No matter what Cisco NetFlow collector software you may be running, you may have noticed that when your firewall NATs an address, it becomes the source or destination within your flows, and thus makes NetFlow a lot less useful.
Let me provide you with an example in Scrutinizer.
Note the series of conversations coming in from the web, as shown above, and how the destinations all show the NAT address of 66.186.x.x.
Let’s look at the traffic coming from host vs.mcafeeasap.com. How can we find out who the destination host is within our network that is generating this traffic?
First things first: these conversations come from records exported by the Internet router. By the time traffic reaches that router it has already been NATed, so we need to find this traffic before it hits the router…
So let’s go to my internal switch.
Once on my internal switch, I did a filter search for this host and generated a series of conversations from vs.mcafeeasap.com. Since this was a McAfee update, there were a LOT of internal conversations, to say the least. But as you can see, you have both the source host and destination, without the NAT address getting in the way.
How did I do that filter search? In the top right corner of the Scrutinizer GUI, you have the binoculars icon that looks like this:
When you click on the binoculars, you get a menu, as shown below. Within this menu, you can do a search for all conversations, where the source or destination is a specific IP address.
So as you can see in this menu, I am doing a search by an IP on my internal switch. The IP that I specified was the IP of the McAfee host.
The search results returned every flow record where the McAfee host was either the source or the destination. Now it's up to me to decide which of those I need to see.
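To make the idea concrete without the Scrutinizer screenshots, here is an added Python example (not code from the post or from Scrutinizer) that replays the same investigation over a handful of constructed flow records. It models two exporters, the Internet router and the internal switch, and runs the "source or destination is this IP" search against each; the router side only ever yields the public NAT address, while the switch side yields the real internal hosts. It goes one step past the post by also showing a best-effort way to map a single router-side (post-NAT) conversation back to the internal host, matching on the external endpoint and the inside port, which only works where the NAT device preserves that port. The 203.0.113.x and 198.51.100.x addresses stand in for vs.mcafeeasap.com and the 66.186.x.x NAT address and are placeholders; the RFC 1918 ranges used to decide what counts as "internal" are an assumption about the network.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Placeholders (assumed, not the post's real addresses): the external McAfee host
# and the firewall's public NAT address as the Internet router sees it.
EXTERNAL_HOST = "203.0.113.10"   # stands in for vs.mcafeeasap.com
NAT_ADDRESS = "198.51.100.5"     # stands in for the 66.186.x.x NAT address

# Assumption: inside hosts live in the RFC 1918 ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed sample records: (exporter, src, sport, dst, dport, proto, bytes).
# The same McAfee update traffic, reported by two different exporters.
SAMPLE_FLOWS = [
    # Internet router: every inside host has already been rewritten to NAT_ADDRESS
    ("internet-router", EXTERNAL_HOST, 80, NAT_ADDRESS, 51001, 6, 420000),
    ("internet-router", EXTERNAL_HOST, 80, NAT_ADDRESS, 51002, 6, 415000),
    ("internet-router", EXTERNAL_HOST, 80, NAT_ADDRESS, 51003, 6, 398000),
    ("internet-router", "198.51.100.77", 443, NAT_ADDRESS, 51004, 6, 12000),
    # Internal switch: pre-NAT, so the real source/destination hosts are visible
    ("internal-switch", EXTERNAL_HOST, 80, "10.1.20.15", 51001, 6, 420000),
    ("internal-switch", EXTERNAL_HOST, 80, "10.1.20.16", 51002, 6, 415000),
    ("internal-switch", EXTERNAL_HOST, 80, "10.1.20.31", 51003, 6, 398000),
    ("internal-switch", "10.1.20.15", 51001, EXTERNAL_HOST, 80, 6, 9000),
    ("internal-switch", "198.51.100.77", 443, "10.1.30.7", 51004, 6, 12000),
]


def is_internal(addr):
    """True if addr falls inside one of the assumed internal ranges."""
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def filter_by_host(flows, host, exporter=None):
    """The binoculars search: records where host is the source OR the destination,
    optionally restricted to one exporter."""
    return [f for f in flows
            if (exporter is None or f[0] == exporter) and host in (f[1], f[3])]


def peers(flows, host, exporter):
    """Who `host` talked to, as reported by `exporter`: peer address -> total bytes."""
    totals = defaultdict(int)
    for _, src, _, dst, _, _, nbytes in filter_by_host(flows, host, exporter):
        totals[dst if src == host else src] += nbytes
    return dict(totals)


def internal_peers(flows, host, exporter):
    """Same as peers(), keeping only inside hosts. Empty on the router side,
    because there the only peer is the NAT address."""
    return {p: b for p, b in peers(flows, host, exporter).items() if is_internal(p)}


def resolve_nat_peer(router_flow, switch_flows):
    """Best-effort: map one post-NAT router flow to the inside host behind it by
    matching the external endpoint plus the port it spoke to on the inside.
    Only valid when the NAT device preserves the inside port; many PAT devices
    rewrite it, in which case this returns None and you fall back to
    internal_peers() on the pre-NAT exporter."""
    _, rsrc, rsport, rdst, rdport, rproto, _ = router_flow
    if rdst == NAT_ADDRESS:
        ext, ext_port, inside_port = rsrc, rsport, rdport
    else:
        ext, ext_port, inside_port = rdst, rdport, rsport
    for _, src, sport, dst, dport, proto, _ in switch_flows:
        if proto != rproto:
            continue
        if src == ext and sport == ext_port and dport == inside_port and is_internal(dst):
            return dst
        if dst == ext and dport == ext_port and sport == inside_port and is_internal(src):
            return src
    return None


if __name__ == "__main__":
    print("router view :", peers(SAMPLE_FLOWS, EXTERNAL_HOST, "internet-router"))
    print("switch view :", internal_peers(SAMPLE_FLOWS, EXTERNAL_HOST, "internal-switch"))
    switch_only = [f for f in SAMPLE_FLOWS if f[0] == "internal-switch"]
    for flow in SAMPLE_FLOWS[:4]:
        print("router flow to port", flow[4], "->", resolve_nat_peer(flow, switch_only))
```

Running it shows the router view collapsing three conversations into one peer (the NAT address) while the switch view lists 10.1.20.15, 10.1.20.16 and 10.1.20.31 with their byte counts; the port-based resolver then ties each router record back to one of those hosts, and returns None for any record whose inside port was rewritten by PAT.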
I really hope this helps everyone out there, and not just our Scrutinizer customers. Just understand that the flows are there, you just can’t look at your Internet router if you need the details.