Consider the following basic topology:
When configured in multicast mode, MS NLB will use a 03xx.xxxx.xxxx multicast address outside of the IANA range.
Normally, when there is no FWSM in the path between the clients and the NLB servers, you configure the switch as described here:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080a07203.shtml
or here:
https://supportforums.cisco.com/thread/2052888
In short, you need to add static ARP entries to the switches that route into the NLB VLAN. This is necessary because the clients access the NLB cluster at its unicast IP address, which is tied to the multicast MAC, and Cisco devices do not accept an ARP reply for a unicast IP address that contains a multicast MAC address:
arp 172.16.63.241 <multicast MAC of the VIP> arpa
You also need to add static MAC entries (fa2/3 and fa2/4 are the switch ports the servers are connected to):
mac-address-table static <multicast MAC of the VIP> vlan 200 interface fa2/3 fa2/4
Now, consider the following topology, where we add a transparent FWSM bridging vlan 200 and 300:
If the NLB cluster is configured in multicast mode, the traffic going to the servers will be dropped by the FWSM, even though the switch is configured correctly. This is because the FWSM, when in bridged (transparent) mode, does not allow multicast MAC addresses outside of the IANA range through:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/fwmode_f.html#wp1222689
The solution is to configure the NLB cluster in multicast mode with IGMP support, so that the virtual MAC address of the NLB VIP falls in the IANA range 0100.5Exx.xxxx. Here is a link showing how to configure the NLB cluster accordingly:
http://support.microsoft.com/kb/323437/EN-US/
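The following Python sketch is an added example, not part of the original document or of any Cisco or Microsoft tooling. It derives the cluster MAC for a VIP in each NLB mode and checks it against the IANA range mentioned above. The derivation scheme (02-BF / 03-BF followed by the four IP octets, and 01-00-5E-7F followed by the last two octets for IGMP) is Microsoft's documented NLB convention and is an assumption not stated in this document; the function names are hypothetical. Always confirm the result against the MAC shown in NLB Manager.

```python
import ipaddress

def nlb_cluster_mac(vip: str, mode: str) -> bytes:
    """Derive the NLB cluster MAC for a VIP (assumed Microsoft convention)."""
    octets = ipaddress.IPv4Address(vip).packed
    if mode == "unicast":
        return bytes([0x02, 0xBF]) + octets
    if mode == "multicast":
        return bytes([0x03, 0xBF]) + octets
    if mode == "igmp":
        # IGMP multicast mode: fixed 01-00-5E-7F prefix + last two IP octets
        return bytes([0x01, 0x00, 0x5E, 0x7F]) + octets[2:]
    raise ValueError("mode must be 'unicast', 'multicast' or 'igmp'")

def cisco_format(mac: bytes) -> str:
    """Render a 6-byte MAC in Cisco dotted notation (xxxx.xxxx.xxxx)."""
    h = mac.hex()
    return ".".join(h[i:i + 4] for i in (0, 4, 8))

def is_multicast(mac: bytes) -> bool:
    """The group bit is the least significant bit of the first octet."""
    return bool(mac[0] & 0x01)

def in_iana_range(mac: bytes) -> bool:
    """True if the MAC matches the 0100.5Exx.xxxx pattern given in the text."""
    return mac[:3] == b"\x01\x00\x5e"

def dropped_by_transparent_fwsm(mac: bytes) -> bool:
    """Model of the behaviour described above: a bridged FWSM drops
    frames sent to multicast MACs that fall outside the IANA range."""
    return is_multicast(mac) and not in_iana_range(mac)

if __name__ == "__main__":
    vip = "172.16.63.241"  # VIP used in the static ARP entry above
    for mode in ("multicast", "igmp"):
        mac = nlb_cluster_mac(vip, mode)
        verdict = "dropped" if dropped_by_transparent_fwsm(mac) else "passed"
        print(f"{mode:9} {cisco_format(mac)}  {verdict} by transparent FWSM")
```

The dotted value it prints is in the form expected in place of `<multicast MAC of the VIP>` in the `arp` and `mac-address-table static` commands.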