Hi all. I am rather inexperienced Orion/Netflow user. I downloaded the trial version and installed the full suite on a desktop placed outside our firewall. I collected Netflow data (v.5) just fine. However, the goal is to collect it from inside our network before the firewall. The firewall is many-to-one NATting everything. This seems to be the only difference. I had the firewall ports opened 2055 and 9996 (I believe), 161, etc. I can add the device but it still shows "down". It shows the router (a Cisco 2821) as being a netflow source, and my router is indeed configured and set up to send to the collector.
What is happening? I have searched for days and cant' seem to find the answer. I even changed to version 9 on the router to see if that would help (I heard v9 is configured to work with NAT)....
Any help would be appreciated.
You'll need to set the NetFlow destination to be the external interface of your firewall, then create a firewall port forward for UDP port 2055 to forward to the machine where Orion NetFlow Traffic Analyzer is installed. You'll still need add the router and monitor its interfaces with Orion NPM (Network Performance Monitor) but you shouldn't need any special port/address translations for that to happen.
Depending on your firewall you may need to allow the traffic through the firewall. You'll need to allow UDP port 161 bidirectionally to/from your Orion server and the router that's sending the netflow data. You'll also want to allow ICMP echo request from the Orion server to your Netflow router, and accept the ICMP echo reply packets back through the firewall from your netflow router to your Orion server. Additionally you might need to allow UDP port 2055 to the the firewall for the port forwarding to work properly.
That is a really geat response! Some I had already tried, but the idea of sending the netflow to the firewall interface did not come to mind. Would this not render this port a mirror port? When spanning or port mirroring in Cisco IOS the destination port is no longer switchable or routable. It just copies packets. Just a little nervous..........
Because the firewall is doing NAT there's no direct route from the router to the server running NTA so these packets need to be port forwarded through the firewall to the Orion server to get to the flows to NTA. This is the reason you'll need to set the netflow destination on the Cisco router as the firewall itself. Ultimately these packets should be redirected/forwarded to the appropriate destination by the firewall so it's just semantics.
SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 150,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process. Learn more today by joining now.