Guys,

 

As you guys are throwing stuff out without truly understanding the topic, I
will give you the configuration you should do :-)

 

KS
<global>
ip multicast-routing
ip pim rp-address <key-server-address>
!
<interfaces>
ip pim sparse-mode

ASA
<global>
multicast-routing
pim rp-address <key-server-address>
<interfaces>
pim

(Make sure you are also allowing the traffic from the GM to the KS)

GM
<global>
ip multicast-routing
ip pim rp-address <key-server-address>
!
<interfaces>
ip pim sparse-mode
 

So the ASA supports running in stub multicast mode, PIM sparse mode, or PIM
bidir mode. Now, because the KS and GM are directly connected to the ASA and
you didn't enable PIM, it is forwarding out the interfaces without checking
whether it should or not. But if you want to properly configure multicast
routing, the configuration that I have given you above is the correct
configuration.

 

Bartlett,

 

With your first configuration you were adding the multicast group statically
to the GMs. That is not necessary, as they will request group membership
for the multicast group as soon as they register with the key server.

 

The configuration below is not proper either, as SSM relies on IGMP version
3 or version 3 lite. Neither of these is shown, and configuring SSM is
probably one of the more complex multicast implementations you can do. SSM
is designed for when you want to run multicast through an ISP network or the
internet and you need to announce your networks using BGP MDT address
families. Very important to know for the Service Provider test. Not too
applicable to the Security test.

 

I have actually spent a great deal of time adding this information into the
updated material for the Video on Demand that I hope to be finished with
later this week.

 

Regards,

 

Tyson Scott - CCIE #13513 R&S, Security, and SP

Technical Instructor - IPexpert, Inc.

Mailto: [email protected]

Telephone: +1.810.326.1444, ext. 208

Live Assistance, please visit: http://www.ipexpert.com/chat

eFax: +1.810.454.0130

 

IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S,
Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service
Provider) Certification Training with locations throughout the United
States, Europe and Australia. Be sure to check out our online communities at
http://www.ipexpert.com/communities and our public website at
http://www.ipexpert.com

 

From: [email protected]
[mailto:[email protected]] On Behalf Of Bartlett
Graham A
Sent: Tuesday, March 09, 2010 8:31 AM
To: 'Kingsley Charles'
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] GETVPN and multicast through ASA

 

From memory, I based my config on the following information and testing in my
lab. To repeat myself again: "I'm not 100% sure if this is the correct
config, but I know that it worked for me.." ;-)

 

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/deployment_guide_c07_554713.html

 

Group Member Configuration for Multicast Rekey

The following configuration needs to be added to the GMs to receive multicast
rekey. This can be used only if multicast routing is enabled on the rest of the
network. The configuration below uses SSM for multicast. The configuration may
need to be changed according to the existing multicast mechanism deployed in
the network.

ip multicast-routing
! Enable SSM
ip igmp ssm-map enable
ip pim ssm range 1
! ACL used in ssm range command
access-list 1 permit 239.192.1.190 0.0.0.0
interface FastEthernet4
 ! Interface where crypto map is applied
 ip pim sparse-mode
 ! Join for each KS serving the group
 ip igmp join-group 239.192.1.190 source <IP-Addr-of-KS-1>
 ip igmp join-group 239.192.1.190 source <IP-Addr-of-KS-2>

 

  _____  

From: [email protected]
[mailto:[email protected]] On Behalf Of Kingsley
Charles
Sent: 09 March 2010 11:58
To: Bartlett Graham A
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] GETVPN and multicast through ASA

Hi Bartlett

 

Why do you need the following on GM:

 

ip igmp join-group multicast_address
ip multicast-routing

When the GM downloads the rekey policy, it starts listening to the
multicast address sent by the KS through the ACL having the multicast address.
There is no need to enable multicast routing and join-group.

 

Either the ASA should be configured as an SMR IGMP proxy, where it just forwards
the IGMP, or make the ASA part of the multicast routing.

With regards

Kings

On Tue, Mar 9, 2010 at 4:48 PM, Bartlett Graham A
<[email protected]> wrote:

From my notes, with the KS on the inside of the ASA, from memory this worked
and the rekey was performed using multicast. I'm not 100% sure if this is
the correct config, but I know that it worked for me..

 

On the ASA 

 

you need an ACL to allow multicast traffic in.

multicast-routing
pim rp-address address_of_KS

on KS

ip multicast-routing
ip pim sparse-mode
ip pim rp-address address_of_KS

on GM

ip igmp join-group multicast_address
ip multicast-routing

 

  _____  

From: [email protected]
[mailto:[email protected]] On Behalf Of Michael
Davis
Sent: 09 March 2010 11:03
To: Badar Farooq
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] GETVPN and multicast through ASA

 

Hi - Yes it took a while.  It has stopped working.  When I issued the "clear
crypto isakmp" command it stopped working.  So now I can try to work out how
to get the multicast through the ASA. 

 

From: Badar Farooq [mailto:[email protected]] 
Sent: Tuesday, March 09, 2010 9:56 PM
To: Michael Davis
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] GETVPN and multicast through ASA

 

Well, the registration would work fine. Reduce the rekey retransmit time to
the minimum and run debugs on the GMs to see if you are receiving rekeys once
they are retransmitted. (Alternatively, you can change the ACL to force a
rekey.) But remember, clearing GDOI on GMs or any change on GMs will cause
re-registration, which will work fine. (It's unicast and in the opposite
direction.)

With an ASA in between, multicast rekey should NOT work. But let's first make
sure it's not working and then we can implement the workarounds later.

On Tue, Mar 9, 2010 at 1:49 PM, Michael Davis <[email protected]>
wrote:

Hi Everyone - I configured a GETVPN using three 1760s running 12.4(15)T. I
put an ASA 5510 between the KS and the two GMs. I set the keying as unicast,
which worked fine. I changed the keying to multicast and it is still
working?? Shouldn't I have to do something on the ASA to pass multicast
traffic for GETVPN? I vaguely remember Tyson doing this in the bootcamp to
make it work, so I am a bit confused.

Can anyone please clarify what we need to do if a GETVPN using multicast
keys traverses an ASA or another router?

Thanks

Michael


_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com <http://www.ipexpert.com/> 

 

"This e-mail is intended for the recipient only. If you are not the
intended recipient you must not use, disclose, distribute, copy, print,
or rely upon this e-mail. If an addressing or transmission error has
misdirected this e-mail, please notify the author by replying to this
e-mail."

 

"Recipients should note that all e-mail traffic on MOD systems is
subject to monitoring and auditing."


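Editor's worked example (added to this thread; it is not from any of the posters or from the Cisco deployment guide): the PIM sparse-mode layout Tyson describes, carried through end to end for one KS on the ASA inside interface and one GM on the outside, including the ASA access list the thread says must not be forgotten. Every address, interface, name and the pre-shared key below is an assumption for the example; the rekey group 239.192.1.190 is the one used in the thread, and UDP 848 is the standard GDOI port. No NAT is assumed between GM and KS, and the ISAKMP/IPsec settings are kept to the minimum needed to register.

```cisco
! ===== KS (inside the ASA)  -- assumed addressing: KS 10.1.1.10, ASA inside 10.1.1.1 =====
ip multicast-routing
ip pim rp-address 10.1.1.10
ip route 10.2.2.0 255.255.255.0 10.1.1.1
!
interface FastEthernet0/0
 ip address 10.1.1.10 255.255.255.0
 ip pim sparse-mode
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key GETVPN-PSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto ipsec profile GDOI_PROF
 set transform-set TS
!
! Rekey ACL: GDOI (UDP 848) from the KS to the multicast group. Once a rekey
! address is configured the rekey transport is multicast by default.
ip access-list extended REKEY_MCAST
 permit udp host 10.1.1.10 eq 848 host 239.192.1.190 eq 848
ip access-list extended GETVPN_TRAFFIC
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
!
! GETVPN_KEYS must exist first: crypto key generate rsa label GETVPN_KEYS modulus 2048
crypto gdoi group GETVPN
 identity number 1234
 server local
  rekey address ipv4 REKEY_MCAST
  rekey authentication mypubkey rsa GETVPN_KEYS
  rekey retransmit 10 number 2
  sa ipsec 1
   profile GDOI_PROF
   match address ipv4 GETVPN_TRAFFIC
!
! ===== ASA (KS on inside, GMs on outside) -- assumed outside 10.2.2.1, GMs 10.2.2.0/24 =====
multicast-routing
pim rp-address 10.1.1.10
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.2.2.1 255.255.255.0
 pim
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 pim
!
! Registration is unicast GDOI (UDP 848) from each GM to the KS and arrives on
! the lower-security interface, so it must be permitted explicitly. The rekey
! goes inside -> outside as multicast and is forwarded because PIM is enabled
! on both interfaces and the ASA knows the RP (the KS).
access-list OUTSIDE_IN extended permit udp 10.2.2.0 255.255.255.0 host 10.1.1.10 eq 848
access-group OUTSIDE_IN in interface outside
!
! ===== GM (outside the ASA) -- assumed 10.2.2.11; a second GM is identical with its own address =====
ip multicast-routing
ip pim rp-address 10.1.1.10
ip route 10.1.1.0 255.255.255.0 10.2.2.1
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key GETVPN-PSK address 10.1.1.10
!
crypto gdoi group GETVPN
 identity number 1234
 server address ipv4 10.1.1.10
!
crypto map GETVPN_MAP 10 gdoi
 set group GETVPN
!
interface FastEthernet0/0
 ip address 10.2.2.11 255.255.255.0
 ip pim sparse-mode
 crypto map GETVPN_MAP
! No "ip igmp join-group" here: the GM joins 239.192.1.190 on its own once it
! has downloaded the rekey policy from the KS.
!
! ===== Checks =====
! KS : show crypto gdoi ks members     (both GMs registered)
!      show ip mroute 239.192.1.190    (outgoing interface toward the ASA)
! ASA: show mroute 239.192.1.190       (inside -> outside entry present)
!      show pim neighbor               (KS and GMs seen as PIM neighbours)
! GM : show crypto gdoi                (rekey counters increase after a rekey;
!      as noted in the thread, editing GETVPN_TRAFFIC on the KS forces one)
```

If you would rather not make the ASA a PIM router, the stub-multicast alternative Kingsley mentions is `igmp forward interface inside` on the ASA outside interface in place of `pim`, which simply relays the GMs' IGMP reports toward the KS; the access list for UDP 848 is needed either way, because registration is unicast from the lower-security side.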
