ASA Firepower 1010 passing multicast traffic between 2 inside ports

My problem is traffic broadcast from 2 Microsoft Windows PCs, one connected to port 1/2 and another connected to port 1/4.
The Windows application communicates using these IPs: 224.0.0.22 (IGMPv3) and 225.0.3.15:5602 (UDP), and these packets do not pass between these 2 inside interfaces.

How do I get these packets traversing between the 2 inside ports? I don't need to go outside the firewall, just between these 2 interfaces. Thanks.

ASA 1010 ver 9.19.1,

multicast-routing
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

interface Ethernet1/1
 no switchport
 nameif outside
 security-level 50
 ip address 10.0.100.153

interface Ethernet1/2
 no switchport
 bridge-group 1
 nameif inside_port2
 security-level 100

interface Ethernet1/4
 no switchport
 bridge-group 1
 nameif inside_port4
 security-level 100

3 Replies

balaji.bandi
Hall of Fame

Can I see all of the ASA config?

Thanks for the reply.
I'm trying to get the ASA config over to you sanitized, from a highly secured network over to the low side, aka the internet.

More background follows; if that is not enough, I'll try to get the config over to you.

I used the 5506-A and moved to the 1010. Both are being used as a static NAT tool, nothing more, and are very underutilized. I need to take 25 IPs, 10.10.10.141..., and NAT them to 167.0.1.141..., as an example.

The way the 5506-A is configured, inside IPs are NATed to the outside using objects. I realize now the 5506-A is set up as a switchport, which is why the 2 Windows computers can communicate over 2 ports, i.e. 1/2 and 1/4. Multicast, SMB2 protocols, IPs 225.0.3.15:5602 and 224.0.0.22. I have 2 separate Cisco routers/switches that are connected to the ASA. This all works.

On the 1010 it does not, using the same network connections.
I started with the overall no switchport setup on Ethernet 1/1, 1/2, 1/4.
With the correct setup using no switchport I should be able to get the 2 Windows machines talking over the 1/2 and 1/4 ports. If not, then I'll start with a switchport setup on 1/2, 1/4....

no switchport setup
Outside 1/1 Inside 1/2 bridge-group 1, 1/4 bridge-group 1

no switchport,
multicast-routing
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list INSIDE_IGMP extended permit igmp any any
tried all kinds of access-list group-policy rules
examples
access-list INSIDE_IGMP_2_4 extended permit igmp interface inside_port2 interface inside_port4
access-list MULTICAST_224_225 standard permit any4
group-policy INSIDE_IGMP_2_4 internal
group-policy INSIDE_224_225 internal


Any thoughts? Thanks, Cal
I'm not concerned about multicast 224 and 225 IPs going through the firewall, only port to port like 1/2, 1/4....

Do you see a way to use no switchport on the ports, or do I need to start with switchport and turn the