code:1]
One other thing here, I'm not sure I can see the IP (of the Netflow) 192.168.144.15 put on any interface of the 2800. Are you sure the config you placed is full, also some lines seems strange!!, for example these one:
[code:1]ip address 212.xx.xx.65 255.255.255.240list 100 permit udp host 192.168.144.15[/code:1]
and this:
[code:1]ip addr[/code:1]
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
15 years 4 months ago #31082
by Dimitri
Replied by Dimitri on topic Config to get Netflow from outside of firewall
From what I have found, you need to create an IP outside the firewall, to NAT inside
itknowledgeexchange.techtarget.com/netwo...d-in-inside-network/
Good luck
Dimitri
itknowledgeexchange.techtarget.com/netwo...d-in-inside-network/
Good luck
Dimitri
Time to create page: 0.142 seconds