Unable to export Netflow Data over IPSec VPN Tunnel

Discussion in 'Cisco' started by greggm, Aug 2, 2005.

    greggm (Guest)

    I'm having problems exporting Netflow data from a Cisco 831 to a
    Netflow collector that sits on the other side of a VPN tunnel at my
    central site. Here are portions of the config.

    The Netflow collector is addressed as 192.168.0.100 and the Cisco 831
    is set to "ip flow-export source Ethernet0", "ip flow-export
    destination 192.168.0.100 9996". What I see is the access-list 101 is
    blocking the router from sending the data to 192.168.0.100.

    Here is the log message on the Cisco 831 (192.168.2.1) when it exports
    the Netflow data to the collector (192.168.0.100):
    000075: *Feb 28 19:27:04.841 PCTime: IPFLOW: Sending export pak to
    192.168.0.100 port 9996 0
    000076: *Feb 28 19:27:04.843 PCTime: %SEC-6-IPACCESSLOGP: list 101
    denied udp 192.168.2.1(0) -> 192.168.0.100(0), 2 packets

    One interesting note is that syslog messages ("logging source-interface
    Ethernet0", "logging 192.168.0.100") work great and syslog messages are
    showing up on the 192.168.0.100 server with no problem. It too uses the
    same Cisco 831 VPN tunnel to my central site. Is this an IOS bug or am
    I configuring something totally wrong? I've been banging my head on
    this problem for weeks now...
    Has anyone seen this problem before? Here is a portion of the config on
    the Cisco 831 router:

    boot system flash c831-k9o3y6-mz.123-8.T8.bin

    crypto keyring site2site
    pre-shared-key address 192.168.1.102 key xxxx
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    !
    crypto isakmp client configuration group remote-clients
    key axaxa
    pool SDM_POOL_1
    acl 104
    max-logins 1
    crypto isakmp profile site-to-site
    description Site to site VPN Tunnel profile connection
    keyring site2site
    match identity address 192.168.1.102 255.255.255.255
    keepalive 60 retry 5
    crypto isakmp profile vpnclients
    description VPN Clients profile connection
    match identity group remote-clients
    client authentication list vpnclientauth
    isakmp authorization list vpngroupauth
    client configuration address respond
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec fragmentation after-encryption
    crypto ipsec df-bit clear
    !
    crypto dynamic-map SDM_DYNMAP_1 2
    set transform-set ESP-3DES-SHA
    set isakmp-profile vpnclients
    reverse-route
    !
    !
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    set peer 192.168.1.102
    set transform-set ESP-3DES-SHA
    set isakmp-profile site-to-site
    match address 100
    crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
    !
    !
    !
    interface Null0
    no ip unreachables
    !
    interface Ethernet0
    description Inside Default Gateway$ES_LAN$$ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$$FW_INSIDE$
    ip address 192.168.2.1 255.255.255.0
    ip access-group 102 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    no cdp enable
    !
    interface Ethernet1
    description Outside$ES_WAN$$ETH-WAN$$FW_OUTSIDE$
    ip address dhcp client-id Ethernet1
    ip access-group 103 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip inspect DEFAULT100 out
    ip ips sdm_ips_rule in
    ip ips sdm_ips_rule out
    ip virtual-reassembly
    ip route-cache flow
    duplex full
    no cdp enable
    crypto map SDM_CMAP_1
    !

    ip classless
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip flow-export source Ethernet0
    ip flow-export version 5
    ip flow-export destination 192.168.0.100 9996
    ip nat inside source route-map SDM_RMAP_1 interface Ethernet1 overload
    !
    !
    logging trap debugging
    logging source-interface Ethernet0
    logging 192.168.0.100
    access-list 1 remark INSIDE_IF=Ethernet0
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.2.0 0.0.0.255 log
    access-list 100 remark SDM_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255 log
    access-list 101 remark SDM_ACL Category=2
    access-list 101 deny ip 192.168.2.0 0.0.0.255 host 192.168.20.1
    access-list 101 remark IPSec Rule
    access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255 log
    access-list 101 permit ip 192.168.2.0 0.0.0.255 any log
    access-list 102 remark auto generated by SDM firewall configuration
    access-list 102 remark SDM_ACL Category=1
    access-list 102 deny ip host 255.255.255.255 any
    access-list 102 deny ip 127.0.0.0 0.255.255.255 any
    access-list 102 permit ip any any
    access-list 103 remark auto generated by SDM firewall configuration
    access-list 103 remark SDM_ACL Category=1
    access-list 103 permit ip host 192.168.20.1 192.168.2.0 0.0.0.255
    access-list 103 remark Auto generated by SDM for NTP (123) 129.6.15.28
    access-list 103 permit udp host 129.6.15.28 eq ntp any eq ntp
    access-list 103 remark Auto generated by SDM for NTP (123) 129.6.15.29
    access-list 103 permit udp host 129.6.15.29 eq ntp any eq ntp
    access-list 103 permit ahp any any
    access-list 103 permit esp any any
    access-list 103 permit udp any any eq isakmp
    access-list 103 permit udp any any eq non500-isakmp
    access-list 103 remark IPSec Rule
    access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 103 deny ip 192.168.2.0 0.0.0.255 any
    access-list 103 permit udp any eq bootps any eq bootpc
    access-list 103 permit icmp any any echo-reply
    access-list 103 permit icmp any any time-exceeded
    access-list 103 permit icmp any any unreachable
    access-list 103 deny ip 10.0.0.0 0.255.255.255 any
    access-list 103 deny ip 172.16.0.0 0.15.255.255 any
    access-list 103 deny ip 192.168.0.0 0.0.255.255 any
    access-list 103 deny ip 127.0.0.0 0.255.255.255 any
    access-list 103 deny ip host 255.255.255.255 any
    access-list 103 deny ip any any log
    access-list 104 remark SDM_ACL Category=4
    access-list 104 permit ip 192.168.2.0 0.0.0.255 any
    no cdp run
    route-map SDM_RMAP_1 permit 1
    match ip address 101
    !
    end
     
    greggm, Aug 2, 2005
    #1
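As an added illustration (not part of greggm's post), here is a small Python model of first-match Cisco ACL evaluation with wildcard masks, run against the posted ACL 100 (the crypto map's "match address 100") and ACL 101 (the NAT route-map's "match ip address 101"). It shows which entry the logged 192.168.2.1 -> 192.168.0.100 packet hits and keeps "not translated" apart from "dropped": a deny in a route-map NAT ACL only exempts the packet from NAT, while the "log" keyword still produces the %SEC-6-IPACCESSLOGP "denied" line.

```python
import ipaddress

# ACL entries copied from the posted config (constructed sample, Cisco wildcard form).
# "host X" is written as "X 0.0.0.0" and "any" as "0.0.0.0 255.255.255.255".
ACL_100 = [  # crypto map SDM_CMAP_1: what gets encrypted into the tunnel
    ("permit", "192.168.2.0 0.0.0.255", "192.168.0.0 0.0.0.255"),
]
ACL_101 = [  # route-map SDM_RMAP_1: what gets NATed out Ethernet1
    ("deny", "192.168.2.0 0.0.0.255", "192.168.20.1 0.0.0.0"),
    ("deny", "192.168.2.0 0.0.0.255", "192.168.0.0 0.0.0.255"),
    ("permit", "192.168.2.0 0.0.0.255", "0.0.0.0 255.255.255.255"),
]


def wildcard_match(addr, spec):
    """True if addr matches a Cisco 'network wildcard' pair."""
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    # Wildcard bits set to 1 are ignored; every other bit must be equal.
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)


def evaluate(acl, src, dst):
    """First-match evaluation; returns (entry index, action), implicit deny at the end."""
    for i, (action, s, d) in enumerate(acl):
        if wildcard_match(src, s) and wildcard_match(dst, d):
            return i, action
    return None, "deny"


def classify_flow(src, dst):
    """How the router treats src->dst under the posted crypto and NAT ACLs."""
    _, crypto = evaluate(ACL_100, src, dst)
    idx, nat = evaluate(ACL_101, src, dst)
    return {
        "encrypted": crypto == "permit",   # crypto ACL permit = interesting traffic
        # A deny in the NAT route-map ACL means "do not translate", not "drop";
        # the 'log' keyword still emits a %SEC-6-IPACCESSLOGP "denied" message.
        "translated": nat == "permit",
        "acl101_entry": idx,
    }


if __name__ == "__main__":
    # The NetFlow export packet from the posted log.
    print(classify_flow("192.168.2.1", "192.168.0.100"))
```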