Matsco (United Kingdom) asked:

Extend multicast over Remote Access VPN on an ASA

Has anybody done this before?

I was hoping that it would be as straightforward as configuring the ASA to encrypt the source going to the destination multicast address and turning on multicast.

Multicast is enabled on a few VLANs on the inside switches including the routing VLAN.  If a device were in the routing VLAN it would receive the multicast.  I have set the VPN pool of IPs to a subset of the range used for the routing VLAN in the hope that the switch would be deceived and think a remote access user is just on the LAN but out the interface connected to the ASA.

I think this would work if we multicasted to a non-multicast address and assigned the non-multicast address pool to the remote access users.  However we have to use a multicast address and the ASA is specifically having issues propagating the multicast from the inside interface to the outside interface and down the VPN tunnel.

I have read that you can't do multicast over IPsec (there is no mention of multicast over L2TP), but not on a Cisco site; however, I can't find any Cisco site that explains how to do it.

Many thanks if you can help!
Config so far:

Multicasting to address 239.192.1.1 (and eventually the whole class C and more).
Currently this is propagated around the switches using this config on each interface on which I want to forward multicast frames:

ip multicast-routing distributed
interface Vlan156
 ip pim version 1
 ! PIM version 2 is not available on this platform
 ip pim sparse-dense-mode

& on P2P links

On the ASA I have

multicast-routing

interface Vlan1
 nameif inside
 security-level 100
 ip address xxxxx
 igmp forward interface outside
 igmp join-group 239.192.1.0

interface Vlan2
 nameif outside
 security-level 0
 ip address xxxxxxx
 igmp join-group 239.192.1.0

(I have played around with the above a bit, trying a number of combinations.)

access-list inside_nat0_outbound extended permit ip 10.69.1.0 255.255.255.0 239.192.1.0 255.255.255.0
(plus other statements; the above encrypts the source of the multicast going to the multicast address)
access-list VPN_splitTunnelAcl standard permit 10.69.1.0 255.255.255.0

We use PFS on the VPN, so there is no need for a crypto map ACL.
Istvan Kalmar (Hungary) replied:

Hi,

IPsec does not support multicast!

Best regards,
Istvan
Matsco (asker) replied:

Are you 100% sure on that? There's no way to trick the switch infrastructure/ASA to make it work?
Matsco (asker) replied:

I thought hairpinning on an ASA was not possible (allowing remote access users to connect to other sites connected to the ASA via site-to-site VPNs), but configuring this was easy...

Are you able to encapsulate multicast packets into unicast?
Matsco (asker) replied:

That's something I thought I could do: statically map the multicast address to the VPN pool IP addresses, either on the switch or on the firewall. It's not ideal, though, as it is not very flexible if we want to start using another multicast address and multicast to multiple remote access VPN users.
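The workaround discussed in the two replies above (encapsulating the multicast into unicast, or statically mapping the group to the VPN pool addresses) can be done on a host instead of on the switch or firewall. The relay below is an added example and is not code from this thread or from Cisco: a machine on the inside LAN joins the group, receives each datagram, and re-sends it as ordinary unicast UDP to every address in the VPN pool, so the ASA only ever sees unicast flows it already knows how to encrypt. The group 239.192.1.1 comes from the question; the UDP port 5004 and the pool 10.69.1.128/26 are assumptions.

```python
"""Multicast-to-unicast relay for remote-access VPN clients.

Added example, not code from the thread: a host on the inside LAN joins the
group, receives each datagram and re-sends it as plain unicast UDP to every
address in the VPN pool, so the ASA encrypts it like any other unicast flow.
MCAST_PORT and VPN_POOL are assumptions; the group is the one in the question.
"""
import ipaddress
import socket
import struct
from typing import Callable, Iterable, List, Tuple

MCAST_GROUP = "239.192.1.1"   # group the question multicasts to
MCAST_PORT = 5004             # assumed application port
VPN_POOL = "10.69.1.128/26"   # assumed subset of the VPN address pool

Target = Tuple[str, int]


def usable_group(group: str) -> bool:
    """Accept only forwardable multicast groups: not unicast, and not the
    224.0.0.0/24 link-local control range, which routers never forward."""
    addr = ipaddress.ip_address(group)
    return addr.is_multicast and addr not in ipaddress.ip_network("224.0.0.0/24")


def pool_targets(pool: str, port: int, exclude: Iterable[str] = ()) -> List[Target]:
    """Expand the VPN pool into unicast (host, port) targets, skipping the
    network and broadcast addresses and any excluded hosts (e.g. the relay)."""
    net = ipaddress.ip_network(pool, strict=True)
    skip = {ipaddress.ip_address(a) for a in exclude}
    return [(str(h), port) for h in net.hosts() if h not in skip]


def membership_request(group: str, iface: str = "0.0.0.0") -> bytes:
    """Pack a struct ip_mreq (group, local interface) for IP_ADD_MEMBERSHIP."""
    return struct.pack("4s4s", socket.inet_aton(group), socket.inet_aton(iface))


def open_receiver(group: str, port: int, iface: str = "0.0.0.0") -> socket.socket:
    """Bind to the group's UDP port and join the group on the given interface."""
    if not usable_group(group):
        raise ValueError(f"{group} is not a forwardable multicast group")
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    rx.bind(("", port))
    rx.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP,
                  membership_request(group, iface))
    return rx


def fan_out(data: bytes, targets: List[Target],
            send: Callable[[bytes, Target], object]) -> int:
    """Send one datagram to every target as unicast; returns the copies sent.
    `send` is injected so the fan-out can be exercised without a network."""
    for target in targets:
        send(data, target)
    return len(targets)


def run(group: str = MCAST_GROUP, port: int = MCAST_PORT, pool: str = VPN_POOL) -> None:
    """Receive from the group forever and replicate to the pool (one copy per host)."""
    targets = pool_targets(pool, port)
    pool_hosts = {host for host, _ in targets}
    rx = open_receiver(group, port)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    while True:
        data, (src_ip, _) = rx.recvfrom(65535)
        if src_ip in pool_hosts:
            continue  # do not echo a VPN client's own group traffic back to the pool
        fan_out(data, targets, tx.sendto)


if __name__ == "__main__":
    run()
```

The cost is bandwidth: every datagram is sent once per pool address, whether or not a client is connected, so the relay should be limited to the pool actually in use (or driven by the ASA's active-session list). The NAT-exempt and split-tunnel ACLs then need to match unicast from the relay host to the pool rather than the multicast destination shown in the question's config.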
Asker-certified solution by Matsco (content not available on this page).