Multicasts with PIX506e

readymixed1
Level 1

I need help temporarily allowing multicasts through my PIXs at my remote sites. Basically here's what I need:

I am using Altiris Deployment Console for HP Thin Clients, and all thin clients are set up to find the deployment console server through multicasts. Once a client finds it, it remembers and configures itself with the IP address for the server.

I could remote into every thin client and manually set the IP for the server, although with over 250 thin clients that's a little crazy.

So if I can temporarily set up multicast at all remote sites, then it will be able to multicast back here, find the server and auto set the IP. Once it auto sets the IP I can turn off multicasting.

Thanks.

Giuseppe Larosa
Hall of Fame

Hello Jonathan,

Have a look at the following link for 6.3 code, which describes stub multicast routing:

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/bafwcfg.html#wp1170913

This can be done in a different way in later code versions, so check what version you have.

Hope to help

Giuseppe

is this what I put in?

mroute 1.1.1.1 255.255.255.255 inside 225.1.2.3 255.255.255.255 outside

basically saying all traffic from inside goes outside remote network.

And I checked the thin clients and they are using 225.1.2.3 for multicasting address.

Hello,

an example from the document is below.

mroute is good on a router; I don't know about PIX. What version is your PIX?

Please do a sh ver and post it here.

Controlled multicast:

    multicast interface outside
    igmp access-group 1
    multicast interface inside
    igmp forward interface outside
    igmp access-group 1
    multicast interface dmz
    igmp forward interface outside
    igmp access-group 1
    ! The following permits igmp messages to 225.2.1.0/25 network
    access-list 1 permit igmp any 225.2.1.0 255.255.255.128
    access-list 1 deny ip any any

Hope to help

Giuseppe

6.3.5 is my ver

Hello,

ok so the link I've provided is good for you

read it and start from the previous example and change it as needed

Hope to help

Giuseppe

So I can't do the mroute 1.1.1.1 255.255.255.255 inside command?

I read the link that you provided to me earlier. The igmp part of it seems to be for when the clients need to accept a multicast. The clients don't; the clients are the ones sending the multicasts out to the deployment server. Once they find the server that way, they change the address from the multicast address to the server address. So since the clients are sending the multicasts out, I need to use the mroute command, right? I tried the mroute and it didn't work. It all entered in right, but the thin client couldn't find the server using multicast.

I tried this:

    multicast interface outside
    igmp access-group 1
    multicast interface inside
    igmp forward interface outside
    igmp access-group 1
    access-list 100 permit udp 225.1.2.0 255.255.255.128
    access-list 100 in interface outside
    access-list 1 permit igmp any 225.1.2.0 255.255.255.128

Didn't work, and it wouldn't accept the 2 commands relating to access-list 100.

Hello Jonathan,

OK, the same document explains what you need: mroute + multicast interface.

Step 1 Enable multicast forwarding on each PIX Firewall interface by entering the following command:

multicast interface interface-name

mroute src smask in-if-name dst dmask out-if-name

• Replace src and smask with the IP address and subnet mask of the multicast source.

• Replace in-if-name with the name of the PIX Firewall interface connected to the multicast source. This is typically the inside (or more secure) interface.

• Replace dst and dmask with the Class D address and subnet mask for the multicast transmission from the source.

• Replace out-if-name with the name of the PIX Firewall interface connected to the next-hop router interface toward the hosts registered to receive the transmission. This is typically the outside (or less secure) interface.

p.s. your access-list 100 has syntax errors

Sorry for the misunderstanding of your needs

Hope to help

Giuseppe
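
An added example, not part of the original thread or of Cisco's documentation: a small Python lint for the two requirements quoted above, namely a six-argument mroute whose dst is a Class D range, and a `multicast interface` statement for both interfaces the mroute names. The helper name and the sample configs are constructed for illustration, and the check only inspects config text; it says nothing about whether the path beyond the PIX carries multicast.

```python
import ipaddress
import re

CLASS_D = ipaddress.ip_network("224.0.0.0/4")
MCAST_IF = re.compile(r"^multicast interface\s+(\S+)$")

# Constructed sample: the mroute line from the thread, interfaces not declared.
SAMPLE_MISSING_IF = "mroute 1.1.1.1 255.255.255.255 inside 225.1.2.3 255.255.255.255 outside"
# Constructed sample: the same mroute with both interfaces declared.
SAMPLE_OK = """
multicast interface outside
multicast interface inside
mroute 1.1.1.1 255.255.255.255 inside 225.1.2.3 255.255.255.255 outside
"""


def check_stub_multicast(config):
    """Hypothetical helper: list problems with PIX 6.3-style mroute lines."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    declared = {m.group(1) for ln in lines if (m := MCAST_IF.match(ln))}
    problems = []
    for ln in lines:
        fields = ln.split()
        if fields[0] != "mroute":
            continue
        if len(fields) != 7:  # keyword + src smask in-if dst dmask out-if
            problems.append(f"malformed mroute, expected 6 arguments: {ln}")
            continue
        src, smask, in_if, dst, dmask, out_if = fields[1:]
        try:
            ipaddress.ip_network(f"{src}/{smask}", strict=False)
            group = ipaddress.ip_network(f"{dst}/{dmask}", strict=False)
        except ValueError as exc:
            problems.append(f"bad address or mask ({exc}): {ln}")
            continue
        if not group.subnet_of(CLASS_D):
            problems.append(f"dst {group} is not a Class D range: {ln}")
        for name in (in_if, out_if):
            if name not in declared:
                problems.append(f"missing 'multicast interface {name}': {ln}")
    return problems


if __name__ == "__main__":
    for issue in check_stub_multicast(SAMPLE_MISSING_IF):
        print(issue)
```
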

Like I said before, I tried the mroute commands, it didn't work.

Well the access-list 100 commands came straight from the link you provided.

to complete the solution

you need to declare your interfaces as multicast interfaces

please read the previous messages more carefully

I go to sleep now

Good luck

Bye

Giuseppe

Go back to sleep then,

Cause you need to read previous messages more carefully, because I did declare interfaces as multicast interfaces.
