Extend multicast over Remote Access VPN on an ASA

Has anybody done this before?

I was hoping that it would be as straightforward as configuring the ASA to encrypt the source going to the destination multicast address and turning on multicast.

Multicast is enabled on a few VLANs on the inside switches including the routing VLAN. If a device were in the routing VLAN it would receive the multicast. I have set the VPN pool of IPs to a subset of the range used for the routing VLAN in the hope that the switch would be deceived and think a remote access user is just on the LAN but out the interface connected to the ASA.

I think this would work if we multicasted to a non-multicast address and assigned the non-multicast address pool to the remote access users. However, we have to use a multicast address and the ASA is specifically having issues propagating the multicast from the inside interface to the outside interface and down the VPN tunnel.

I have read that you can't do multicast over IPSEC (there is no mention of multicast over L2TP), but not on a Cisco site; however, I can't find any Cisco site that explains how to do it.

Many thanks if you can help!

Config so far:

Multicasting to address (and eventually the whole class C and more)
Currently this is propagated around the switches using this config on each interface that I want to forward multicast frames:

ip multicast-routing distributed
interface Vlan156
 ip pim version 1 (2 not available!)
 ip pim sparse-dense-mode

& on P2P links

On the ASA I have

interface Vlan1
 nameif inside
 ip address xxxxx
 security-level 100
 igmp forward interface outside
 igmp join-group

interface Vlan2
 nameif outside
 security-level 0
 ip address xxxxxxx
 igmp join-group

-- played around with the above a bit trying a number of combinations.

access-list inside_nat0_outbound extended permit ip
& other statements – the above encrypts the source of the multicast going to the multicast address
access-list VPN_splitTunnelAcl standard permit

use pfs on VPN so no need for cryptomap ACL
Matsco (Author) Commented:
Thanks for your help - I will assume multicast over IPSEC is not possible and just get a new router at the client site so we can do a GRE tunnel.  Cheers,
Istvan Kalmar (Head of IT Security Division) Commented:

IPSEC does not support multicast!

Best regards,
Matsco (Author) Commented:
Are you 100% on that - there's no way to trick the switch infrastructure/ASA to make it work?
Matsco (Author) Commented:
I thought hairpinning on an ASA was not possible - allowing Remote Access users to connect to other sites connected to the ASA via site-to-site VPNs - but configuring this was easy...
Istvan Kalmar (Head of IT Security Division) Commented:
Are you able to encapsulate multicast packets into unicast?
Matsco (Author) Commented:
That's something I thought I could do - statically map the multicast address to the VPN Pool IP addresses, either on the switch or on the firewall - it's not ideal though, as it is not very flexible if we want to start using another multicast address and multicast to multiple remote access VPN users.