Tuesday, July 6, 2021

Multicast routing assistance

Without jumping into tons of details and making this post super long, are there any gotchas to know about with multicast routing and an ASA? I think I've set it up correctly as I can stream from a receiver on the "inside" trusted network of the ASA without issue from a source "outside" on the untrusted network (the RP is also on the outside network of the ASA), but the reverse is not true. If the source is on the inside of the ASA, I can see multicast traffic on the client which is outside of the ASA, but nothing ever shows up on the screen. In other words, there's no audio/video, or maybe occasionally you'll hear a blip of sound. It seems the stream is being found, but the data isn't making it there correctly or something.

To be brief, we've set "ip pim sparse-mode" on all interfaces between client and server including the RP, multicast routing is set on all multilayer switches (Cisco), and multicast routing has been set on the ASA as well. The "pim rp-address" is set to the RP IP address on the outside of the ASA on all switches and the ASA itself.

PAT is used for the clients on the inside network of the ASA outbound, so private network addresses are not exposed outside, and the outside router does not have routes to the private IP space of the inside network, even though they do not overlap. The public PAT IP addresses are set as static routes pointing to the outside firewall interface from the next-hop multilayer switch, which allows for the communication between the two networks.

Things I've tried so far - no-NATing the inside PIM router IP address destined for the RP and allowing PIM from this router IP address to the RP on the outside_access_out access list (it gets hit, but I don't know if it's a bidirectional communication, and if it is supposed to be, it's probably failing because of the lack of routes on the outside PIM router).

I'm not sure if NAT is screwing stuff up here somehow, but I don't know what would be needed to keep NAT from interfering with just the multicast traffic if so. I've noticed that if NAT is disabled, and routes are added between the outside switch to our internal networks, then multicast works in this direction, but it's not something possible in the real setup.

I'm sure I might be missing some helpful details; let me know and I'll try to fill in the missing details.
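For readers trying to reproduce or check a setup like the one described, here is a constructed configuration skeleton and the verification commands that go with it. It is an added example, not the poster's configuration: all addresses (10.10.10.0/24 source VLAN, 10.20.20.0/24 ASA inside link, 203.0.113.0/24 outside, RP at 203.0.113.10) and object names (INSIDE-NETS, INSIDE-PIM-DR, RP) are assumptions, and the twice-NAT exemption at the end is one way to express the "no-NAT the inside PIM router toward the RP" attempt mentioned above. The `show ip rpf` check on the outside router is the one most worth running for a source-inside, receiver-outside stream: PIM builds (S,G) state toward the source's real address, and a private source address that the outside routers cannot route to is a likely point of failure even when the unicast PIM Register traffic itself gets through.

```text
! ===== Inside multilayer switch (first-hop router / DR for the source) =====
! Some Catalyst platforms require "ip multicast-routing distributed" instead.
ip multicast-routing
! Static RP, as in the post: RP lives on the outside of the ASA (assumed address).
ip pim rp-address 203.0.113.10
!
interface Vlan10
 description multicast source VLAN (inside)
 ip address 10.10.10.1 255.255.255.0
 ip pim sparse-mode
!
interface Vlan20
 description uplink toward ASA inside interface
 ip address 10.20.20.1 255.255.255.0
 ip pim sparse-mode

! ===== ASA =====
multicast-routing
pim rp-address 203.0.113.10
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.20.20.2 255.255.255.0
 ! PIM is on by default once multicast-routing is enabled; "no pim" would disable it.
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Outbound PAT for the inside networks, as described in the post.
object network INSIDE-NETS
 subnet 10.0.0.0 255.0.0.0
 nat (inside,outside) dynamic interface
!
! Assumed twice-NAT exemption: unicast PIM traffic from the inside DR to the RP
! keeps its real source address instead of being PATed. Twice-NAT rules are
! evaluated before the object NAT rule above.
object network INSIDE-PIM-DR
 host 10.20.20.1
object network RP
 host 203.0.113.10
nat (inside,outside) source static INSIDE-PIM-DR INSIDE-PIM-DR destination static RP RP
!
! Outside ACL entry permitting PIM from the RP back to the inside DR (assumed ACL name).
access-list outside_access_in extended permit pim host 203.0.113.10 host 10.20.20.1

! ===== Verification (assumed group 239.1.1.1, assumed source 10.10.10.5) =====
! Inside switch: PIM adjacency with the ASA, RP mapping, and (S,G) state for the source.
show ip pim neighbor
show ip pim rp mapping
show ip mroute 239.1.1.1
!
! ASA: neighbors on both sides, mroute table, and whether the ASA sees the source.
show pim neighbor
show mroute 239.1.1.1
show pim topology 239.1.1.1
!
! Outside router / RP: the RPF check toward the inside source's real address.
! "RPF information for ? (10.10.10.5) failed, no route exists" means the (S,G)
! join cannot be sent toward the source; expect a brief burst and then nothing.
show ip rpf 10.10.10.5
show ip mroute 239.1.1.1
```

The `show` commands are read-only and can be run on a production box; the NAT and ACL lines are only illustrative of the shape such an exemption takes and should be adapted to the real object names and addresses before use.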
