NAT (Network Address Translation) maps many private IP addresses to a single public address before traffic is sent to the internet, so your LAN IP addresses are hidden from the WAN. For traffic from your LAN to the WAN, the source IP address is changed during NAT; for traffic in the opposite direction, the destination IP address is changed.

If you are exporting NetFlow packets from the router using ‘ip route-cache flow’ or ‘ip flow ingress’, you cannot view the WAN – LAN IP addresses on the WAN interface; you can only view the WAN – NAT IP addresses.

This is because ‘ip route-cache flow’ and ‘ip flow ingress’ account IN traffic. For example, suppose a router has 2 interfaces and you have enabled ‘ip flow ingress’ on the WAN interface. The NetFlow packets will then account IN traffic for the WAN and OUT traffic for the LAN.

Because it accounts IN traffic, the flow record carries the source IP address, which is the website's IP, and the destination, which is your WAN IP (before NAT takes place). For example, Host A is communicating with Facebook and you are monitoring the WAN interface. You will see the traffic's source as Facebook and its destination as your WAN IP address. The following diagram illustrates this.

To view the internal IP addresses, the only option is to enable ‘ip flow egress’ on all the interfaces so that the stats are correct. ‘ip flow egress’ accounts the OUT traffic of an interface, i.e. it accounts the OUT traffic for the LAN and the IN traffic for the WAN. This will display the Facebook IP and the Host A IP address.
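The difference between the two observation points can be modelled in a few lines. This is an added example, not code from the original post or from NetFlow Analyzer: a simplified model of a NAT router handling one reply packet from the website, where every address, port and function name is a constructed assumption.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

# Constructed sample addresses (documentation/private ranges), not from the article.
WAN_IP = "203.0.113.10"     # router's public (NAT) address
HOST_A = "192.168.1.25"     # internal host behind NAT
WEBSITE = "198.51.100.80"   # stands in for the website (e.g. Facebook)

# Translation entry created when Host A opened the connection:
# (public IP, public port) -> (private IP, private port)
NAT_TABLE = {(WAN_IP, 40001): (HOST_A, 51515)}

def nat_inbound(pkt):
    """Rewrite the destination of a WAN->LAN packet using the NAT table."""
    inside = NAT_TABLE.get((pkt.dst, pkt.dport))
    if inside is None:
        return None  # no translation entry: nothing is forwarded to the LAN
    return replace(pkt, dst=inside[0], dport=inside[1])

def forward_inbound(pkt):
    """Return the (src, dst) pair recorded at each observation point.

    'wan_ingress' models ingress accounting on the WAN interface: the record
    is taken as the packet arrives, before NAT rewrites the destination.
    'lan_egress' models egress accounting on the LAN interface: the record
    is taken as the packet leaves, after NAT.
    """
    records = {"wan_ingress": (pkt.src, pkt.dst)}
    translated = nat_inbound(pkt)
    if translated is not None:
        records["lan_egress"] = (translated.src, translated.dst)
    return records

def demo():
    # Reply from the website to the connection Host A opened.
    return forward_inbound(Packet(WEBSITE, 443, WAN_IP, 40001))

if __name__ == "__main__":
    for point, (src, dst) in demo().items():
        print(f"{point:12s} src={src:15s} dst={dst}")
```

A packet that matches no translation entry produces only the `wan_ingress` record, so the ingress view also contains traffic that never reaches an internal host.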

Arun Karthik Asokan

NetFlow Analyzer Technical Team
