Tyson,

Thank you for your fast response.

Only PIM needs to be enabled?
And what if the KS is in the outside zone and the GMs are in the inside, what
will be the outside ACL in this case?

Best Regards,
Mohamed Shams
Senior Network Security Engineer
Mob. +971505547296 / +971559814508 (UAE)
Mob. +20102340178 (Egypt)


--- On Sun, 12/6/09, Tyson Scott <[email protected]> wrote:

From: Tyson Scott <[email protected]>
Subject: RE: [OSL | CCIE_Security] GETVPN multicast rekey
To: "'Mohamed Shams'" <[email protected]>, [email protected]
Date: Sunday, December 6, 2009, 10:21 AM

Mohamed, 

It depends. Are you running multi context or single context? Single context you need to
enable PIM on the firewall as well as all the rest of the devices that will be
communicating with it.

Multi context routed mode doesn't support multicast so you need to provide a workaround.

I actually put this in Lab17 and Lab20 due to the recent comment by Yusuf on Cisco's Cert
Forum that you guys should know basic multicast because it was the only thing that I could
think of that would require you to use multicast in the lab. Maybe something else
would require it as well but I can't think of anything else.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S, Voice & Security), CCNP,
CCVP, CCSP and CCIE (R&S, Voice, Security & Service Provider) Certification Training with locations
throughout the United States, Europe and Australia. Be sure to check out our online communities at
www.ipexpert.com/communities and our public website at www.ipexpert.com
From: [email protected] [mailto:[email protected]] On Behalf Of Mohamed Shams
Sent: Sunday, December 06, 2009 2:57 AM
To: [email protected]
Subject: [OSL | CCIE_Security] GETVPN multicast rekey

Hi all,

I have an ASA firewall between the key server (KS) and its group members (GMs),
where the KS is in the inside zone and the GMs are in the outside zone. The
GMs registered successfully with the KS and traffic is encrypted/decrypted
without any problems, but the only problem is that the GMs don't receive the
rekey messages, provided that the rekey is multicast.

My question is what should be done on the firewall to allow multicast
rekeying.

Thank you.

Best Regards,
Mohamed Shams
Senior Network Security Engineer
Mob. +971505547296 / +971559814508 (UAE)
Mob. +20102340178 (Egypt)
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com
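To make Tyson's "enable PIM on the firewall" concrete for Mohamed's second scenario (KS in the outside zone, GMs inside), the following ASA configuration is an added example written for this thread; it is not configuration posted by either participant or by IPexpert. It assumes a single-context, routed-mode ASA, and every address in it is a placeholder: the KS at 203.0.113.10, the GMs in 10.1.1.0/24, the PIM RP at 203.0.113.1, and the rekey multicast group 239.192.1.190. The GDOI port (UDP 848) is the real protocol port; the rest is assumed.

```cisco
! Added example (not from the thread). Single-context routed-mode ASA assumed;
! all addresses and the group 239.192.1.190 are placeholders.
!
! Turning on multicast routing enables PIM sparse mode and IGMP on every
! interface, which is the "enable PIM on the firewall" step from the reply.
multicast-routing
!
! Sparse mode needs a rendezvous point; assumed to be the router on the
! KS side of the firewall.
pim rp-address 203.0.113.1
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! Inbound ACL on the lower-security (outside) interface. The multicast rekey
! is sent by the KS as GDOI (UDP 848) to the group address, so that is the
! only new entry this scenario needs; GM registration is GM-initiated
! (inside to outside) and its replies come back through the stateful
! connection table.
access-list OUTSIDE_IN extended permit udp host 203.0.113.10 host 239.192.1.190 eq 848
access-group OUTSIDE_IN in interface outside
```

With this in place the inside GMs join 239.192.1.190 via IGMP on the inside interface, the ASA sends a PIM join toward the RP, and the KS's rekey packets are forwarded through the outside ACL. Two checks worth running on the ASA are `show mroute` (the (S,G) or (*,G) entry for the rekey group should appear once a GM has joined) and `show pim neighbor` (the outside-side router must show up as a PIM neighbor). The reverse case from the original question (KS inside, GMs outside) needs the same `multicast-routing` and RP configuration; the rekey then flows from the higher- to the lower-security interface, so no additional outside ACL entry is required for it. For the multi-context case Tyson mentions, the usual workaround (stated here from general GETVPN knowledge, not from the thread) is to configure the KS for unicast rekey, which the firewall then handles as ordinary UDP 848 traffic.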
