Cisco ASA 5500-X Series Next-Generation Firewalls

PIX/ASA 7.x: Multicast on the PIX/ASA Platforms with Sender on Outside Configuration Example

Document ID: 71779

Updated: Sep 26, 2008



This document provides a sample configuration for multicast on the Cisco Adaptive Security Appliance (ASA) and/or PIX Security Appliance that runs version 7.x. In this example, the multicast sender is on the outside of the security appliance and hosts on the inside are attempting to receive the multicast traffic. The hosts send IGMP reports to report group membership, and the firewall uses Protocol Independent Multicast (PIM) sparse mode as the dynamic multicast routing protocol to the upstream router, behind which the source of the stream resides.

Note: FWSM/ASA does not support 232.x.x.x/8 subnet as a group number as it is reserved for ASA SSM. So FWSM/ASA does not allow this subnet to be used or traversed and mroute does not get created. But, you can still pass this multicast traffic through ASA/FWSM if you encapsulate it in GRE tunnel.



A Cisco PIX or ASA Security Appliance that runs software version 7.0, 7.1, or 7.2.

Components Used

The information in this document is based on a Cisco PIX or Cisco ASA Firewall that runs version 7.x.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.


Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Background Information

PIX/ASA 7.x introduces full PIM sparse mode and bi-directional support for dynamic multicast routing through the firewall. PIM dense mode is not supported. The 7.x software still supports legacy multicast 'stub-mode' in which the firewall is simply an IGMP proxy between interfaces as was supported in PIX version 6.x.

These statements hold true for multicast traffic through the firewall:

  • If an access-list is applied to the interface where the multicast traffic is received, then the access control list (ACL) must explicitly permit the traffic. If no access-list is applied to the interface, the explicit ACL entry that permits the multicast traffic is not necessary.

  • The multicast data packets are always subjected to the Reverse Path Forwarding check of the firewall, regardless of whether the reverse-path forward check command is configured on the interface. Therefore, if there is no route on the interface that the packet was received on to the source of the multicast packet, then the packet is dropped.

  • If there is no route on the interface back to the source of the multicast packets, use the mroute command to instruct the firewall not to drop the packets.


In this section, you are presented with the information to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Network Diagram

This document uses this network setup.

The multicast traffic is sourced from and uses UDP packets on port 1234 destined to group



This document uses this configuration:

Cisco PIX or ASA Firewall that runs Version 7.x
maui-soho-01#show running-config 
 SA Version 7.1(2)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted

!--- The multicast-routing command enables IGMP and PIM
 !--- on all interfaces of the firewall. 

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 no nameif
 no security-level
 no ip address
passwd 2KFQnbNIdI.2KYOU encrypted

!--- The rendezvous point address must be defined in the
!--- configuration in order for PIM to function correctly.

pim rp-address
boot system disk0:/asa712-k8.bin
ftp mode passive

!--- It is necessary to permit the multicast traffic with an
!--- access-list entry.

access-list outside_access_inbound extended permit ip any host
pager lines 24
logging enable
logging buffered debugging
mtu outside 1500
mtu inside 1500
no failover

!--- The access-list that permits the multicast traffic is applied
!--- inbound on the outside interface.

access-group outside_access_inbound in interface outside

!--- This mroute entry specifies that the multicast sender 
!--- is off the outside interface. In this example
!--- the mroute entry is necessary since the firewall has no route to
!--- the host on the outside interface. Otherwise, this
!--- entry is not necessary.

mroute outside
icmp permit any outside
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global


Use this section to confirm that your configuration works properly.

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

  • show mroute—Displays the IPv4 multicast routing table.

    ciscoasa#show mroute 
    Multicast Routing Table
    Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group,
           C - Connected, L - Local, I - Received Source Specific Host Report,
           P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set,
           J - Join SPT
    Timers: Uptime/Expires
    Interface state: Interface, State
    !--- Here you see the mroute entry for the shared tree. Notice that the 
    !--- incoming interface specifies outside and that the outgoing interface
    !--- list specifies inside.
    (*,, 00:00:12/never, RP, flags: SCJ
      Incoming interface: outside
      RPF nbr:
      Outgoing interface list:
        inside, Forward, 00:00:12/never
    !--- Here is the source specific tree for the mroute entry. 
    (,, 00:00:12/00:03:17, flags: SJ
      Incoming interface: outside
      RPF nbr:
      Immediate Outgoing interface list: Null
  • show conn—Displays the connection state for the designated connection type.

    !--- A connection is built through the firewall for the multicast stream.
    !--- In this case the stream is sourced from the sender IP and destined
    !--- to the multicast group. 
    ciscoasa#show conn
    10 in use, 12 most used
    UDP out in idle 0:00:00 flags -
  • show pim neighbor—Displays entries in the PIM neighbor table.

    !--- When you use PIM, the neighbor devices should be seen with the 
    !--- show pim neighbor command. 
    ciscoasa#show pim neighbor
    Neighbor Address  Interface          Uptime    Expires DR pri Bidir        outside            04:06:37  00:01:27 1 (DR)


This section provides information you can use to troubleshoot your configuration.

Troubleshooting Procedure

Follow these instructions in order to troubleshoot your configuration.

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

Note: Refer to Important Information on Debug Commands before you use debug commands.

  1. If the multicast receivers are directly connected to the inside of the firewall, they send IGMP reports to receive the multicast stream. Use the show igmp traffic command in order to verify that you receive IGMP reports from the inside.

    ciscoasa#show igmp traffic
    IGMP Traffic Counters
    Elapsed time since counters cleared: 04:11:08
                                  Received     Sent
    Valid IGMP Packets            413          244
    Queries                       128          244
    Reports                       159          0
    Leaves                        0            0
    Mtrace packets                0            0
    DVMRP packets                 0            0
    PIM packets                   126          0
    Malformed Packets             0
    Martian source                0
    Bad Checksums                 0
  2. The firewall can display more detailed information about the IGMP data by using the debug igmp command.

    In this case, the debugs are enabled and the host sends an IGMP report for the group

    !--- Enable IGMP debugging.
    ciscoasa#debug igmp
    IGMP debugging is on
    ciscoasa# IGMP: Received v2 Report on inside from for
    IGMP: group_db: add new group on inside
    IGMP: MRIB updated (*, : Success
    IGMP: Switching to EXCLUDE mode for on inside
    IGMP: Updating EXCLUDE group timer for
    !--- Disable IGMP debugging
    ciscoasa#un all
  3. Verify that the firewall has valid PIM neighbors and that the firewall sends and receives join/prune information.

    ciscoasa#show pim neigh
    Neighbor Address  Interface          Uptime    Expires DR pri Bidir        outside            04:26:58  00:01:20 1 (DR)
    ciscoasa#show pim traffic
    PIM Traffic Counters
    Elapsed time since counters cleared: 04:27:11
                                  Received     Sent
    Valid PIM Packets             543          1144
    Hello                         543          1079
    Join-Prune                    0            65
    Register                      0            0
    Register Stop                 0            0
    Assert                        0            0
    Bidir DF Election             0            0
    Malformed Packets                           0
    Bad Checksums                               0
    Send Errors                                 0
    Packet Sent on Loopback Errors              0
    Packets Received on PIM-disabled Interface  0
    Packets Received with Unknown PIM Version   0
    Packets Received with Incorrect Addressing  0
  4. Use the capture command in order to verify that the outside interface receives the multicast packets for the group.

    ciscoasa#configure terminal
    !--- Create an access-list that is only used 
    !--- to flag the packets to capture.
    ciscoasa(config)#access-list captureacl permit ip any host
    !--- Define the capture named capout, bind it to the outside interface, and
    !--- specify to only capture packets that match the access-list captureacl.
    ciscoasa(config)#capture capout interface outside access-list captureacl
    !--- Repeat for the inside interface.
    ciscoasa(config)#capture capin interface inside access-list captureacl
    !--- View the contents of the capture on the outside. This verifies that the
    !--- packets are seen on the outside interface
    ciscoasa(config)#show capture capout
    138 packets captured
       1: 02:38:07.639798 >  udp 1316
       2: 02:38:07.696024 >  udp 1316
       3: 02:38:07.752295 >  udp 1316
       4: 02:38:07.808582 >  udp 1316
       5: 02:38:07.864823 >  udp 1316
       6: 02:38:07.921110 >  udp 1316
       7: 02:38:07.977366 >  udp 1316
       8: 02:38:08.033689 >  udp 1316
       9: 02:38:08.089961 >  udp 1316
      10: 02:38:08.146247 >  udp 1316
      11: 02:38:08.202504 >  udp 1316
      12: 02:38:08.258760 >  udp 1316
      13: 02:38:08.315047 >  udp 1316
      14: 02:38:08.371303 >  udp 1316
      15: 02:38:08.427574 >  udp 1316
      16: 02:38:08.483846 >  udp 1316
      17: 02:38:08.540117 >  udp 1316
      18: 02:38:08.596374 >  udp 1316
      19: 02:38:08.652691 >  udp 1316
      20: 02:38:08.708932 >  udp 1316
      21: 02:38:08.765188 >  udp 1316
      22: 02:38:08.821460 >  udp 1316
      23: 02:38:08.877746 >  udp 1316
      24: 02:38:08.934018 >  udp 1316
    !--- Here you see the packets forwarded out the inside 
    !--- interface towards the clients.
    ciscoasa(config)#show capture capin
    89 packets captured
       1: 02:38:12.873123 >  udp 1316
       2: 02:38:12.929380 >  udp 1316
       3: 02:38:12.985621 >  udp 1316
       4: 02:38:13.041898 >  udp 1316
       5: 02:38:13.098169 >  udp 1316
       6: 02:38:13.154471 >  udp 1316
       7: 02:38:13.210743 >  udp 1316
       8: 02:38:13.266999 >  udp 1316
       9: 02:38:13.323255 >  udp 1316
      10: 02:38:13.379542 >  udp 1316
      11: 02:38:13.435768 >  udp 1316
      12: 02:38:13.492070 >  udp 1316
      13: 02:38:13.548342 >  udp 1316
      14: 02:38:13.604598 >  udp 1316
      15: 02:38:13.660900 >  udp 1316
      16: 02:38:13.717141 >  udp 1316
      17: 02:38:13.773489 >  udp 1316
      18: 02:38:13.829699 >  udp 1316
      19: 02:38:13.885986 >  udp 1316
      20: 02:38:13.942227 >  udp 1316
      21: 02:38:13.998483 >  udp 1316
      22: 02:38:14.054852 >  udp 1316
      23: 02:38:14.111108 >  udp 1316
      24: 02:38:14.167365 >  udp 1316
    !--- Remove the capture from the memory of the firewall.
    ciscoasa(config)#no capture capout

Known Bugs

Cisco bug ID CSCse81633 (registered customers only) —ASA 4GE-SSM Gig ports silently drop IGMP joins.

  • Symptom—When a 4GE-SSM module is installed into an ASA and multicast-routing is configured along with IGMP on the interfaces, IGMP joins are dropped on the interfaces of the 4GE-SSM module.

  • Conditions—IGMP joins are not dropped on the onboard Gig interfaces of the ASA.

  • Workaround—For multicast routing, use the onboard Gig interface ports.

  • Fixed in versions—7.0(6), 7.1(2)18, 7.2(1)11

Related Information

Updated: Sep 26, 2008
Document ID: 71779