Encapsulating multicast traffic over an IPSEC tunnel in a specific topology

Posted on 2004-10-04
Last Modified: 2013-11-16
Hello.  First time posting here.

Below is the topology of the relevant portion of my network:

PIX 506 --> Cisco 1721 --> Internet --> Cisco 1721 --> PIX 515

I'm trying to set up a VPN.  I've succefully established a VPN tunnel and can communicate in both directions.  However, I have a problem.  I need to pass multicast traffic through this tunnel and this is not possible via a PIX-to-PIX tunnel.  To allow this, I've been told I first need to encapsulate traffic with GRE (a function normally performed by routers).  The problem I have is in my topology:  my 1721 routers lay beyond my PIX firewalls, preventing me the ability to encaspulate the multicast traffic BEFORE it hits the PIX.  I've spoken briefly with two Cisco engineers.  One said it was impossible without a topology change and the other said he thought it was possible, but he couldn't offer advice beyond that.

Does anyone have advice on this?


Question by:meade470
  • 4
  • 3
LVL 79

Expert Comment

ID: 12217891
I know you don't want to hear it, but you may have to add another router on the inside of each pix and create GRE tunnels "through" the pixs.


Author Comment

ID: 12236911
Thanks, lrmoore.  It seems you are correct, as two TAC engineers have confirmed the same.  Thanks for your input.

I have a question.  What would be the "protocol" on allocating points in this situation?  Do I give lrmoore full/partial?

LVL 79

Expert Comment

ID: 12237504
Follow your gut on the disposition of this question. We can't just abandon it, and I did provide good information.
Perhaps accept with a "B" grade?
In case you don't know about the affects of the grades, we get Expert points awarded as multiples of the point value, based on grade. An A gets 4x point value, B is 3x, C is 2x point value. Most experts really frown on C as a failing grade. If I can provide more information for you to get that "A", I certainly will..

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.


Author Comment

ID: 12237890
Thanks, lrmoore!  I will award you the "A", but I do have another related question, if you don't mind.  :)

Why use perimeter routers in the first place?  What purpose do they serve in my particular environment?  Wouldn't it be possilble to surround the perimeter with PIXs?  (I've seen this config in samples.)  My perimeter routers have extremely basic configs; all they really do is specify an IP on an ethernet port, a Frame/DLCI config on a serial port, and point the way to the internet via a static route.   Does the Frame/DLCI config require a router?  Can it not be set on a PIX?  Or does it have something to do with the limited number of physical port on the PIX?  (I have a 515, btw.)

Thanks a bunch for your help, and high praise for your CCIE pass!  I'm a lowly CCNA :)

LVL 79

Accepted Solution

lrmoore earned 500 total points
ID: 12238290
You've answered your own question, you just don't realize it.
Perimeter routers serve two purposes 1) LAN/WAN gateway - frame-relay to Ethernet routing between different physical media type.  2) can act as a screening access router to filter out specific traffic before it ever hits the firewall. Less work for the firewall, better performance. Also part of any good "defense in depth" strategy...

>Does the Frame/DLCI config require a router?  Can it not be set on a PIX?
No, the PIX, nor most any other firewall, has any capacity to connect directly to WAN interface types.
Yes, you need a router just for that function. Unless your WAN terminates at your premises with an Ethernet handoff, you need the router. DSL/cable modems are two that are usually provided by the ISP and hand you and ethernet feed. In this case you don't need the extra layer of a router.
Almost any other media type - T1, T3, OC-3, high-speed serial, etc. will require a router.

HTH!   CCNP can't be too far ahead for you, right?

Author Comment

ID: 12239097
Cool!  Thanks a ton.  I really appreciate your time and valuable insight.  

Just minutes ago I discovered a workaround for this mulitcasting problem:  We can set up our mainframe application that requires multicast (user authentication only) to go to "directed host."  Better, more secure, and capable of VPN in current network top.

CCNP training will begin in late 2005.  In school I'm studying Microsoft, Checkpoint, and general network security.  (Our IT staff requires the wearing of many hats.)

See you around ;)
LVL 79

Expert Comment

ID: 12239135
Best of luck to you!


Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
cisco VIRL 3 45
Cisco universal IOS upgrade from ipbase to ipservices 4 62
Auto Smartport macro for Dell and HP laptops 2 53
If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now