When monitoring an interface that is performing NAT, all of the NetFlow data appears to be generated after the NAT takes place. Is there any way around this?
The setup I have is a router with an internal interface with multiple VLANs on it, and an external interface that is connected to the Internet. When traffic flows from an internal VLAN to the Internet, it is NATed on the external interface. NetFlow is reporting all the inbound traffic on the external interface as coming to the NAT address, which makes it difficult to know which internal host it is associated with. I suppose I could put the NetFlow collector on the internal interfaces, but that could get expensive since I'd burn a license for each VLAN.
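One way to recover the inside host from post-NAT flow records, as an added example that is not part of the original post: join each flow exported on the outside interface against the router's NAT translation log on the translated ip:port and the translation's lifetime. The translation record layout, the sample flows and the address values are all constructed assumptions, not a vendor schema; the join also handles a translated port being reused by a different inside host later.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed NAT translation records, modelled on what a NAT translation
# table export or log would provide. Field names are assumptions.
@dataclass(frozen=True)
class NatTranslation:
    proto: str
    inside_local: str      # "ip:port" of the real inside host
    inside_global: str     # "ip:port" as seen on the outside interface
    start: int             # epoch seconds the translation was created
    end: Optional[int]     # epoch seconds it was torn down; None if still active

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str               # "ip:port" as exported by NetFlow on the outside interface
    dst: str
    first_seen: int        # epoch seconds of the flow's first packet

def attribute_flow(flow: Flow, nat_table: list[NatTranslation]) -> Optional[str]:
    """Return the inside_local endpoint behind a post-NAT flow, or None.
    Inbound flows (dst is the NAT address) and outbound flows (src is the
    NAT address) are both matched on the translated ip:port; the translation
    lifetime is honoured because PAT reuses ports across inside hosts."""
    for t in nat_table:
        if t.proto != flow.proto:
            continue
        if flow.first_seen < t.start or (t.end is not None and flow.first_seen > t.end):
            continue
        if flow.dst == t.inside_global or flow.src == t.inside_global:
            return t.inside_local
    return None

def attribute_all(flows: list[Flow], nat_table: list[NatTranslation]) -> list[Optional[str]]:
    return [attribute_flow(f, nat_table) for f in flows]

# Constructed sample data: one global address 203.0.113.5 shared by several VLAN hosts.
NAT_TABLE = [
    NatTranslation("tcp", "10.1.20.15:51234", "203.0.113.5:40001", 1000, 1300),
    NatTranslation("tcp", "10.1.30.7:44000", "203.0.113.5:40001", 1400, None),  # port reused
    NatTranslation("udp", "10.1.20.9:5353", "203.0.113.5:5353", 900, None),
]
FLOWS = [
    Flow("tcp", "198.51.100.20:443", "203.0.113.5:40001", 1100),  # inbound reply to VLAN 20 host
    Flow("tcp", "198.51.100.20:443", "203.0.113.5:40001", 1500),  # same port, now VLAN 30 host
    Flow("udp", "198.51.100.53:53", "203.0.113.5:5353", 950),
    Flow("tcp", "198.51.100.99:22", "203.0.113.5:40002", 1100),   # no translation: unattributed
]

if __name__ == "__main__":
    for f, host in zip(FLOWS, attribute_all(FLOWS, NAT_TABLE)):
        print(f"{f.proto} {f.src} -> {f.dst} @ {f.first_seen}: inside host {host}")
```

Flows that match no translation in their time window stay unattributed rather than being guessed, which is the case to alert on when the NAT log and the flow export have clock skew or gaps.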