Netflow Traffic Analyzer only sees Public Address due to Router sitting in Front of ASA Firewall

Question

I am currently monitoring Traffic on a Cisco Router and have configured Netflow to work through the ASA to the NTA server on the INSIDE.

My problem is that I only see Public Addresses or NAT'ed addresses which does No good for trying to find out which inside address is using

the resources.

I need to know if anyone has found a work around configuration that allows me to see INSIDE PRivate addresses when the Router sits In Front of the ASA
when this happens all INSIDE IP addresses are NAT'ed and that is what shows up on the NTA

When the Router sits behind the Firewall life is good

It's more likely this issue is a design issue, but just wondering how many people stick their firewalls in front of their routers?

ddemetra · Answer

I had a similar problem when I setup Netflow on my ASA's.

ASA's were sending back netflow data on incorrect interfaces. To fix this I discovered the ASA's, and then added all interfaces into the monitoring (EVEN the down interfaces!!)

Afterwards, all the Netflow data was shown.

This might be your problem as well

oceann23 · Answer

This is exactly what I had to do, however it appears that the Netflow traffic is not as accurate, there is data missing when looking at graphs, but I don't know if thats an ASA Netflow thing
Netflow was recently added to 8.2 code which is not that old, it's relatively new so maybe they are still working out the details.

I will have to go with another tool or something that uses Monitor Ports, Anyone have suggestions on tools that work in a scenario such as this?

Donald_Francis · Answer

I am not sure there is anything you can do about the router. By the time the router sees the traffic the NAT'ing has been completed and their is no record of the NAT'ing except form the device doing the NAT'ing.

You could however put the ASA on 8.2 or higher code and have the ASA send the flows and then you would be able to see the internal addresses.