Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1515
Views
15
Helpful
10
Replies

ASA Multicast Inside to Outside to 3850 Switch Help

hoandsons
Level 1
Level 1

‎10-28-2017 10:54 PM - edited ‎02-21-2020 10:37 AM

Hi All,

 

Any help would be much appreicated!

======================================

ASA Version 8.4(4)1

multicast-routing

interface GigabitEthernet0/0
description OUTSIDE
nameif OUTSIDE
security-level 0
ip address 192.168.255.250 255.255.255.252
igmp static-group 239.190.70.10

!

interface GigabitEthernet0/3
nameif INSIDE
security-level 100
ip address 192.168.100.1 255.255.255.0
igmp join-group 239.190.70.10

interface GigabitEthernet0/1
nameif INSIDE2
security-level 100
ip address 192.168.101.1 255.255.255.0

!

route OUTSIDE 0.0.0.0 0.0.0.0 192.168.255.249

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Cisco 3850
version 15.2

ip routing
ip multicast-routing

interface GigabitEthernet1/1/4
description TO CISCO ASA
no switchport
ip address 192.168.255.249 255.255.255.252
ip pim sparse-mode
!

vlan 100
name MGMT

interface Vlan100
description MGMT
ip address 192.168.0.1 255.255.255.0
ip pim sparse-mode

!
ip pim rp-address 192.168.255.249

ip route 192.168.100.0 255.255.255.0 192.168.255.250
ip route 192.168.101.0 255.255.255.0 192.168.255.250

=====================================================
MULTICAST SOURCE 192.168.100.252 /24

MULTICAST DESTINATION 239.190.70.10

Multicast can be received on receiver on 192.168.101.0/24

Multicast cannot be received on 3850 on VLAN 100.

Multicast looks to be sending to GigabitEthernet1/1/4 (counters for multicast increasing however it stops there).

Can you anyone please help so that multicast can be sent from inside of ASA to outside to a receiver off the 3850 switch?

 

 

 

Labels:
0 Helpful
10 Replies 10

Flavio Miranda
VIP
VIP

‎10-29-2017 08:21 AM - edited ‎10-29-2017 08:48 AM

Hello @hoandsons

I'm trying to understand your setup. Do you have a default route from asa to switch and static router from switch to asa?

 

 

-If I helped you somehow, please, rate it as useful.-

 

hoandsons
Level 1
Level 1
In response to Flavio Miranda

‎10-29-2017 04:15 PM

Hi,

 

There is a default route from ASA to Switch via

!ASA CONFIG

route OUTSIDE 0.0.0.0 0.0.0.0 192.168.255.249

!SWITCH CONFIG

ip route 192.168.100.0 255.255.255.0 192.168.255.250
ip route 192.168.101.0 255.255.255.0 192.168.255.250

 

There are static routes from switch to ASA for both inside interfaces.

 

Cheers

 

0 Helpful

Flavio Miranda
VIP
VIP
In response to hoandsons

‎10-29-2017 04:21 PM

But which is the idea? Packets will be sent from asa to switch through the default route and then they are routed back to asa  through static routes.

Is that what want? Don't make sense to me.

hoandsons
Level 1
Level 1
In response to Flavio Miranda

‎10-30-2017 05:24 AM

Hi,

For example, a host on the inside interface has an IP address of 192.168.100.100 is sending a multicast stream to 239.190.70.10.

The ASA has a default route up to the switch which has multiple VLANs and is routing between them. I only mention one VLAN 100 on the switch but this switch has multiple VLANs. This switch is connected to another router to get to the internet but isnt mentioned here because I thought it was irrelevant. That is why is static routes for particular inside networks off the asa pointing to the asa because this switch as a default route another router to get to the internet.

A host on VLAN 100 with IP address 192.168.0.100 wants to receive this multicast stream is hanging off the switch.

Basically, I would like to find out why I cant get multicast from inside interface on asa to a host on VLAN 100 on the 3850 switch.

Cheers
0 Helpful

Flavio Miranda
VIP
VIP
In response to hoandsons

‎10-30-2017 05:38 AM

Alrghit, that´s make sense. However, unless I am still missing something the Interface vlan 100 must be down on the switch. Can you run the command "show ip int br" on the switch please and share with me?

 

 

 

-If I helped you somehow, please, rate it as useful.-

hoandsons
Level 1
Level 1
In response to Flavio Miranda

‎10-30-2017 07:08 AM

Hi,

Yes you are right, sorry I forgot to mention that there is a interface on that vlan eg:

interface Gi1/0/1
description multicast receiver
switchport access vlan 100
switchport mode access
switchport
no shut

Please note that I can ping between source and destination.
0 Helpful

Flavio Miranda
VIP
VIP
In response to hoandsons

‎10-30-2017 08:05 AM

Now looks to me that ASA may be filtering multicast traffic. 

Did you applied any permission. As far as I can tell, multicast is not permit by default through firewall.

 

 

-If I helped you somehow, please, rate it as useful.-

0 Helpful

hoandsons
Level 1
Level 1
In response to Flavio Miranda

‎11-01-2017 04:32 AM

Hi,

 

I have applied ip any any ACLS and igmp any any on all interfaces just for testing.

 

Cheers

 

 

0 Helpful

Flavio Miranda
VIP
VIP
In response to hoandsons

‎11-01-2017 04:40 AM

humm....dont think so. Multicast requires more than ACL. 

Take a look here  and here.

 

 

 

 

-If I helped you somehow, please, rate it as useful.-

0 Helpful

Mykitchen
Level 1
Level 1

‎11-07-2017 01:50 PM

 
Preview file
83 KB
Preview file
82 KB
0 Helpful
Customers Also Viewed These Support Documents