How to configure ACLs for multicast across ASA5516

Hi,
I’m troubleshooting a multicast-related issue across an ASA 5516, and finding it hard to understand how the ACL to permit multicast traffic across its interfaces works. The logical topology below shows my setup.

The monitoring server in far left needs to view multicast video stream from cameras (Cam 2 & Cam 4) in far right. The L3 switches route between vlans (different subnets) and the monitoring server is able to receive unicast streams (via the ASA) from the cameras.

The ASA interfaces shown are at the same security level (100). Multicast routing is configured and PIM sparse mode RP is configured as one of the L3 switches. Interface configs:

!
interface GigabitEthernet1/2
 description Inside Interface
 nameif inside
 security-level 100
 ip address 10.23.140.5 255.255.255.0 
 igmp join-group 224.16.17.15
 igmp join-group 224.16.17.8
 ospf message-digest-key 1 md5 *****
 ospf authentication message-digest
!
interface GigabitEthernet1/3
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3.200
 description Cnxn to Monitoring Network
 vlan 200
 nameif GENETECFED
 security-level 100
 ip address 192.168.200.17 255.255.255.0 
 ipv6 address fd87:777d:126a:ce5b::200:17/64
 ipv6 enable
 igmp join-group 224.16.17.8
 igmp join-group 224.16.17.15
!
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
pim rp-address 10.23.201.1 EVL-GENETEC-MCAST-GRPS

When I test using packet tracer, with source as multicast group IP and destination as monitoring server, the output shows the packet is dropped due to a configured ACL. There is an ACL on the ASA interface (10.23.140.5) and I have added entries to permit the multicast traffic but I don’t seem to be getting it right. The ACL is shown below

 access-list inside_access_in extended permit tcp object-group Systems_Networks any object-group EXTERNAL_WEB_ACCESS 
access-list inside_access_in extended permit udp object-group DNS_SERVERS_LOCAL object-group DNS_SERVERS_EXTERNAL eq domain 
access-list inside_access_in extended permit udp object-group Systems_Networks object-group DNS_SERVERS_EXTERNAL eq domain 
access-list inside_access_in extended permit udp object-group VOIP-GW-CUBE object-group SIP_REGISTRARS_EXTERNAL eq sip 
access-list inside_access_in extended permit tcp object-group VOIP-GW-CUBE object-group SIP_REGISTRARS_EXTERNAL eq sip 
access-list inside_access_in extended permit icmp any any echo-reply 
access-list inside_access_in extended permit icmp any any echo 
access-list inside_access_in extended permit icmp any any 
access-list inside_access_in extended permit igmp any any 
access-list inside_access_in extended permit pim any any 
access-list inside_access_in extended permit tcp object-group CCTV-SUBNETS object EXT_GENETEC_SRV_HOST192 
access-list inside_access_in extended permit udp object-group CCTV-SUBNETS object EXT_GENETEC_SRV_HOST192 
access-list inside_access_in extended permit ip object-group EVL-CCTV-MCAST-GRPS any 
access-list inside_access_in extended permit ip any object-group EVL-CCTV-MCAST-GRPS 
!
access-group inside_access_in in interface inside
!
object network EXT_GENETEC_SRV_HOST192
 host 192.168.50.42
 description Genetec SC Server
object network EXT_GENETEC_SRV_SUBNET192
 subnet 192.168.50.0 255.255.255.0
object network EXT_GENETEC_SRV_SUBNET172
 subnet 172.16.50.0 255.255.255.0
object-group network CCTV-SUBNETS
 network-object 10.23.40.0 255.255.255.0
 network-object 10.23.41.0 255.255.255.0
object-group network EVL-CCTV-MCAST-GRPS
 network-object 224.0.0.0 240.0.0.0
object-group network ETS-MCAST-RECIPIENTS
 network-object object EXT_GENETEC_SRV_SUBNET192
 network-object object EXT_GENETEC_SRV_SUBNET172

!
Any advice on tackling this would be appreciated.

Thanks

Hi Toritsejo,

I wasn’t sure how the ASA would work with multicast and two interfaces on the same security-level so I just labbed this up. Here’s the VIRL file (rename the TXT extension to virl):

asa_multicast_virl.txt (8.5 KB)

Here are the configs:

hostname ASA1
!
multicast-routing
!
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 192.168.100.254 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif OUTSIDE
 security-level 100
 ip address 192.168.200.254 255.255.255.0 
!
pim rp-address 192.168.100.1 
!
same-security-traffic permit inter-interface
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect ip-options 
  inspect netbios 
  inspect rtsp 
  inspect sunrpc 
  inspect tftp 
  inspect xdmcp 
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect esmtp 
  inspect sqlnet 
  inspect sip  
  inspect skinny  
  inspect icmp 
!             
service-policy global_policy global

hostname H1
!
no ip routing
!
no ip cef
!
interface GigabitEthernet0/1
 ip address 192.168.1.101 255.255.255.0
 ip igmp join-group 239.2.2.2
!
ip default-gateway 192.168.1.254
!
end

hostname R1
!
ip multicast-routing 
ip cef
!
interface GigabitEthernet0/1
 ip address 192.168.1.254 255.255.255.0
 ip pim sparse-mode
!
interface GigabitEthernet0/2
 ip address 192.168.100.1 255.255.255.0
 ip pim sparse-mode
!
ip http server
ip pim rp-address 192.168.100.1
ip route 0.0.0.0 0.0.0.0 192.168.100.254
!
end

hostname R2
!
ip multicast-routing 
ip cef
!
interface GigabitEthernet0/1
 ip address 192.168.2.254 255.255.255.0
 ip pim sparse-mode
!
interface GigabitEthernet0/2
 ip address 192.168.200.2 255.255.255.0
 ip pim sparse-mode
!
ip http server
ip pim rp-address 192.168.100.1
ip route 0.0.0.0 0.0.0.0 192.168.200.254
!
end

hostname H2
!
no ip routing
!
ip multicast-routing 
no ip cef
!
interface GigabitEthernet0/1
 ip address 192.168.2.102 255.255.255.0
 ip igmp join-group 239.1.1.1
!
ip default-gateway 192.168.2.254
!
end

I can get multicast traffic in both directions without issues between H1 and H2. I’m not sure if packet-tracer works well for multicast traffic. When I try it, I’m also getting a deny message. Is your ASA really dropping it? Nothing in the mroute table?

ASA1# show mroute 239.1.1.1

Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, 
       C - Connected, L - Local, I - Received Source Specific Host Report,
       P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set,
       J - Join SPT 
Timers: Uptime/Expires
Interface state: Interface, State

(*, 239.1.1.1), 01:02:05/00:03:25, RP 192.168.100.1, flags: S
  Incoming interface: INSIDE
  RPF nbr: 192.168.100.1
  Immediate Outgoing interface list:
    OUTSIDE, Forward, 01:02:05/00:03:25

(192.168.1.101, 239.1.1.1), 00:01:57/00:03:10, flags: ST
  Incoming interface: INSIDE
  RPF nbr: 192.168.100.1
  Immediate Outgoing interface list:
    OUTSIDE, Forward, 00:01:57/00:02:31

Rene

Hi Rene,

Can we have some Lessons on Other Networking Vendors Devices ,

Meaning , can we have some lessons on Juniper and Palo Alto pls ???

Hello Cisco-admin

For the time being, the NetworkLessons site is devoted to preparing networking professionals for CCNA, CCNP and related Cisco certifications. For the foreseeable future at least, no additional vendors will be added. However, if you would like your request to be recorded, go to the following link and post your lesson idea. If enough people want the same thing, maybe it may be done in the future!

Laz