When R2 sends icmp request to 239.1.2.3

Src IP = 10.20.30.42
Dest IP = 239.1.2.3

When R1 replies,

Src IP = 10.20.30.41
Dest IP = 10.20.30.42

The request was sent to multicast address but the reply is being unicasted. The reply doesn't match the request session and hence ASA drops the reply.

Hence we need to allow icmp using ACLs not using icmp inspect.

With regards
Kings

On Wed, Sep 8, 2010 at 2:32 PM, Johan Bornman <[email protected]> wrote:

> Kings,
>
> What does “inspection” do to the packet?
>
> Johan
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Kingsley Charles
> *Sent:* 08 September 2010 10:33 AM
> *To:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] Multicast traffic across Transparent firewall
>
> Got the problem. I had the icmp inspection enabled. Since the reply was
> unicast back to r2, the inspection caused the response to be dropped.
> Disabling the icmp inspection solved the issue.
>
> With regards
> Kings
>
> On Wed, Sep 8, 2010 at 12:51 PM, Kingsley Charles <[email protected]> wrote:
>
> Hi all
>
> I am trying to send multicast traffic across the ASA in transparent mode.
>
> r1 10.20.30.41 -----------asa----------------- 10.20.30.42 r2
> 10.20.30.47
>
> r1
> ==
>
> int f0/0
> ip igmp join-group 239.1.2.3
>
> ASA
> ===
>
> access-list inbound permit ip any host 239.1.2.3
> access-list outbound permit ip any any
>
> access-group inbound in interface outside
> access-group outbound in interface inside
>
> When I ping 239.1.2.3 from r2, I see the counters incremented in the
> access-list and also the packet capture shows that R1 replies to multicast
> packet. But I don't see replies on R1.
> Even if the capture on ASA shows response from R1, I think it is being
> dropped by ASA.
>
> Any thoughts?
>
> asa1(config)# sh capture mut
>
> 1325 packets captured
> 1: 12:18:14.311492 802.3 encap packet
> 2: 12:18:16.316267 802.3 encap packet
> 3: 12:18:16.316283 802.3 encap packet
> 4: 12:18:17.531314 10.20.30.42 > 239.1.2.3: icmp: echo request
> 5: 12:18:17.531405 10.20.30.42 > 239.1.2.3: icmp: echo request
> 6: 12:18:17.532305 10.20.30.41 > 10.20.30.42: icmp: echo reply
> 7: 12:18:18.320967 802.3 encap packet
> 8: 12:18:18.320982 802.3 encap packet
> 9: 12:18:20.325865 802.3 encap packet
> 10: 12:18:20.325880 802.3 encap packet
> 11: 12:18:20.616987 001b.d585.7889 001b.d585.7889 0x9000 60:
>
> With regards
> Kings
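The session mismatch described at the top of the thread, as a simplified model run over packets 4-6 of the quoted capture. This is an added example, not part of the original posts and not the ASA's actual inspection code; the exact-address matching rule and the `CONTROL` capture are assumptions made for illustration.

```python
import ipaddress
import re

# Packets 4-6 copied from the "sh capture" output quoted in the thread.
CAPTURE = """\
4: 12:18:17.531314 10.20.30.42 > 239.1.2.3: icmp: echo request
5: 12:18:17.531405 10.20.30.42 > 239.1.2.3: icmp: echo request
6: 12:18:17.532305 10.20.30.41 > 10.20.30.42: icmp: echo reply
"""
# Constructed control case (not from the thread): a unicast ping from r2 to r1.
CONTROL = """\
1: 12:30:00.000001 10.20.30.42 > 10.20.30.41: icmp: echo request
2: 12:30:00.000900 10.20.30.41 > 10.20.30.42: icmp: echo reply
"""
LINE = re.compile(r"\s*(\d+): \S+ (\S+) > (\S+): icmp: echo (request|reply)")


def parse(capture):
    """Return (packet_no, src, dst, kind) for every ICMP echo line."""
    return [(int(m[1]), m[2], m[3], m[4])
            for m in map(LINE.match, capture.splitlines()) if m]


def inspect(packets):
    """Assumed rule: a reply passes only if it mirrors a tracked request."""
    sessions = set()   # (requester, requested address)
    verdicts = []
    for no, src, dst, kind in packets:
        if kind == "request":
            sessions.add((src, dst))
            verdicts.append((no, "pass", "session %s -> %s" % (src, dst)))
        elif (dst, src) in sessions:
            verdicts.append((no, "pass", "reply mirrors session"))
        else:
            # Explain the miss: did the requester ping a multicast group?
            groups = [d for s, d in sorted(sessions)
                      if s == dst and ipaddress.ip_address(d).is_multicast]
            why = ("reply from %s, session expects %s" % (src, groups[0])
                   if groups else "no session for this reply")
            verdicts.append((no, "drop", why))
    return verdicts


if __name__ == "__main__":
    for name, cap in (("thread capture", CAPTURE), ("control", CONTROL)):
        print(name)
        for verdict in inspect(parse(cap)):
            print("  %d: %s (%s)" % verdict)
```
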
