
Multicast Routing with ASA5545 running ASA version 9.6

ji.bala93
Level 1

Hello All,

I need assistance in configuring Multicast Routing in ASA Firewall. Below are the networks configured in ASA.

ASA Version 9.6(3)1
!
hostname SLAN-FW
enable password hyGr3et4sA6RMg7j encrypted
passwd hyGr3et4sA6RMg7j encrypted
multicast-routing
names

!
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/0.2
vlan 2
nameif MGMT
security-level 100
ip address 10.239.4.1 255.255.255.128
!
interface GigabitEthernet0/0.11
vlan 11
nameif SCCTV
security-level 100
ip address 10.239.0.1 255.255.252.0
no pim
!
interface GigabitEthernet0/0.12
vlan 12
nameif ACS
security-level 100
ip address 10.239.5.1 255.255.255.0
no pim
!
interface GigabitEthernet0/0.16
vlan 16
nameif IDS
security-level 100
ip address 10.239.6.1 255.255.255.128
!

 

 

I have created ACLs for the interfaces:

 

access-list Outside_access_in extended permit ip object Loopback-outside 10.239.0.0 255.255.252.0
access-list Outside_access_in extended permit ip object Existing-Client 10.239.0.0 255.255.252.0
access-list Outside_access_in extended permit icmp object Existing-Client 10.239.0.0 255.255.252.0
access-list SCCTV_access_out_1 extended permit ip 10.239.5.0 255.255.255.0 10.239.0.0 255.255.252.0
access-list SCCTV_access_out_1 extended permit ip 10.239.6.128 255.255.255.128 10.239.0.0 255.255.252.0
access-list ACS_access_in extended permit ip object ACS-network object SCCTV-network
access-list ACS_access_out_1 extended permit ip object SCCTV-network object ACS-network
access-list SCCTV_access_in_2 extended permit ip 10.239.0.0 255.255.252.0 10.239.5.0 255.255.255.0
access-list SCCTV_access_in_2 extended permit ip 10.239.0.0 255.255.252.0 10.239.6.128 255.255.255.128
access-list SCCTV_access_in_2 extended permit ip object Multicast any
access-list ACS_access_out extended permit ip 10.239.0.0 255.255.252.0 10.239.5.0 255.255.255.0
access-list ACS_access_out extended permit ip 10.239.6.0 255.255.255.128 10.239.5.0 255.255.255.0
access-list ACS_access_out extended permit ip 10.239.6.128 255.255.255.128 10.239.5.0 255.255.255.0
access-list ACS_access_in_1 extended permit ip 10.239.5.0 255.255.255.0 10.239.0.0 255.255.252.0
access-list ACS_access_in_1 extended permit ip 10.239.5.0 255.255.255.0 10.239.6.0 255.255.255.128
access-list ACS_access_in_1 extended permit ip 10.239.5.0 255.255.255.0 10.239.6.128 255.255.255.128
access-list IDS_access_out extended permit ip 10.239.5.0 255.255.255.0 10.239.6.0 255.255.255.128
access-list INTERCOM_access_out extended permit ip 10.239.5.0 255.255.255.0 10.239.6.128 255.255.255.128
access-list INTERCOM_access_out extended permit ip 10.239.0.0 255.255.252.0 10.239.6.128 255.255.255.128
access-list INTERCOM_access_in extended permit ip 10.239.6.128 255.255.255.128 10.239.5.0 255.255.255.0
access-list INTERCOM_access_in extended permit ip 10.239.6.128 255.255.255.128 10.239.0.0 255.255.252.0
access-list IDS_access_in_1 extended permit ip 10.239.6.0 255.255.255.128 10.239.5.0 255.255.255.0

 

Now the SCCTV interface, which has the multicast source, needs to be routed to the ACS interface.

As it looks similar to inter-VLAN routing, where do I enable PIM sparse-dense mode?

 

Kindly advise where to start from.

 

Thank you

Balaji Kannan

 

1 Reply

Giuseppe Larosa
Hall of Fame

Hello Balaji,

>> As it looks similar to inter-VLAN routing, where do I enable PIM sparse-dense mode?

 

You need to enable

ip multicast-routing

 

Edit: you have multicast-routing configured; this should be fine for ASA.

 

in global config and then ip pim sparse-dense mode on all interfaces where a source or potential receivers connect to.

Edit: the pim command in interface mode

 

When enabling PIM on an interface, you are also enabling IGMP version 2, which deals with hosts and handles receivers' requests.

PIM is required to perform multicast routing on interfaces to other multicast-enabled L3 devices like routers or multilayer switches.

 

Note:

You may need to modify your ACLs to allow multicast traffic to flow.

 

Firewalls are not used for multicast routing in most scenarios.

 

Hope to help

Giuseppe
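
An added example, not part of the original posts: a Python check over a constructed excerpt of the posted configuration that reports which named interfaces have PIM active and whether each ACL's `permit ip` entries can match a destination in 224.0.0.0/4. It assumes the ASA default that `multicast-routing` enables PIM on every interface unless `no pim` is set; the function names are hypothetical, and ACL-to-interface bindings are not evaluated because the post does not show them.

```python
import ipaddress
import re

# Constructed sample: trimmed from the configuration posted in the question.
SAMPLE_CONFIG = """\
multicast-routing
interface GigabitEthernet0/0.2
 nameif MGMT
!
interface GigabitEthernet0/0.11
 nameif SCCTV
 no pim
!
interface GigabitEthernet0/0.12
 nameif ACS
 no pim
!
access-list ACS_access_out extended permit ip 10.239.0.0 255.255.252.0 10.239.5.0 255.255.255.0
access-list SCCTV_access_in_2 extended permit ip object Multicast any
"""
MULTICAST = ipaddress.ip_network("224.0.0.0/4")

def pim_status(config):
    """Map each named interface to True when PIM is active on it."""
    status, globally_on = {}, bool(re.search(r"^multicast-routing\s*$", config, re.M))
    for block in re.split(r"^interface .*$", config, flags=re.M)[1:]:
        body = block.split("!")[0]  # an interface block ends at the next "!"
        if name := re.search(r"^\s*nameif (\S+)", body, re.M):
            status[name.group(1)] = globally_on and not re.search(r"^\s*no pim\s*$", body, re.M)
    return status

def take_addr(tok):  # consume one ACL address spec, return (network, rest)
    if tok[0] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] in ("object", "object-group"):
        return None, tok[2:]  # named object: its definition is not in the excerpt
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(tok[0] + "/" + tok[1]), tok[2:]

def acl_multicast_view(config):
    """Per ACL: can any 'permit ip' entry match a multicast destination?"""
    rank, view = {"no": 0, "unknown": 1, "yes": 2}, {}
    for m in re.finditer(r"^access-list (\S+) extended permit ip (.+)$", config, re.M):
        dst, _ = take_addr(take_addr(m.group(2).split())[1])
        verdict = "unknown" if dst is None else "yes" if dst.overlaps(MULTICAST) else "no"
        view[m.group(1)] = max(view.get(m.group(1), "no"), verdict, key=rank.get)
    return view

print(pim_status(SAMPLE_CONFIG), acl_multicast_view(SAMPLE_CONFIG))
```

On the sample, SCCTV and ACS come back with PIM off because of their `no pim` lines, and `ACS_access_out` only permits unicast destinations in 10.239.5.0/24.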

 
