multicasting across segments

 
 
PL
06-30-2008
To anyone who has ever successfully configured multicasting between
two segments on an ASA5510 v8.0...

I have been working on this for three days, and even got a whole team
of Cisco support engineers involved without much success.

Trying to configure multicasting to/from inside and dmz segments,
needs to be bidirectional.

Below is the starting config, but instead of posting everything we've
tried, I'll just leave it open to start from scratch... Btw, for
testing, we opened up the ACLs all the way as you can see below.

interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.30.1 255.255.255.0
!
interface Ethernet0/3
nameif dmz2
security-level 3
ip address 192.168.105.1 255.255.255.0
!
access-list inside_acl extended permit ip any any
access-list dmz2_acl extended permit ip any any
access-list noNAT extended permit ip 192.168.30.0 255.255.255.0 192.168.105.0 255.255.255.0
access-list dmz2-noNAT extended permit ip 192.168.105.0 255.255.255.0 192.168.30.0 255.255.255.0
!
access-group inside_acl in interface inside
access-group dmz2_acl in interface dmz2
!
nat (inside) 0 access-list noNAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz2) 0 access-list dmz2-noNAT
nat (dmz2) 3 0.0.0.0 0.0.0.0
!
global (outside) 1 [publicIPhidden]
global (outside) 3 [publicIPhidden]
!
 
mcaissie
06-30-2008
I have it working on 7.2(2).

We are talking here about having the multicast source directly on the inside or directly on the dmz2, right? Not x hops away?

Same thing for the client, right?

Enabling multicast-routing was not enough to make it work. I had to add a static multicast route (well, two, since the source may be on either side).

So here is my recipe:

1- Enable multicast-routing

multicast-routing

2- Create multicast routes

mroute 192.168.105.0 255.255.255.0 inside dense dmz2
mroute 192.168.30.0 255.255.255.0 dmz2 dense inside

3- Allow multicast traffic in your acl

You're OK with your permit ip any any, but when you go more granular you will have to specify the destination IP address of the multicast source.

Good luck




PL
06-30-2008
Hmmm... Are you sure that's all there was to it?
It's still not working
You didn't need to define the "rp-address" or anything else like that?

mcaissie
07-02-2008
> You didn't need to define the "rp-address" or anything else like that?

My solution assumes that the multicast source and clients are directly connected on the inside and dmz subnet. Is that your case?

If so, you don't need to activate PIM and you will not have any rendezvous point. If you want the ASA to send the multicast traffic to an RP then it's another ball game.

Where are your multicast source and clients located exactly?

Can you do a couple of captures to see if the multicast traffic is at least reaching your ASA?

access-list cdmz permit ip any 224.0.0.0 255.0.0.0
access-list cdmz permit ip 224.0.0.0 255.0.0.0 any
capture capdmz access-list cdmz interface dmz2

access-list cin permit ip any 224.0.0.0 255.0.0.0
access-list cin permit ip 224.0.0.0 255.0.0.0 any
capture capin access-list cin interface inside




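Added example, not from either poster: a small Python check of which multicast destinations an ASA-style ACL (netmask notation) matches. Run against the capture ACL posted above, it shows that 224.0.0.0 255.0.0.0 covers only 224.0.0.0/8, so groups in 239.x.x.x would not show up in that capture. The sender address, the group addresses, the cdmz_full entry and the granular dmz2_acl entry are constructed for illustration.

```python
import ipaddress

def _take(tok):
    """Consume one address spec; return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]  # address + netmask

def parse_ace(line):
    """Parse 'access-list NAME [extended] permit|deny ip SRC DST'."""
    tok = line.split()
    i = 3 if tok[2] == "extended" else 2
    src, rest = _take(tok[i + 2:])
    dst, _ = _take(rest)
    return tok[i], src, dst

def first_match(aces, src, dst):
    """Action of the first entry matching the flow; ACLs end in an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in aces:
        if s in src_net and d in dst_net:
            return action
    return "deny"

def unmatched(acl_lines, src, groups):
    """Groups from `groups` that the ACL does not permit for sender `src`."""
    aces = [parse_ace(line) for line in acl_lines]
    return [g for g in groups if first_match(aces, src, g) != "permit"]

# Capture ACL exactly as posted in the thread.
THREAD_CAPTURE_ACL = [
    "access-list cdmz permit ip any 224.0.0.0 255.0.0.0",
    "access-list cdmz permit ip 224.0.0.0 255.0.0.0 any",
]
# Constructed: the same capture widened to the whole multicast range 224.0.0.0/4.
FULL_RANGE_ACL = ["access-list cdmz_full permit ip any 224.0.0.0 240.0.0.0"]
# Constructed: a granular interface ACL whose destination is one group address.
GRANULAR_ACL = [
    "access-list dmz2_acl extended permit ip 192.168.105.0 255.255.255.0 host 239.1.1.1",
]
SENDER = "192.168.105.10"                         # constructed host on dmz2
GROUPS = ["224.1.1.1", "239.1.1.1", "239.2.2.2"]  # constructed group addresses

if __name__ == "__main__":
    for name, acl in [("thread capture", THREAD_CAPTURE_ACL),
                      ("full range", FULL_RANGE_ACL), ("granular", GRANULAR_ACL)]:
        print(name, "does not match:", unmatched(acl, SENDER, GROUPS))
```

An empty capture taken with the posted ACL therefore only rules out 224.x.x.x traffic; the group address actually in use decides whether the capture, or a granular interface ACL, sees the stream.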
 
 
 