We use Cisco ISRs at the edge of all our locations, and they also perform NAT/PAT. Since enabling NetFlow, I've realized that all ingress data shows as going to the public IP on the ISR and is NOT broken down by the internal IPs that may be responsible for that flow.
This has been brought up before but I didn't see an answer.
I found the following link:
https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/netflow/Cisco_NetFlow_Configuration.pdf
"If the ASR is being used for NAT and you would like to log the NAT translations within StealthWatch, run the following command:
ip nat log translations flow-export v9 udp destination X.X.X.X YYYY
Where X.X.X.X is the FlowCollector IP and YYYY is the configured NetFlow Export port."
I'm wondering if anyone else has tried this setting and if SolarWinds NTA would provide NetFlow data for top talkers, both inbound and outbound, that reflected the private internal IP instead of the single NAT'd public IP.
I've enabled it on one of my ISRs and will report back if I notice anything useful.
-Brian
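
Added example (not part of the post above or of the Cisco document): one way a collector could use exported NAT translation events to attribute inbound flows, which show only the public IP, to the inside host that owned the translation at that time. It assumes the NAT events and flow records have already been decoded into dicts; every field name and sample value below is constructed for illustration, and it makes no claim about what SolarWinds NTA does with these records.

```python
from collections import defaultdict

# Constructed NAT translation events (field names are hypothetical).
NAT_EVENTS = [
    {"ts": 100, "event": "create", "proto": 6, "inside_ip": "10.1.1.20", "public_ip": "203.0.113.5", "public_port": 40001},
    {"ts": 110, "event": "create", "proto": 6, "inside_ip": "10.1.1.35", "public_ip": "203.0.113.5", "public_port": 40002},
    {"ts": 200, "event": "delete", "proto": 6, "inside_ip": "10.1.1.20", "public_ip": "203.0.113.5", "public_port": 40001},
    # Same public port handed to a different inside host later (PAT port reuse).
    {"ts": 250, "event": "create", "proto": 6, "inside_ip": "10.1.1.35", "public_ip": "203.0.113.5", "public_port": 40001},
]
# Constructed ingress flow records as seen on the outside interface.
FLOWS = [
    {"ts": 120, "proto": 6, "dst_ip": "203.0.113.5", "dst_port": 40001, "bytes": 90000},
    {"ts": 150, "proto": 6, "dst_ip": "203.0.113.5", "dst_port": 40002, "bytes": 20000},
    {"ts": 300, "proto": 6, "dst_ip": "203.0.113.5", "dst_port": 40001, "bytes": 5000},
    {"ts": 400, "proto": 6, "dst_ip": "203.0.113.5", "dst_port": 40999, "bytes": 700},
]

def build_intervals(events):
    """Map (proto, public_ip, public_port) -> list of [start, end, inside_ip]."""
    table = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["proto"], ev["public_ip"], ev["public_port"])
        if ev["event"] == "create":
            table[key].append([ev["ts"], None, ev["inside_ip"]])
        elif ev["event"] == "delete":
            # Close the most recent still-open translation for this tuple.
            for interval in reversed(table[key]):
                if interval[1] is None:
                    interval[1] = ev["ts"]
                    break
    return table

def inside_host(table, flow):
    """Return the inside IP that held the translation when the flow was seen."""
    key = (flow["proto"], flow["dst_ip"], flow["dst_port"])
    for start, end, inside_ip in table.get(key, []):
        if start <= flow["ts"] and (end is None or flow["ts"] <= end):
            return inside_ip
    return None  # no translation known: keep the flow visible, do not guess

def top_inbound_talkers(events, flows):
    """Total inbound bytes per inside host, largest first."""
    table = build_intervals(events)
    totals = defaultdict(int)
    for flow in flows:
        host = inside_host(table, flow) or "unattributed:" + flow["dst_ip"]
        totals[host] += flow["bytes"]
    return sorted(totals.items(), key=lambda kv: -kv[1])
```

Matching on the time window as well as the public port matters because a PAT port can be reassigned to a different inside host once the first translation is deleted.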