Need help with routing Multicasting thru ASA firewall

Status
Not open for further replies.

rottie89

Technical User
Sep 17, 2010
2
US
Hello,

I am trying to run multicast through a Cisco ASA 5500 firewall with a 3640 on the inside network & a 3640 on the outside & unable to do so. The physical setup is:

InsideRTR 10.0.0.2 (FE0/0)---------------->(E0)10.0.0.1 InsideASA------OutsideASA 172.16.1.1(E1)----------------------------->(FE0/0) 172.16.1.2 OutsideRTR 192.168.1.1(FE1/0)------------------->192.168.1.2 FarOutside Router

Inside RTR = R1
ASA = ASA
Outside RTR = R2
Far Outside RTR = R3

I have used the R2 router as my RP & I am sending pings to multicast address from both the R3 & R2 router & have R1 use an "IGMP join-group 224.1.2.3" from its FE0/0 interface. It is unsuccessful. If I send pings to 224.1.2.3 from R3 & use "IGMP join-group 224.1.2.3" from the FE1/0 interface on R2 it does work & I get a ping response back on R3.

The configs look like this:

ASA:

!
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
multicast-routing
names
!
interface Ethernet0
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Ethernet1
nameif outside
security-level 0
ip address 172.16.1.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
pim rp-address 172.16.1.2
ftp mode passive
access-list outside_access_inbound extended permit icmp any any echo-reply
access-list outside_access_inbound extended permit icmp any any time-exceeded
access-list outside_access_inbound extended permit icmp any any unreachable
access-list outside_access_inbound extended permit icmp any any echo
access-list outside_access_inbound extended permit ip any host 224.1.2.3
access-list outside_access_inbound extended deny ip any any
pager lines 24
logging monitor debugging
logging buffered debugging
logging trap debugging
mtu inside 1500
mtu outside 1500
mroute 192.168.1.2 255.255.255.255 outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
no threat-detection statistics tcp-intercept
access-group outside_access_inbound in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
!


ASA# sh mroute
No mroute entries found.
ASA#
ASA# sh pim neighbor

Neighbor Address  Interface  Uptime    Expires   DR pri  Bidir

172.16.1.2        outside    00:45:31  00:01:39  1 (DR)
10.0.0.2          inside     00:45:31  00:01:38  1 (DR)


This is being run on a virtual network (GNS3), & I have been trying to make this work for a couple weeks. Any help would be greatly appreciated!!!!

Thanks!!

Rottie89

 
I highly doubt you are going to get multicast working properly in a virtual environment.
 
Hi Brianinms,

Thanks for your response. With that being said, would this be a legitimate configuration on a real network?
 