Posted by PL on June 30, 2008, 2:10 pm
To anyone who has ever successfully configured multicasting between two segments on an ASA5510 v8.0...

I have been working on this for three days, and even got a whole team of Cisco support engineers involved without much success.

Trying to configure multicasting to/from inside and dmz segments, needs to be bidirectional.

Below is the starting config, but instead of posting everything we've tried, I'll just leave it open to start from scratch... Btw, for testing, we opened up the ACLs all the way as you can see below.

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.30.1 255.255.255.0
!
interface Ethernet0/3
 nameif dmz2
 security-level 3
 ip address 192.168.105.1 255.255.255.0
!
access-list inside_acl extended permit ip any any
access-list dmz2_acl extended permit ip any any
access-list noNAT extended permit ip 192.168.30.0 255.255.255.0 192.168.105.0 255.255.255.0
access-list dmz2-noNAT extended permit ip 192.168.105.0 255.255.255.0 192.168.30.0 255.255.255.0
!
access-group inside_acl in interface inside
access-group dmz2_acl in interface dmz2
!
nat (inside) 0 access-list noNAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz2) 0 access-list dmz2-noNAT
nat (dmz2) 3 0.0.0.0 0.0.0.0
!
global (outside) 1 [publicIPhidden]
global (outside) 3 [publicIPhidden]
!
Posted by mcaissie on June 30, 2008, 3:24 pm
I have it working on 7.2(2).

We are talking here about having the multicast source directly on the inside or directly on the dmz2, right? Not x hops away?

Same thing for the client, right?

Enabling multicast-routing was not enough to make it work. I had to add a static multicast route. (Well, two, since the Source may be on either side.)

So here is my recipe:

1- Enable multicast-routing

multicast-routing

2- Create multicast routes

mroute 192.168.105.0 255.255.255.0 inside dense dmz2
mroute 192.168.30.0 255.255.255.0 dmz2 dense inside

3- Allow multicast traffic in your ACL

You're OK with your permit ip any any, but when you go more granular you will have to specify the destination IP address of the multicast source.

Good luck
Posted by PL on June 30, 2008, 6:16 pm
Hmmm... Are you sure that's all there was to it?
It's still not working :( You didn't need to define the "rp-address" or anything else like that?

On Mon, 30 Jun 2008 19:24:52 GMT, "mcaissie" wrote:
> I have it to work on 7.2(2).
Posted by mcaissie on July 2, 2008, 10:56 am
> You didn't need to define the "rp-address" or anything else like that?

My solution is assuming that the multicast Source and Clients are directly connected on the inside and dmz subnet. Is that your case? If so, you don't need to activate PIM and you will not have any Rendez-Vous point. If you want the ASA to send the multicast traffic to an RP then it's another ball game.

Where exactly are your multicast Source and clients located?

Can you do a couple of captures to see if the multicast traffic is at least reaching your ASA?

access-list cdmz permit ip any 224.0.0.0 255.0.0.0
access-list cdmz permit ip 224.0.0.0 255.0.0.0 any
capture capdmz access-list cdmz interface dmz2

access-list cin permit ip any 224.0.0.0 255.0.0.0
access-list cin permit ip 224.0.0.0 255.0.0.0 any
capture capin access-list cin interface inside
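A quick check worth running before trusting a "nothing reaches the ASA" verdict from those captures. This is an added example, not code from the thread or from any Cisco tool: it parses the plain `access-list NAME [extended] permit ip SRC DST` syntax used in the posts (ASA takes real netmasks, not wildcard masks) and reports which multicast groups each capture entry can actually see. The full IPv4 multicast range is 224.0.0.0/4 (224.0.0.0 through 239.255.255.255), so a destination of `224.0.0.0 255.0.0.0` only matches groups in 224.x.x.x; a stream on a 239.x.x.x group would pass the ASA without ever showing in the capture. Function names are my own; the sample lines are copied from the posts plus one constructed entry with the /4 mask.

```python
"""Sanity-check ASA capture ACLs for multicast coverage (added example)."""
import ipaddress
import re

MULTICAST_RANGE = ipaddress.ip_network("224.0.0.0/4")

# One endpoint is either the keyword 'any' or '<network> <netmask>'.
_ENDPOINT = r"(any|\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+)"
_ACL_RE = re.compile(
    rf"^access-list (\S+) (?:(extended) )?permit ip {_ENDPOINT} {_ENDPOINT}$"
)


def _to_network(token):
    """'any' becomes 0.0.0.0/0; 'net mask' becomes an IPv4Network."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    net, mask = token.split()
    return ipaddress.ip_network(f"{net}/{mask}", strict=False)


def _fmt(net):
    """Render a network back in ASA 'net mask' form ('any' for 0.0.0.0/0)."""
    return "any" if net.prefixlen == 0 else f"{net.network_address} {net.netmask}"


def parse_acl_line(line):
    """Return (acl_name, has_extended_keyword, src_network, dst_network)."""
    m = _ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACL line: {line!r}")
    name, ext, src, dst = m.groups()
    return name, ext is not None, _to_network(src), _to_network(dst)


def _multicast_side(src, dst):
    """The explicit network (not 'any') that touches 224.0.0.0/4, if any."""
    for net in (dst, src):
        if net.prefixlen > 0 and net.overlaps(MULTICAST_RANGE):
            return net
    return None


def check_capture_acl(line):
    """Report which groups one capture ACL entry can actually see.

    covers_all_groups is True when the multicast side is a supernet of
    224.0.0.0/4, or when both sides are 'any' (which matches every group).
    groups_matched is the first-last group address the entry matches.
    """
    name, _, src, dst = parse_acl_line(line)
    net = _multicast_side(src, dst)
    if net is None:
        both_any = src.prefixlen == 0 and dst.prefixlen == 0
        return {"acl": name, "groups_matched": "all" if both_any else None,
                "covers_all_groups": both_any}
    return {
        "acl": name,
        "groups_matched": f"{net[0]}-{net[-1]}",
        "covers_all_groups": MULTICAST_RANGE.subnet_of(net),
    }


def widened_line(line):
    """Rewrite an entry so its multicast side spans all of 224.0.0.0/4."""
    name, ext, src, dst = parse_acl_line(line)

    def widen(net):
        partial = (net.prefixlen > 0 and net.overlaps(MULTICAST_RANGE)
                   and not MULTICAST_RANGE.subnet_of(net))
        return MULTICAST_RANGE if partial else net

    kw = "extended " if ext else ""
    return f"access-list {name} {kw}permit ip {_fmt(widen(src))} {_fmt(widen(dst))}"


# Capture ACL lines from the reply above, the original poster's permit-any
# line, and one constructed entry that already uses the /4 mask.
SAMPLE_LINES = [
    "access-list cdmz permit ip any 224.0.0.0 255.0.0.0",
    "access-list cdmz permit ip 224.0.0.0 255.0.0.0 any",
    "access-list inside_acl extended permit ip any any",
    "access-list cin-ok permit ip any 224.0.0.0 240.0.0.0",  # constructed
]


def run_checks(lines=SAMPLE_LINES):
    """Return {line: (report, suggested_line)} for every input line."""
    return {ln: (check_capture_acl(ln), widened_line(ln)) for ln in lines}


if __name__ == "__main__":
    for ln, (report, fixed) in run_checks().items():
        print(ln)
        print("   matches groups:", report["groups_matched"],
              "| full range:", report["covers_all_groups"])
        if not report["covers_all_groups"]:
            print("   widen to     :", fixed)
```

The same mask mistake matters for the production ACLs once they are tightened past `permit ip any any`: an entry written with `255.0.0.0` silently drops every group outside 224.0.0.0/8, and the symptom looks identical to a missing mroute.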

multicasting across segments