multicasting across segments

Discussion in 'Cisco' started by PL, Jun 30, 2008.

  1. PL

    PL Guest

    To anyone who has ever successfully configured multicasting between
    two segments on an ASA5510 v8.0...

    I have been working on this for three days, and even got a whole team
    of Cisco support engineers involved without much success.

    Trying to configure multicasting to/from inside and dmz segments,
    needs to be bidirectional.

    Below is the starting config, but instead of posting everything we've
    tried, I'll just leave it open to start from scratch... Btw, for
    testing, we opened up the ACLs all the way as you can see below.

    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.30.1 255.255.255.0
    !
    interface Ethernet0/3
    nameif dmz2
    security-level 3
    ip address 192.168.105.1 255.255.255.0
    !
    access-list inside_acl extended permit ip any any
    access-list dmz2_acl extended permit ip any any
    access-list noNAT extended permit ip 192.168.30.0 255.255.255.0 192.168.105.0 255.255.255.0
    access-list dmz2-noNAT extended permit ip 192.168.105.0 255.255.255.0 192.168.30.0 255.255.255.0
    !
    access-group inside_acl in interface inside
    access-group dmz2_acl in interface dmz2
    !
    nat (inside) 0 access-list noNAT
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (dmz2) 0 access-list dmz2-noNAT
    nat (dmz2) 3 0.0.0.0 0.0.0.0
    !
    global (outside) 1 [publicIPhidden]
    global (outside) 3 [publicIPhidden]
    !
    PL, Jun 30, 2008
    #1

  2. PL

    mcaissie Guest

    I have it working on 7.2(2).

    We are talking here about having the multicast source directly on the
    inside or directly on the dmz2, right? Not x hops away?

    Same thing for the client, right?

    Enabling multicast-routing was not enough to make it work. I had to add a
    static multicast route (well, two, since the source may be on either side).

    So here is my recipe:

    1- Enable multicast-routing

    multicast-routing

    2- Create multicast routes

    mroute 192.168.105.0 255.255.255.0 inside dense dmz2
    mroute 192.168.30.0 255.255.255.0 dmz2 dense inside

    3- Allow multicast traffic in your ACL

    You're OK with your permit ip any any, but when you go more granular you
    will have to specify the destination IP address of the multicast source.

    Good luck
    mcaissie, Jun 30, 2008
    #2
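
Added example (not part of the thread, and not either poster's configuration): step 3 of the recipe above, with the test-only `permit ip any any` entries replaced by permits for the multicast flow alone. The group address 239.1.1.1 and UDP port 5004 are constructed placeholders; interface names, ACL names and subnets are the ones from the posted config.

```cisco
! Added example, not from the original posts.
! Constructed placeholders: group 239.1.1.1, UDP port 5004.
!
! Weak (testing only, as posted):
!   access-list inside_acl extended permit ip any any
!   access-list dmz2_acl extended permit ip any any
!
! Tightened: add the specific permits first so traffic keeps flowing,
! then remove the any/any entries.
access-list inside_acl extended permit udp 192.168.30.0 255.255.255.0 host 239.1.1.1 eq 5004
access-list dmz2_acl extended permit udp 192.168.105.0 255.255.255.0 host 239.1.1.1 eq 5004
!
! (Add whatever unicast permits the two segments still need here,
!  before the any/any entries are removed.)
!
no access-list inside_acl extended permit ip any any
no access-list dmz2_acl extended permit ip any any
!
! Explicit logged deny, so drops that the implicit deny would discard
! silently show up in syslog while the rule set is being tuned.
access-list inside_acl extended deny ip any any log
access-list dmz2_acl extended deny ip any any log
!
! Check that the new multicast entries are taking hits.
show access-list inside_acl
show access-list dmz2_acl
```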

  3. PL

    PL Guest

    Hmmm... Are you sure that's all there was to it?
    It's still not working :(
    You didn't need to define the "rp-address" or anything else like that?

    PL, Jun 30, 2008
    #3
  4. PL

    mcaissie Guest

    > You didn't need to define the "rp-address" or anything else like that?

    My solution assumes that the multicast source and clients are directly
    connected on the inside and dmz subnets. Is that your case?

    If so, you don't need to activate PIM and you will not have any rendezvous
    point. If you want the ASA to send the multicast traffic to an RP, then it's
    another ball game.

    Where are your multicast source and clients located exactly?

    Can you do a couple of captures to see if the multicast traffic is at least
    reaching your ASA?

    ! Mask 240.0.0.0 matches the whole multicast range 224.0.0.0/4
    access-list cdmz permit ip any 224.0.0.0 240.0.0.0
    access-list cdmz permit ip 224.0.0.0 240.0.0.0 any
    capture capdmz access-list cdmz interface dmz2

    access-list cin permit ip any 224.0.0.0 240.0.0.0
    access-list cin permit ip 224.0.0.0 240.0.0.0 any
    capture capin access-list cin interface inside

    mcaissie, Jul 2, 2008
    #4