Multicasts with PIX506e

Unanswered Question
Jul 29th, 2008

I need help temporarily setting up my PIXs at my remote sites to allow multicasts through. Basically, here's what I need:


I am using Altiris Deployment Console for HP Thin Clients, and all thin clients are set up to find the deployment console server through multicasts; once a client finds it, it remembers and configures itself with the IP address for the server.


I could remote into every thin client and manually set the IP for the server, although with over 250 thin clients that's a little crazy.


So if I can temporarily set up multicast at all remote sites, then they will be able to multicast back here, find the server and auto-set the IP. Once the IP is auto-set I can turn off multicasting.


Thanks.

Giuseppe Larosa Tue, 07/29/2008 - 08:03
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame, Founding Member

Hello Jonathan,


Have a look at the following link for 6.3 code, which describes stub multicast routing:


http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/bafwcfg.html#wp1170913


This can be done in a different way in later code versions, so check what version you have.


Hope to help

Giuseppe

readymixed1 Tue, 07/29/2008 - 08:32

Is this what I put in?


mroute 1.1.1.1 255.255.255.255 inside 225.1.2.3 255.255.255.255 outside


Basically saying all traffic from inside goes outside to the remote network.


And I checked the thin clients and they are using 225.1.2.3 for multicasting address.

Giuseppe Larosa Tue, 07/29/2008 - 09:06
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame, Founding Member

Hello,


From the document, an example:


mroute is good on a router; I don't know for PIX. What version is your PIX?


Please do a sh ver and post it here.


Controlled multicast:

multicast interface outside
igmp access-group 1
multicast interface inside
igmp forward interface outside
igmp access-group 1
multicast interface dmz
igmp forward interface outside
igmp access-group 1
! The following permits igmp messages to 225.2.1.0/25 network
access-list 1 permit igmp any 225.2.1.0 255.255.255.128
access-list 1 deny ip any any


Hope to help

Giuseppe


Giuseppe Larosa Tue, 07/29/2008 - 09:23
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame, Founding Member

Hello,

OK, so the link I've provided is good for you.


Read it, start from the previous example and change it as needed.


Hope to help

Giuseppe

readymixed1 Tue, 07/29/2008 - 09:24

So I can't do the mroute 1.1.1.1 255.255.255.255 inside command?

readymixed1 Tue, 07/29/2008 - 10:21

I read the link that was provided to me earlier. The igmp part of it seems to be for when the clients need to accept a multicast. The clients don't; the clients are the ones sending the multicasts out to the deployment server, and once they find the server that way they change the address from the multicast address to the server address. So since the clients are sending the multicasts out, I need to use the mroute command, right? I tried the mroute and it didn't work. It all entered in right, but the thin client couldn't find the server using multicast.

readymixed1 Tue, 07/29/2008 - 10:56

I tried this:


multicast interface outside
igmp access-group 1
multicast interface inside
igmp forward interface outside
igmp access-group 1
access-list 100 permit udp 225.1.2.0 255.255.255.128
access-list 100 in interface outside
access-list 1 permit igmp any 225.1.2.0 255.255.255.128


Didn't work, and it wouldn't accept the two commands relating to access-list 100.



Giuseppe Larosa Tue, 07/29/2008 - 12:09
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame, Founding Member

Hello Jonathan,


OK, the same document explains what you need: mroute + multicast interface.


Step 1 Enable multicast forwarding on each PIX Firewall interface by entering the following command:

multicast interface interface-name

mroute src smask in-if-name dst dmask out-if-name

• Replace src and smask with the IP address and subnet mask of the multicast source.
• Replace in-if-name with the name of the PIX Firewall interface connected to the multicast source. This is typically the inside (or more secure) interface.
• Replace dst and dmask with the Class D address and subnet mask for the multicast transmission from the source.
• Replace out-if-name with the name of the PIX Firewall interface connected to the next-hop router interface toward the hosts registered to receive the transmission. This is typically the outside (or less secure) interface.



P.S. Your access-list 100 has syntax errors.


Sorry for misunderstanding your needs.


Hope to help

Giuseppe
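The two steps quoted above, assembled into one configuration for the thin-client case in this thread (senders on the inside, group 225.1.2.3, forwarded out the outside interface). This is an added example, not configuration posted by either participant; the thin-client subnet 10.20.30.0/24 and the interface names are placeholders, and the verification command at the end is an assumption about 6.3 code, not taken from the quoted document.

```cisco
! Added example: stub multicast forwarding for thin clients that send to
! 225.1.2.3 from the inside network. Placeholder values: 10.20.30.0/24 is
! the thin-client subnet; interface names "inside" and "outside" are assumed.
!
! Step 1: declare every interface that carries the multicast traffic as a
! multicast interface (the in-if-name and the out-if-name used by mroute).
multicast interface inside
multicast interface outside
!
! mroute src smask in-if-name dst dmask out-if-name
! src/smask must cover every sender. A host mask (255.255.255.255), as in
! the "mroute 1.1.1.1 255.255.255.255 ..." attempt earlier in the thread,
! matches exactly one sending host, so one entry per subnet is needed when
! 250 thin clients are the sources. dst/dmask is the single group 225.1.2.3.
mroute 10.20.30.0 255.255.255.0 inside 225.1.2.3 255.255.255.255 outside
!
! Assumed verification command (not in the quoted document): confirm the
! multicast route is installed before testing from a thin client.
! show mroute
```

If the remote sites use different thin-client subnets, each site's PIX gets its own mroute line with that site's subnet as src/smask; the multicast interface declarations stay the same.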

readymixed1 Tue, 07/29/2008 - 12:39

Like I said before, I tried the mroute commands; they didn't work.


Well, the access-list 100 commands came straight from the link you provided.

Giuseppe Larosa Tue, 07/29/2008 - 12:46
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame, Founding Member



To complete the solution, you need to declare your interfaces as multicast interfaces.


Please read the previous messages more carefully.


I'm going to sleep now.


Good luck


Bye

Giuseppe


readymixed1 Tue, 07/29/2008 - 12:47

Go back to sleep then, 'cause you need to read the previous messages more carefully, because I did declare the interfaces as multicast interfaces.
