Mohamed,
Again you are still going to be enabling PIM but you would then need to allow the multicast feed thru the firewall. access-list OUT_TO_IN permit udp host <key-server> host <Multicast-group> eq <specific-port-numbers if you know them> (At least I assume you would need the ACL for the multicast feeds. I haven’t actually run multicast from the outside to inside yet. Will test it tomorrow and respond if I am wrong.) When I used to be in charge of Security, working in real world, we always had to run GRE tunnels thru the PIX with static mroute’s to pass the multicast traffic. Prior to 7.0 the PIX didn’t support multicast at all. You should try the new labs and see if helps you for your problem. We actually spent a great deal of time explaining multicast and how it functions so I hope it is helpful. (At least enough for what you would need to know for the Security Lab.) It definitely doesn’t go into the detail of our R&S and SP books as there is a lot more to know. Regards, Tyson Scott - CCIE #13513 R&S, Security, and SP Technical Instructor - IPexpert, Inc. Mailto: [email protected] Telephone: +1.810.326.1444, ext. 208 Live Assistance, Please visit: <http://www.ipexpert.com/chat> www.ipexpert.com/chat eFax: +1.810.454.0130 From: Mohamed Shams [mailto:[email protected]] Sent: Sunday, December 06, 2009 3:43 AM To: [email protected]; Tyson Scott Subject: RE: [OSL | CCIE_Security] GETVPN multicast rekey Tyson thank you for your fast response , only PIM needs to be enabled ? and what if the KS is in the outside zone and the GM's in the inside , what will be the outside acl in this case ? Best Regards, Mohamed Shams Senior Network Security Engineer Mob. +971505547296 / +971559814508 (UAE) Mob. +20102340178 (Egypt) --- On Sun, 12/6/09, Tyson Scott <[email protected]> wrote: From: Tyson Scott <[email protected]> Subject: RE: [OSL | CCIE_Security] GETVPN multicast rekey To: "'Mohamed Shams'" <[email protected]>, [email protected] Date: Sunday, December 6, 2009, 10:21 AM Mohamed, It depends. Are you running multi context or single context? Single context you need to enable PIM on the firewall as well as all the rest of the devices that will be communicating with it. Multi context routed mode doesn’t support multicast so you need to provide a workaround. I actually put this in Lab17 and Lab20 due to the recent comment by Yusuf on Cisco’s Cert Forum that you guys should know basic multicast because it was the only thing that I could think that would require you to use multicast in the lab. Maybe something would require it as well but I can’t think of anything else. Regards, Tyson Scott - CCIE #13513 R&S, Security, and SP Technical Instructor - IPexpert, Inc. Mailto: [email protected] Telephone: +1.810.326.1444, ext. 208 Live Assistance, Please visit: <http://www.ipexpert.com/chat> www.ipexpert.com/chat eFax: +1.810.454.0130 IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service Provider) Certification Training with locations throughout the United States, Europe and Australia. Be sure to check out our online communities at <http://www.ipexpert.com/communities> www.ipexpert.com/communities and our public website at <http://www.ipexpert.com> www.ipexpert.com From: [email protected] [mailto:[email protected]] On Behalf Of Mohamed Shams Sent: Sunday, December 06, 2009 2:57 AM To: [email protected] Subject: [OSL | CCIE_Security] GETVPN multicast rekey Hi all I have an ASA firewall between the key server (KS) and its group members (GM) , where the KS in the inside zone and the GMs are in the outside zone , GMs registered successfully with the KS and traffic is encrypted/decrypted without any problems , but the only problem that the GM's don't receive the rekey messages provided that the rekey is multicast my question is what should be done on the firewall to allow multicast rekeying . thank you Best Regards, Mohamed Shams Senior Network Security Engineer Mob. +971505547296 / +971559814508 (UAE) Mob. +20102340178 (Egypt)
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
