No matter which Cisco NetFlow collector software you are running, you may have noticed that when your firewall NATs an address, the NAT address becomes the source or destination within your flows, which makes NetFlow a lot less useful.
Let me provide you with an example in Scrutinizer.
Note the series of conversations coming in from the web, as shown above, and how the destinations all show the NAT address of 66.186.x.x.
Let’s look at the traffic coming from host vs.mcafeeasap.com. How can we find out which host within our network is the destination that is generating this traffic?
First things first: these conversations come from records generated by the Internet router. Since the traffic has already been NATed by this point, we should find this traffic before it hits the router…
So let’s go to my internal switch.
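The same lookup can be scripted. This is an added example, not from the original post and not Scrutinizer's code: it pairs the Internet router's NATed flows with the internal switch's flows on the outside peer's address, port and protocol, then narrows by start time and byte count. The field names, addresses and tolerances are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records; field names are assumptions, not a collector schema.
NAT_ADDR = "203.0.113.10"   # placeholder for the firewall's public NAT address
REMOTE = "198.51.100.25"    # placeholder for the outside host

# Exported by the Internet router: the inside host is hidden behind NAT_ADDR.
ROUTER_FLOWS = [
    {"src": REMOTE, "sport": 443, "dst": NAT_ADDR, "dport": 40112,
     "proto": 6, "start": 1000, "bytes": 48200},
    {"src": REMOTE, "sport": 443, "dst": NAT_ADDR, "dport": 40377,
     "proto": 6, "start": 1012, "bytes": 9100},
]
# Exported by the internal switch: real inside addresses are visible.
SWITCH_FLOWS = [
    {"src": REMOTE, "sport": 443, "dst": "10.1.4.23", "dport": 51544,
     "proto": 6, "start": 1000, "bytes": 48200},
    {"src": REMOTE, "sport": 443, "dst": "10.1.7.80", "dport": 49201,
     "proto": 6, "start": 1013, "bytes": 9100},
    {"src": "192.0.2.77", "sport": 80, "dst": "10.1.4.23", "dport": 51600,
     "proto": 6, "start": 1001, "bytes": 700},
]

def inside_hosts(router_flows, switch_flows, nat_addr, max_skew=5, byte_tol=0.1):
    """Return (NAT port, candidate inside hosts) for each NATed router flow."""
    # Index switch flows by the outside peer, which NAT leaves unchanged.
    # The inside port is not part of the key because PAT may rewrite it.
    by_peer = defaultdict(list)
    for f in switch_flows:
        by_peer[(f["src"], f["sport"], f["proto"])].append(f)

    results = []
    for r in router_flows:
        if r["dst"] != nat_addr:
            continue  # only flows whose destination was translated
        candidates = {
            s["dst"]
            for s in by_peer[(r["src"], r["sport"], r["proto"])]
            if abs(s["start"] - r["start"]) <= max_skew             # exporter clock skew
            and abs(s["bytes"] - r["bytes"]) <= byte_tol * r["bytes"]
        }
        results.append((r["dport"], sorted(candidates)))
    return results

if __name__ == "__main__":
    for nat_port, hosts in inside_hosts(ROUTER_FLOWS, SWITCH_FLOWS, NAT_ADDR):
        print(f"{NAT_ADDR}:{nat_port} -> {hosts or 'no match on switch'}")
```

An empty candidate list means the switch did not export a matching flow, and more than one candidate means the time and byte tolerances are too loose to separate the hosts.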