Thanks, Kings
From: Kingsley Charles [mailto:[email protected]]
Sent: 08 September 2010 01:20 PM
To: Johan Bornman
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Multicast traffic across Transparent firewall

When R2 sends an ICMP request to 239.1.2.3:
Src IP = 10.20.30.42
Dest IP = 239.1.2.3

When R1 replies:
Src IP = 10.20.30.41
Dest IP = 10.20.30.42

The request was sent to a multicast address but the reply is being unicast. The reply doesn't match the request session and hence the ASA drops the reply. Hence we need to allow ICMP using ACLs, not using ICMP inspect.

With regards
Kings

On Wed, Sep 8, 2010 at 2:32 PM, Johan Bornman <[email protected]> wrote:

Kings,

What does "inspection" do to the packet?

Johan

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: 08 September 2010 10:33 AM
To: [email protected]
Subject: Re: [OSL | CCIE_Security] Multicast traffic across Transparent firewall

Got the problem. I had the ICMP inspection enabled. Since the reply was unicast back to r2, the inspection caused the response to be dropped. Disabling the ICMP inspection solved the issue.

With regards
Kings

On Wed, Sep 8, 2010 at 12:51 PM, Kingsley Charles <[email protected]> wrote:

Hi all

I am trying to send multicast traffic across the ASA in transparent mode.

r1 10.20.30.41 ----------- asa ----------------- 10.20.30.42 r2
                        10.20.30.47

r1
==
int f0/0
 ip igmp join-group 239.1.2.3

ASA
===
access-list inbound permit ip any host 239.1.2.3
access-list outbound permit ip any any
access-group inbound in interface outside
access-group outbound in interface inside

When I ping 239.1.2.3 from r2, I see the counters incremented in the access-list and also the packet capture shows that R1 replies to the multicast packet. But I don't see replies on R1. Even if the capture on the ASA shows the response from R1, I think it is being dropped by the ASA. Any thoughts?

asa1(config)# sh capture mut
1325 packets captured
   1: 12:18:14.311492 802.3 encap packet
   2: 12:18:16.316267 802.3 encap packet
   3: 12:18:16.316283 802.3 encap packet
   4: 12:18:17.531314 10.20.30.42 > 239.1.2.3: icmp: echo request
   5: 12:18:17.531405 10.20.30.42 > 239.1.2.3: icmp: echo request
   6: 12:18:17.532305 10.20.30.41 > 10.20.30.42: icmp: echo reply
   7: 12:18:18.320967 802.3 encap packet
   8: 12:18:18.320982 802.3 encap packet
   9: 12:18:20.325865 802.3 encap packet
  10: 12:18:20.325880 802.3 encap packet
  11: 12:18:20.616987 001b.d585.7889 001b.d585.7889 0x9000 60:

With regards
Kings
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
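As an added illustration of the drop described in the thread (this is not code from the thread or from Cisco), the following Python models the ASA's ICMP inspection as a session table keyed on (requester, target, ICMP identifier) next to a stateless ACL match. The session key and the identifier values are assumptions made for illustration; the addresses are the ones from the capture above.

```python
from dataclasses import dataclass

ECHO_REQUEST, ECHO_REPLY = 8, 0


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    icmp_type: int
    ident: int  # ICMP identifier; constructed, the capture does not show it


class IcmpInspector:
    """Stateful check: a reply passes only if it mirrors a request in the table."""

    def __init__(self):
        self.sessions = set()  # (requester, target, identifier)

    def check(self, pkt):
        if pkt.icmp_type == ECHO_REQUEST:
            self.sessions.add((pkt.src, pkt.dst, pkt.ident))
            return "permit"
        if pkt.icmp_type == ECHO_REPLY:
            # Reply source must equal request target; 10.20.30.41 != 239.1.2.3
            key = (pkt.dst, pkt.src, pkt.ident)
            if key in self.sessions:
                self.sessions.discard(key)
                return "permit"
            return "drop: no matching session"
        return "drop: unexpected type"


def acl_check(pkt, rules):
    """Stateless check: first matching (src, dst) rule wins, 'any' matches all."""
    for action, src, dst in rules:
        if src in ("any", pkt.src) and dst in ("any", pkt.dst):
            return action
    return "deny"  # implicit deny at the end of every ACL


def inspect_flow(request, reply):
    insp = IcmpInspector()
    insp.check(request)
    return insp.check(reply)


# Flows reconstructed from the thread's capture (identifiers are constructed).
MCAST_REQUEST = Icmp("10.20.30.42", "239.1.2.3", ECHO_REQUEST, 7)
MCAST_REPLY = Icmp("10.20.30.41", "10.20.30.42", ECHO_REPLY, 7)
UNICAST_REQUEST = Icmp("10.20.30.42", "10.20.30.41", ECHO_REQUEST, 8)
UNICAST_REPLY = Icmp("10.20.30.41", "10.20.30.42", ECHO_REPLY, 8)
OUTBOUND_ACL = [("permit", "any", "any")]  # access-list outbound permit ip any any
```

`inspect_flow(MCAST_REQUEST, MCAST_REPLY)` returns the drop while the same unicast exchange is permitted, and `acl_check(MCAST_REPLY, OUTBOUND_ACL)` shows why the plain ACL lets the reply through once inspection is off.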
