Issues to watch when multicast traffic crosses a firewall
I recently worked on a video-on-demand project; a rough sketch of the topology: server---msfc---fwsm(outside)--------6509-----fwsm(inside)------msfc-------pc
The clients sit in the inside zone and the server in the outside zone. Multicast routing was configured on the 6500 and the FWSM was acting as the multicast proxy, but strangely no traffic would cross the firewall and reach the PCs no matter what I tried. At first I suspected the Huawei 85 downstream of the 6500, but after ruling things out one by one I found the problem was on the FWSM. Going through the documentation, I found that Cisco calls out the following about multicast traffic crossing the firewall:
An FWSM acting as the gateway to the stub area does not need to participate in PIM. Instead, you can configure it to act as an IGMP proxy agent and forward IGMP messages from hosts connected on one interface to an upstream multicast router on another. To configure the FWSM as an IGMP proxy agent, forward the host join and leave messages from the stub area interface to an upstream interface.
To forward the host join and leave messages, enter the following command from the interface attached to the stub area:
hostname(config-if)# igmp forward interface if_name
In other words, when the FWSM is not running PIM and is the gateway for a multicast stub area, it has to be configured as an IGMP proxy so that the IGMP join and leave messages from the hosts are relayed to the FWSM's upstream multicast router. Concretely, igmp forward interface <upstream> goes on the interface facing the hosts (inside10 below) and names the interface facing the multicast router (outside below). The igmp join-group lines additionally make the FWSM itself a member of those groups on the stub interface, so the upstream router forwards those streams to the FWSM regardless of what the downstream hosts have joined. The proxy only handles IGMP signalling: the multicast data arriving on outside is still subject to the access list bound to that interface, which the configuration below satisfies with a permit-any ACL.
After configuring it according to the documentation, the problem was solved.
The full configuration follows:
FWSM Version 3.2(5)
!
hostname FWSM
domain-name default.domain.invalid
enable password JS9..13934NtbwhS encrypted
multicast-routing
names
!
interface Vlan5
description outside to MSFC
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.0
!
interface Vlan10
description downlink HuaWei-S8512
nameif inside10
security-level 100
ip address 192.168.10.250 255.255.255.248
igmp forward interface outside
igmp join-group 225.1.1.11
igmp join-group 225.1.1.12
igmp join-group 225.1.1.13
igmp join-group 225.1.1.14
igmp join-group 225.1.1.15
igmp join-group 225.1.1.16
igmp join-group 225.1.1.17
igmp join-group 225.1.1.18
!
passwd xe.QlSKNchN8Jrum encrypted
banner login Welcome to the Catalyst 6509-3BXL-FWSM!
banner login @@@Unauthorized access prohibited!!!@@@
banner login the Network Center of CUEB
ftp mode passive
access-list in extended permit ip any any
access-list test1 extended permit ip host 192.168.10.254 any
pager lines 24
mtu outside 1500
mtu inside10 1500
no failover
failover lan unit secondary
icmp permit any outside
icmp permit any inside10
no asdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x-y.y.y.y netmask 255.255.255.0
global (outside) 1 x.x.x.x-y.y.y.y netmask 255.255.255.0
nat (inside10) 1 10.10.0.0 255.255.0.0 tcp 50 50 udp 50
static (inside10,outside) x.x.x.x 10.10.4.242 netmask 255.255.255.255 tcp 100 0
static (inside10,outside) x.x.x.x 10.10.4.241 netmask 255.255.255.255 tcp 100 0
static (inside10,outside) x.x.x.x 10.10.5.124 netmask 255.255.255.255
static (inside10,outside) x.x.x.x 10.10.5.123 netmask 255.255.255.255
static (inside10,outside) x.x.x.x access-list test1
access-group in in interface outside
access-group in in interface inside10
route outside 0.0.0.0 0.0.0.0 59.65.63.254 1
route inside10 10.10.0.0 255.255.0.0 192.168.10.249 1
route inside10 20.1.1.0 255.255.255.0 192.168.10.251 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 202.204.145.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
virtual telnet 59.65.63.250
telnet 10.5.1.13 255.255.255.255 outside
telnet x.x.x.x 255.255.255.128 outside
telnet 192.168.10.254 255.255.255.255 inside10
telnet timeout 5
ssh 202.204.145.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
!
class-map class_sip_tcp
match port tcp eq sip
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect skinny
inspect smtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect icmp
class class_sip_tcp
inspect sip
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1f1bbaacc7a8c4da4853cc4a9ee112ac
: end
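The relationships the documentation quote describes (multicast-routing on, igmp forward interface on the stub-area interface, the named upstream interface actually existing, join-group addresses that are multicast) are easy to get subtly wrong when typing a config, and the posted config also carries settings a security reviewer would flag on sight: the read community "public", a permit ip any any ACL bound inbound on both interfaces, and cleartext telnet allowed from the outside interface. The following linter is an added example, not code from the original post or from Cisco; it parses an FWSM/ASA-style config without depending on indentation and reports both kinds of findings. SAMPLE_CONFIG is a constructed, trimmed copy of the configuration above (the posted config should also have had its password hashes and management ranges scrubbed before publishing).

```python
"""Lint an FWSM/ASA-style config for the IGMP-proxy (stub-area) setup.

Added example, not from the original post or Cisco. Checks the conditions the
quoted documentation states (multicast-routing on, 'igmp forward interface
<upstream>' on the stub interface, <upstream> a real nameif) and flags settings
visible in the posted config that a reviewer would question.
"""
import ipaddress
import re

# Constructed sample: a trimmed version of the FWSM config on the page.
SAMPLE_CONFIG = """\
multicast-routing
!
interface Vlan5
nameif outside
security-level 0
!
interface Vlan10
nameif inside10
security-level 100
igmp forward interface outside
igmp join-group 225.1.1.11
igmp join-group 225.1.1.12
!
access-list in extended permit ip any any
snmp-server community public
access-group in in interface outside
access-group in in interface inside10
telnet 10.5.1.13 255.255.255.255 outside
"""


def parse_config(text):
    """Return (global lines, {nameif: interface block}).

    Blocks run from 'interface ...' to the next '!', so the parser does not
    rely on the leading-space indentation pasted configs often lose.
    """
    global_lines, interfaces, block = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            if block is not None:
                interfaces[block["nameif"] or block["name"]] = block
                block = None
            continue
        words = line.split()
        if words[0] == "interface":
            block = {"name": line.split(None, 1)[1], "nameif": None,
                     "security": None, "forward": None, "joins": []}
        elif block is not None:
            if words[0] == "nameif":
                block["nameif"] = words[1]
            elif words[0] == "security-level":
                block["security"] = int(words[1])
            elif words[:3] == ["igmp", "forward", "interface"]:
                block["forward"] = words[3]
            elif words[:2] == ["igmp", "join-group"]:
                block["joins"].append(words[2])
        else:
            global_lines.append(line)
    if block is not None:
        interfaces[block["nameif"] or block["name"]] = block
    return global_lines, interfaces


def lint(text):
    """Return (category, message) findings; category is 'multicast' or 'hardening'."""
    global_lines, interfaces = parse_config(text)
    out = []
    # IGMP proxy / stub-area consistency, per the quoted documentation.
    if "multicast-routing" not in global_lines:
        out.append(("multicast", "multicast-routing is not enabled; igmp commands do nothing"))
    forwarders = [i for i in interfaces.values() if i["forward"]]
    if not forwarders:
        out.append(("multicast", "no interface carries 'igmp forward interface'; host joins never reach the upstream router"))
    for intf in forwarders:
        name, up = intf["nameif"], intf["forward"]
        if up not in interfaces:
            out.append(("multicast", f"{name}: igmp forward target '{up}' is not a configured nameif"))
        elif up == name:
            out.append(("multicast", f"{name}: igmp forward target is the interface itself"))
    for intf in interfaces.values():
        for grp in intf["joins"]:
            try:
                ok = ipaddress.ip_address(grp).is_multicast
            except ValueError:
                ok = False
            if not ok:
                out.append(("multicast", f"{intf['nameif']}: igmp join-group {grp} is not a multicast address"))
    # Settings a reviewer would flag; all of these appear in the posted config.
    permit_any, bound = set(), {}
    for line in global_lines:
        if m := re.match(r"access-list (\S+) extended permit ip any any$", line):
            permit_any.add(m.group(1))
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
            bound[m.group(2)] = m.group(1)
        elif m := re.match(r"snmp-server community (\S+)$", line):
            if m.group(1).lower() in ("public", "private"):
                out.append(("hardening", f"snmp-server community '{m.group(1)}' is a well-known default"))
        elif m := re.match(r"telnet \d+\.\d+\.\d+\.\d+ \S+ (\S+)$", line):
            if interfaces.get(m.group(1), {}).get("security") == 0:
                out.append(("hardening", f"cleartext telnet management allowed on {m.group(1)} (security-level 0)"))
    for ifname, acl in bound.items():
        if acl in permit_any:
            out.append(("hardening", f"{ifname}: inbound ACL '{acl}' is permit ip any any"))
    return out


if __name__ == "__main__":
    for category, msg in lint(SAMPLE_CONFIG):
        print(f"[{category}] {msg}")
```

Run against the sample, the multicast checks come back clean (which matches the post: the proxy was the fix), while the hardening list shows the four items above. Feeding it a config with a misspelled upstream nameif, a missing multicast-routing line, or a unicast address in igmp join-group produces one multicast finding per mistake, which is the kind of error that otherwise only shows up as "no traffic reaches the PC".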