Kingsley,

 

The purpose of using a static mroute is to rectify RPF failures when your
multicast feed is coming from a different direction than the IP routing
table states, i.e. your routing table states to get to 1.1.1.1 via the DMZ
interface but you are receiving a multicast feed on interface inside from
1.1.1.1.  Using the static mroute states: I know I need to get to 1.1.1.1 for
IP routing via DMZ, but it is OK if I receive multicast feeds via my inside
interface sourced from 1.1.1.1.

 

You can have an interface on the firewall join a group for testing but you
shouldn't have the firewall join the group permanently unless it needs to
listen to the feed.  Otherwise you are just wasting resources.  Which in the
case of KEK the firewall is not participating so you are wasting resources. 

 

I will get back with you tomorrow morning with a working configuration based
on best practices to confirm what I stated below.

 

Regards,

 

Tyson Scott - CCIE #13513 R&S, Security, and SP

Technical Instructor - IPexpert, Inc.

Mailto: [email protected]

Telephone: +1.810.326.1444, ext. 208

Live Assistance, Please visit: www.ipexpert.com/chat

eFax: +1.810.454.0130

 

IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S,
Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service
Provider) Certification Training with locations throughout the United
States, Europe and Australia. Be sure to check out our online communities at
www.ipexpert.com/communities and our public website at www.ipexpert.com

 

From: Kingsley Charles [mailto:[email protected]] 
Sent: Sunday, December 06, 2009 11:46 PM
To: Tyson Scott
Cc: Mohamed Shams; [email protected]
Subject: Re: [OSL | CCIE_Security] GETVPN multicast rekey

 

Hi Tyson/Mohamed

 

I think the following should be enough, right?

 

 

GM ----------------- inside ASA outside -------------------- KS

 

 

multicast-routing

mroute 0.0.0.0 0.0.0.0 <next hop>

interface g0/0
 nameif outside
 igmp join-group <multicast address>

interface g0/1
 nameif inside
 igmp forward interface outside

 

The GM gets the multicast address from the KS and starts listening for it.
Since the ASA is in between, we can configure it for SMR.  The ASA will join the
multicast group and start forwarding the multicast request.

 

 

 

Since the multicast request is from inside, no hole needs to be punched
with an ACL to permit the multicast inside.

 

Please correct me, if I am wrong.

 

 

With regards

Kings
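As an added example (not a configuration from anyone in this thread), the
following ASA single-context routed-mode configuration puts together the two
points discussed above: Tyson's static mroute, which overrides the unicast
routing table for the RPF check only, and the ACL from his earlier reply for
a feed that has to cross from a lower- to a higher-security interface. The
topology is the one Kingsley drew (KS on outside, GMs on inside), with the
twist from Tyson's RPF description: the unicast route to the KS points out a
third interface (dmz), so the rekey feed arriving on outside would fail RPF
without the mroute. All addresses, interface names, the group 239.1.1.1 and
the dmz next hop are constructed placeholders; UDP 848 is the GDOI port
(RFC 6407).

```cisco
! Added example, not from the thread. ASA 8.x, single context, routed mode.
! Constructed addressing: outside 203.0.113.0/24, inside 10.1.1.0/24,
! dmz 198.51.100.0/24. KS = 203.0.113.10 (reached via outside).
multicast-routing
!
! PIM is enabled on every interface by default once multicast-routing is on;
! it is shown explicitly here for clarity.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
 pim
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 pim
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 198.51.100.1 255.255.255.0
!
! Unicast path to the KS goes out the dmz (constructed to create the RPF
! mismatch Tyson describes) ...
route dmz 203.0.113.10 255.255.255.255 198.51.100.2 1
!
! ... but the rekey feed from the KS arrives on outside. The ASA consults
! static mroutes before the unicast table for RPF, so the feed is accepted on
! outside while unicast to the KS still leaves via dmz.
mroute 203.0.113.10 255.255.255.255 outside
!
! Multicast from outside (security 0) to inside (security 100) is still
! subject to the inbound ACL on outside, just like unicast.
access-list OUT_TO_IN extended permit udp host 203.0.113.10 host 239.1.1.1 eq 848
access-group OUT_TO_IN in interface outside
!
! Read-only checks after the GMs have joined the rekey group:
!   show mroute 239.1.1.1   (incoming interface should be outside, inside in the OIL)
!   show pim neighbor
!   show igmp groups
```

Note that no `igmp join-group` is configured on the firewall: per Tyson's
point, the ASA only needs to join a group itself for a quick test, not as a
permanent setting, because it is not a GETVPN participant.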

On Mon, Dec 7, 2009 at 9:01 AM, Tyson Scott <[email protected]> wrote:

Mohamed,

 

Again you are still going to be enabling PIM but you would then need to
allow the multicast feed thru the firewall.

 

access-list OUT_TO_IN permit udp host <key-server> host <Multicast-group> eq
<specific-port-numbers if you know them>

 

(At least I assume you would need the ACL for the multicast feeds.  I
haven't actually run multicast from the outside to inside yet.  Will test it
tomorrow and respond if I am wrong.)

 

When I used to be in charge of Security, working in the real world, we always
had to run GRE tunnels thru the PIX with static mroutes to pass the
multicast traffic.  Prior to 7.0 the PIX didn't support multicast at all.

 

You should try the new labs and see if it helps you with your problem.  We
actually spent a great deal of time explaining multicast and how it
functions so I hope it is helpful.  (At least enough for what you would need
to know for the Security Lab.) It definitely doesn't go into the detail of
our R&S and SP books as there is a lot more to know.

 

Regards,

 

Tyson Scott - CCIE #13513 R&S, Security, and SP

Technical Instructor - IPexpert, Inc.

Mailto: [email protected]

Telephone: +1.810.326.1444, ext. 208

Live Assistance, Please visit: www.ipexpert.com/chat

eFax: +1.810.454.0130

 

 

From: Mohamed Shams [mailto:[email protected]] 
Sent: Sunday, December 06, 2009 3:43 AM
To: [email protected]; Tyson Scott 


Subject: RE: [OSL | CCIE_Security] GETVPN multicast rekey

 


Tyson 

Thank you for your fast response.

Only PIM needs to be enabled?
And what if the KS is in the outside zone and the GMs in the inside? What
will be the outside ACL in this case?



Best Regards,

Mohamed Shams 

Senior Network Security Engineer

Mob. +971505547296 / +971559814508 (UAE)
Mob. +20102340178 (Egypt)



--- On Sun, 12/6/09, Tyson Scott <[email protected]> wrote:


From: Tyson Scott <[email protected]>
Subject: RE: [OSL | CCIE_Security] GETVPN multicast rekey
To: "'Mohamed Shams'" <[email protected]>,
[email protected]
Date: Sunday, December 6, 2009, 10:21 AM

Mohamed,

 

It depends.  Are you running multi context or single context?  Single
context you need to enable PIM on the firewall as well as all the rest of
the devices that will be communicating with it.

 

Multi context routed mode doesn't support multicast so you need to provide a
workaround.

 

I actually put this in Lab17 and Lab20 due to the recent comment by Yusuf on
Cisco's Cert Forum that you guys should know basic multicast because it was
the only thing that I could think that would require you to use multicast in
the lab.  Maybe something would require it as well but I can't think of
anything else.

 

Regards,

 

Tyson Scott - CCIE #13513 R&S, Security, and SP

Technical Instructor - IPexpert, Inc.

Mailto: [email protected]

Telephone: +1.810.326.1444, ext. 208

Live Assistance, Please visit: www.ipexpert.com/chat

eFax: +1.810.454.0130

 

IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S,
Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service
Provider) Certification Training with locations throughout the United
States, Europe and Australia. Be sure to check out our online communities at
www.ipexpert.com/communities and our public website at www.ipexpert.com

 

From: [email protected]
[mailto:[email protected]] On Behalf Of Mohamed
Shams
Sent: Sunday, December 06, 2009 2:57 AM
To: [email protected]
Subject: [OSL | CCIE_Security] GETVPN multicast rekey

 



Hi all

I have an ASA firewall between the key server (KS) and its group members
(GMs), where the KS is in the inside zone and the GMs are in the outside zone.
The GMs registered successfully with the KS and traffic is encrypted/decrypted
without any problems, but the only problem is that the GMs don't receive the
rekey messages, given that the rekey is multicast.

My question is: what should be done on the firewall to allow multicast
rekeying?

Thank you

Best Regards,

Mohamed Shams 

Senior Network Security Engineer

Mob. +971505547296 / +971559814508 (UAE)
Mob. +20102340178 (Egypt)

 

 


_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com

 
