Hi Tyson/Mohamed, I think the following should be enough, right?

GM ----------------- inside ASA outside -------------------- KS

    multicast-routing
    mroute 0 0 <next hop>
    interface g0/0
     nameif outside
     igmp join-group <multicast address>
    interface g0/1
     nameif inside
     igmp forward interface outside

The GM gets the multicast address from the KS and starts listening for it. Since the ASA is in between, we can configure it for SMR. The ASA will join the multicast group and start forwarding the multicast request. Since the multicast request is from inside, no hole needs to be punched with an ACL to permit the multicast inside.

Please correct me if I am wrong.

With regards
Kings

On Mon, Dec 7, 2009 at 9:01 AM, Tyson Scott <[email protected]> wrote:
> Mohamed,
>
> Again you are still going to be enabling PIM, but you would then need to
> allow the multicast feed through the firewall.
>
>     access-list OUT_TO_IN permit udp host <key-server> host <Multicast-group> eq <specific-port-numbers if you know them>
>
> (At least I assume you would need the ACL for the multicast feeds. I
> haven't actually run multicast from the outside to inside yet. Will test it
> tomorrow and respond if I am wrong.)
>
> When I used to be in charge of Security, working in the real world, we always
> had to run GRE tunnels through the PIX with static mroutes to pass the
> multicast traffic. Prior to 7.0 the PIX didn't support multicast at all.
>
> You should try the new labs and see if it helps you with your problem. We
> actually spent a great deal of time explaining multicast and how it
> functions, so I hope it is helpful. (At least enough for what you would need
> to know for the Security Lab.) It definitely doesn't go into the detail of
> our R&S and SP books, as there is a lot more to know.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> From: Mohamed Shams [mailto:[email protected]]
> Sent: Sunday, December 06, 2009 3:43 AM
> To: [email protected]; Tyson Scott
> Subject: RE: [OSL | CCIE_Security] GETVPN multicast rekey
>
> Tyson,
>
> Thank you for your fast response.
>
> Only PIM needs to be enabled? And what if the KS is in the outside zone and
> the GMs are in the inside; what will be the outside ACL in this case?
>
> Best Regards,
> Mohamed Shams
> Senior Network Security Engineer
> Mob. +971505547296 / +971559814508 (UAE)
> Mob. +20102340178 (Egypt)
>
> --- On Sun, 12/6/09, Tyson Scott <[email protected]> wrote:
>
> From: Tyson Scott <[email protected]>
> Subject: RE: [OSL | CCIE_Security] GETVPN multicast rekey
> To: "'Mohamed Shams'" <[email protected]>, [email protected]
> Date: Sunday, December 6, 2009, 10:21 AM
>
> Mohamed,
>
> It depends. Are you running multi context or single context? In single
> context you need to enable PIM on the firewall as well as on all the rest of
> the devices that will be communicating with it.
>
> Multi context routed mode doesn't support multicast, so you need to provide
> a workaround.
>
> I actually put this in Lab17 and Lab20 due to the recent comment by Yusuf
> on Cisco's Cert Forum that you guys should know basic multicast, because it
> was the only thing that I could think of that would require you to use
> multicast in the lab. Maybe something else would require it as well, but I
> can't think of anything else.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Mohamed Shams
> Sent: Sunday, December 06, 2009 2:57 AM
> To: [email protected]
> Subject: [OSL | CCIE_Security] GETVPN multicast rekey
>
> Hi all,
>
> I have an ASA firewall between the key server (KS) and its group members
> (GMs), where the KS is in the inside zone and the GMs are in the outside
> zone. The GMs registered successfully with the KS and traffic is
> encrypted/decrypted without any problems, but the only problem is that the
> GMs don't receive the rekey messages, given that the rekey is multicast.
>
> My question is: what should be done on the firewall to allow multicast
> rekeying?
>
> Thank you.
>
> Best Regards,
> Mohamed Shams
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
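A worked ASA configuration for the scenario Kings sketches (KS on the outside, GMs on the inside, rekey delivered to a multicast group via stub multicast routing), added here as an example; it is not from any of the posters. The interface names, the KS address 192.0.2.10, the ASA addresses and the rekey group 239.1.1.1 are assumptions. The ACL entry follows Tyson's suggestion: the rekey arrives on the lower-security interface, so it needs an explicit permit, and GDOI (registration and rekey) uses UDP port 848.

```cisco
! Added example, not from the thread. Assumed: KS 192.0.2.10 on the outside,
! GMs on the inside, rekey group 239.1.1.1.
multicast-routing
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
 ! Static join so the ASA pulls the group even before a GM sends a report
 igmp join-group 239.1.1.1
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 ! Stub multicast routing: relay the GMs' IGMP reports toward the KS
 igmp forward interface outside
!
! RPF entry: multicast sourced by the KS must arrive on the outside interface
mroute 192.0.2.10 255.255.255.255 outside
!
! The rekey is lower-to-higher-security traffic, so the outside ACL must
! permit it; GDOI rekey is UDP/848 from the KS to the group address.
access-list OUT_TO_IN extended permit udp host 192.0.2.10 host 239.1.1.1 eq 848
access-group OUT_TO_IN in interface outside
```

After a GM has registered, `show igmp groups` should list 239.1.1.1 on the outside interface and `show mroute` should show an entry for the group with the inside interface in the outgoing list; `packet-tracer input outside udp 192.0.2.10 848 239.1.1.1 848` confirms whether the ACL and the multicast lookup both allow the rekey through before you wait for the next rekey timer.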
