Encapsulating multicast traffic over an IPSEC tunnel in a specific topology

Posted on 2004-10-04
Last Modified: 2013-11-16
Hello.  First time posting here.

Below is the topology of the relevant portion of my network:

PIX 506 --> Cisco 1721 --> Internet --> Cisco 1721 --> PIX 515

I'm trying to set up a VPN.  I've succefully established a VPN tunnel and can communicate in both directions.  However, I have a problem.  I need to pass multicast traffic through this tunnel and this is not possible via a PIX-to-PIX tunnel.  To allow this, I've been told I first need to encapsulate traffic with GRE (a function normally performed by routers).  The problem I have is in my topology:  my 1721 routers lay beyond my PIX firewalls, preventing me the ability to encaspulate the multicast traffic BEFORE it hits the PIX.  I've spoken briefly with two Cisco engineers.  One said it was impossible without a topology change and the other said he thought it was possible, but he couldn't offer advice beyond that.

Does anyone have advice on this?


Question by:meade470
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
LVL 79

Expert Comment

ID: 12217891
I know you don't want to hear it, but you may have to add another router on the inside of each pix and create GRE tunnels "through" the pixs.


Author Comment

ID: 12236911
Thanks, lrmoore.  It seems you are correct, as two TAC engineers have confirmed the same.  Thanks for your input.

I have a question.  What would be the "protocol" on allocating points in this situation?  Do I give lrmoore full/partial?

LVL 79

Expert Comment

ID: 12237504
Follow your gut on the disposition of this question. We can't just abandon it, and I did provide good information.
Perhaps accept with a "B" grade?
In case you don't know about the affects of the grades, we get Expert points awarded as multiples of the point value, based on grade. An A gets 4x point value, B is 3x, C is 2x point value. Most experts really frown on C as a failing grade. If I can provide more information for you to get that "A", I certainly will..

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.


Author Comment

ID: 12237890
Thanks, lrmoore!  I will award you the "A", but I do have another related question, if you don't mind.  :)

Why use perimeter routers in the first place?  What purpose do they serve in my particular environment?  Wouldn't it be possilble to surround the perimeter with PIXs?  (I've seen this config in samples.)  My perimeter routers have extremely basic configs; all they really do is specify an IP on an ethernet port, a Frame/DLCI config on a serial port, and point the way to the internet via a static route.   Does the Frame/DLCI config require a router?  Can it not be set on a PIX?  Or does it have something to do with the limited number of physical port on the PIX?  (I have a 515, btw.)

Thanks a bunch for your help, and high praise for your CCIE pass!  I'm a lowly CCNA :)

LVL 79

Accepted Solution

lrmoore earned 500 total points
ID: 12238290
You've answered your own question, you just don't realize it.
Perimeter routers serve two purposes 1) LAN/WAN gateway - frame-relay to Ethernet routing between different physical media type.  2) can act as a screening access router to filter out specific traffic before it ever hits the firewall. Less work for the firewall, better performance. Also part of any good "defense in depth" strategy...

>Does the Frame/DLCI config require a router?  Can it not be set on a PIX?
No, the PIX, nor most any other firewall, has any capacity to connect directly to WAN interface types.
Yes, you need a router just for that function. Unless your WAN terminates at your premises with an Ethernet handoff, you need the router. DSL/cable modems are two that are usually provided by the ISP and hand you and ethernet feed. In this case you don't need the extra layer of a router.
Almost any other media type - T1, T3, OC-3, high-speed serial, etc. will require a router.

HTH!   CCNP can't be too far ahead for you, right?

Author Comment

ID: 12239097
Cool!  Thanks a ton.  I really appreciate your time and valuable insight.  

Just minutes ago I discovered a workaround for this mulitcasting problem:  We can set up our mainframe application that requires multicast (user authentication only) to go to "directed host."  Better, more secure, and capable of VPN in current network top.

CCNP training will begin in late 2005.  In school I'm studying Microsoft, Checkpoint, and general network security.  (Our IT staff requires the wearing of many hats.)

See you around ;)
LVL 79

Expert Comment

ID: 12239135
Best of luck to you!


Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud  (…
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question