I'm asking for help, because I can't figure out on my own where the mistake is.
I've looked through the existing posts; my situation differs in that it uses multicast from the DMZ interface of an ASA with a Base license.
The provider streams multicast TV. I receive it through an ADSL bridge.
lan----asa-(out)----bridge_adsl----pvc_1+pvc_2(tv)
+-(dmz)--------+ the LAN is connected to the ASA (the receiving host is in the LAN)
The ASA is connected to the bridge with the OUT interface, on which I get Internet, and with its other interface, DMZ, the ASA is connected to another port of the bridge. The bridge has two PVCs: one for Internet, the other for TV. I mapped them to the ports accordingly.
The Internet works.
Problem:
TV works for only about 1.5 minutes.
I understand the trouble is with IGMP, but I can't figure out what exactly is wrong, because the reports arrive from the host on inside (that's visible), so they should be forwarded as-is through the DMZ.
Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xfff00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Int: Internal-Data0/0 : address is 001d.45ed.7014, irq 11
1: Ext: Ethernet0/0 : address is 001d.45ed.700c, irq 255
2: Ext: Ethernet0/1 : address is 001d.45ed.700d, irq 255
3: Ext: Ethernet0/2 : address is 001d.45ed.700e, irq 255
4: Ext: Ethernet0/3 : address is 001d.45ed.700f, irq 255
5: Ext: Ethernet0/4 : address is 001d.45ed.7010, irq 255
6: Ext: Ethernet0/5 : address is 001d.45ed.7011, irq 255
7: Ext: Ethernet0/6 : address is 001d.45ed.7012, irq 255
8: Ext: Ethernet0/7 : address is 001d.45ed.7013, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 10 perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 25 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has a Base license.
ASA Version 8.4(1)
!
hostname Frigate
domain-name ship.hm
enable password iWqg9uTDs.mRfZdK encrypted
passwd AKXjndqEWMFE.2eA encrypted
multicast-routing
names
name 192.x.x.0 myLAN
name 192.168.0.0 Moscw_LANnet
!
interface Vlan1
description ========== inside ==========
nameif INS
security-level 100
ip address 192.x.x.1 255.255.255.240
igmp forward interface DMZ
igmp access-group mcast
summary-address eigrp 1 0.0.0.0 0.0.0.0 5 !- there is another router behind the inside, but it has nothing to do with the problem
!
interface Vlan2
description ========= outside ========
nameif OUT
security-level 0
ip address pppoe setroute
no mfib forwarding
!
interface Vlan3
description test-iptv
no forward interface Vlan2
nameif DMZ
security-level 50
ip address dhcp
igmp access-group mcast
!
interface Ethernet0/0
description ========== inside ==========
!
interface Ethernet0/1
description ========= outside ========
switchport access vlan 2
!
interface Ethernet0/2
description ===== inside--ata186 ======
!
interface Ethernet0/3
description to-dyndns-client
!
interface Ethernet0/4
description test-iptv
switchport access vlan 3
!
interface Ethernet0/5
description ========== inside ==========
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
regex badurl1 "xxx"
regex badurl2 "xxxf"
regex badurl3 "xxxx"
regex badurl4 "x"
regex badurl5 "xxxxxxx"
regex badurl6 "xx"
regex badurl7 "xxxxxxxxx"
boot system disk0:/asa841-k8.bin
ftp mode passive
clock timezone MSK/MSD 3
clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup INS
dns domain-lookup OUT
dns server-group DefaultDNS
name-server 81.20.x.254
name-server 81.20.xx.254
object network obj-192.x.x.8
host 192.x.x.8
object network obj-192.x.x.9
host 192.x.x.9
object network myLAN
subnet 192.x.x.0 255.255.255.240
object network obj_any-in-dmz
subnet 192.x.x.0 255.255.255.0
object-group icmp-type INB
description Permit necessary inbound ICMP traffic
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group network my_NETs
network-object myLAN 255.255.255.0
object-group network CONET
network-object Moscw_LANnet 255.255.0.0
network-object 172.0.0.0 255.0.0.0
network-object 10.0.0.0 255.0.0.0
network-object 100.100.100.0 255.255.255.0
object-group network HTTP_NORMALIZE
network-object 192.x.x.16 255.255.255.252
network-object 192.x.x.24 255.255.255.248
object-group service LAN-UDP udp
port-object eq netbios-dgm
port-object eq netbios-ns
port-object eq rip
port-object eq nfs
port-object eq sunrpc
object-group service LAN-TCP tcp
port-object eq finger
port-object eq gopher
port-object eq lpd
port-object eq nfs
port-object eq rsh
port-object eq netbios-ssn
access-list mcast standard permit any
access-list DMZ extended permit udp any any
access-list DMZ extended permit igmp any any
access-list DMZ extended permit ip any any
access-list split_tunn_webvpn standard permit 192.168.0.0 255.255.0.0
access-list split_tunn_webvpn standard permit 100.0.0.0 255.0.0.0
access-list split_tunn_webvpn standard permit 10.0.0.0 255.0.0.0
access-list split_tunn_webvpn standard permit 172.0.0.0 255.0.0.0
access-list split_tunn_ipsec_ra standard permit 172.0.0.0 255.0.0.0
access-list split_tunn_ipsec_ra standard permit 10.0.0.0 255.0.0.0
access-list split_tunn_ipsec_ra standard permit 100.0.0.0 255.0.0.0
access-list split_tunn_ipsec_ra standard permit 192.168.0.0 255.255.0.0
access-list my_VPN extended permit ip object-group my_NETs object-group CONET
access-list INSIDE-TRAFF extended permit udp object myLAN 224.0.0.0 240.0.0.0
access-list INSIDE-TRAFF extended permit igmp any any
access-list INSIDE-TRAFF extended deny udp object-group my_NETs any object-group LAN-UDP
access-list INSIDE-TRAFF extended deny tcp object-group my_NETs any object-group LAN-TCP
access-list INSIDE-TRAFF extended permit ip object-group my_NETs any
access-list userregex extended permit tcp object myLAN any eq www
access-list http-list extended permit tcp 192.x.x.16 255.255.255.252 host 192.x.x.8
access-list http-list extended permit tcp 192.x.x.16 255.255.255.252 100.0.0.0 255.0.0.0
access-list http-list extended permit tcp 192.x.x.16 255.255.255.252 10.0.0.0 255.0.0.0
access-list http-list extended permit tcp 192.x.x.16 255.255.255.252 172.0.0.0 255.0.0.0
access-list http-list extended permit tcp object-group HTTP_NORMALIZE host 192.x.x.9
access-list http-list extended permit tcp object-group HTTP_NORMALIZE host 192.x.x.10
access-list http-list extended permit tcp object-group HTTP_NORMALIZE host 192.x.x.8
access-list CONN-Time extended permit tcp any object-group my_NETs eq ssh
access-list CONN-Time extended permit tcp any object-group my_NETs eq telnet
access-list tst extended permit pim any any
access-list tst extended permit igmp any any
access-list tst extended permit ip any any
access-list tst extended permit udp any any
access-list 151 standard deny any
access-list INBOUND extended permit icmp any any object-group INB
access-list INBOUND extended permit tcp any any eq ssh
access-list INBOUND extended permit icmp any any log disable
access-list INBOUND extended permit ip host x.x.x.x object myLAN
!
tcp-map mss-map
!
pager lines 24
logging enable
logging buffer-size 24096
logging console informational
logging monitor debugging
logging buffered informational
logging asdm informational
logging rate-limit 3 1 level 0
logging rate-limit 2 1 level 1
logging rate-limit 2 1 level 2
logging rate-limit 3 1 level 3
logging rate-limit 3 1 level 4
logging rate-limit 2 1 level 5
logging rate-limit unlimited level 6
mtu INS 1500
mtu OUT 1492
mtu DMZ 1500
ip local pool anyconn-ra 192.x.x.17 mask 255.255.255.255
ip audit name my_FW info action alarm
ip audit interface OUT my_FW
ip audit signature 1002 disable
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2002 disable
ip audit signature 2003 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
ip audit signature 2006 disable
ip audit signature 2007 disable
ip audit signature 2008 disable
ip audit signature 2009 disable
ip audit signature 2010 disable
ip audit signature 6050 disable
ip audit signature 6051 disable
ip audit signature 6052 disable
ip audit signature 6053 disable
mroute 21x.14x.24x.0 255.255.255.0 DMZ dense INS
icmp unreachable rate-limit 1 burst-size 1
icmp permit any INS
icmp permit any OUT
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
nat (INS,OUT) source static obj-192.x.x.9 obj-192.x.x.9
nat (INS,OUT) source static obj-192.x.x.8 obj-192.x.x.8
nat (INS,OUT) source static my_NETs my_NETs destination static CONET CONET
!
object network myLAN
nat (INS,OUT) dynamic interface
object network obj_any-in-dmz
nat (INS,DMZ) dynamic interface
access-group INSIDE-TRAFF in interface INS
access-group INBOUND in interface OUT
access-group DMZ in interface DMZ
!
router eigrp 1
no auto-summary
network myLAN 255.255.255.0
passive-interface default
no passive-interface INS
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:05:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa local authentication attempts max-fail 6
http server enable
http myLAN 255.255.255.240 INS
http 0.0.0.0 0.0.0.0 OUT
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp INS
sysopt noproxyarp OUT
sysopt noproxyarp DMZ
sla monitor 1
type echo protocol ipIcmpEcho 192.168.0.x interface INS
timeout 2000
threshold 2000
frequency 20
sla monitor schedule 1 life forever start-time now
service resetinbound interface OUT
no service resetoutbound interface OUT
no service resetoutbound interface DMZ
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear-df OUT
crypto map forsazh 10 match address my_VPN
crypto map forsazh 10 set peer x.x.x.x
crypto map forsazh 10 set ikev1 transform-set ESP-3DES-SHA
crypto map forsazh 10 set reverse-route
crypto map forsazh interface OUT
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn Frigate
subject-name CN=Frigate
no client-types
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 31
quit
crypto isakmp identity address
crypto ikev1 enable OUT
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet myLAN 255.255.255.240 INS
telnet timeout 2
ssh 0.0.0.0 0.0.0.0 INS
ssh 0.0.0.0 0.0.0.0 OUT
ssh timeout 15
console timeout 0
management-access INS
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname xxxxx
vpdn group pppoex ppp authentication pap
vpdn username xxxxx password *****
no vpn-addr-assign aaa
dhcp-client update dns server both
dhcpd address 192.x.x.2-192.x.x.7 INS
dhcpd dns xxxxxx xxxxxx interface INS
dhcpd lease 25200 interface INS
dhcpd domain x.home interface INS
dhcpd enable INS
!
priority-queue OUT
tx-ring-limit 256
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server xxxx source OUT
webvpn
enable OUT
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
group-policy GroupPolicy_SSL internal
group-policy GroupPolicy_SSL attributes
wins-server none
dns-server value xxxxx xxxxx
vpn-idle-timeout 30
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunn_webvpn
default-domain value ship.hm
address-pools value anyconn-ra
webvpn
anyconnect keep-installer installed
anyconnect ssl rekey time 30
anyconnect ssl rekey method ssl
anyconnect ask enable default webvpn timeout 10
group-policy ipsec-l2l-policy internal
group-policy ipsec-l2l-policy attributes
vpn-filter none
vpn-tunnel-protocol ikev1
username sslsmike password OLaNpzjkPle.WGZ6 encrypted
username sslsmike attributes
vpn-group-policy GroupPolicy_SSL
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
password-storage disable
webvpn
anyconnect keep-installer installed
anyconnect ssl rekey time none
anyconnect ssl rekey method ssl
anyconnect ask none default anyconnect
username dmitry password BBgDVRNsQ1Rv2wf0 encrypted privilege 15
username smike password U2eq2G/9LJn3YvtN encrypted
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 10 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 10 retry 2
tunnel-group sslTunnelGroup type remote-access
tunnel-group sslTunnelGroup general-attributes
default-group-policy GroupPolicy_SSL
tunnel-group sslTunnelGroup webvpn-attributes
group-alias ssl_group_users enable
tunnel-group sslTunnelGroup ipsec-attributes
isakmp keepalive threshold 10 retry 2
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
!
class-map http-map
match access-list http-list
class-map Voice
match precedence 5
class-map CONN-timeout
match access-list CONN-Time
class-map blockusersurl
match access-list userregex
class-map type inspect http match-any blockURL
match request header host regex badurl3
match request header host regex badurl4
match request header host regex badurl5
match request header host regex badurl7
match request header host regex badurl2
class-map block-users-class
match access-list userregex
class-map inspection_default
match default-inspection-traffic
class-map Data_my
match flow ip destination-address
match tunnel-group x.x.x.x
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map TIMEOUTS
class CONN-timeout
set connection timeout idle 0:05:00 reset
policy-map type inspect http blockURL-policy
parameters
class blockURL
drop-connection log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rtsp
inspect esmtp
inspect sqlnet
inspect sip
inspect http blockURL-policy
inspect ip-options
class http-map
set connection advanced-options mss-map
policy-map Voicepolicy
class Voice
priority
class Data_my
police output 600000 37500
class class-default
police output 600000 37500
!
service-policy global_policy global
service-policy TIMEOUTS interface INS
service-policy Voicepolicy interface OUT
INS is up, line protocol is up
Internet address is 192.x.x.1/28
IGMP is enabled on interface
Current IGMP version is 2
IGMP query interval is 125 seconds
IGMP querier timeout is 255 seconds
IGMP max query response time is 10 seconds
Last member query response interval is 1 seconds
Inbound IGMP access group is: mcast
IGMP limit is 500, currently active joins: 1
Cumulative IGMP activity: 12 joins, 11 leaves
IGMP forwarding on interface DMZ
IGMP querying router is 192.x.x.1 (this system)
OUT is up, line protocol is up
Internet address is 109.x.x.x/32
IGMP is enabled on interface
Current IGMP version is 2
IGMP query interval is 125 seconds
IGMP querier timeout is 255 seconds
IGMP max query response time is 10 seconds
Last member query response interval is 1 seconds
Inbound IGMP access group is:
IGMP limit is 500, currently active joins: 0
Cumulative IGMP activity: 0 joins, 0 leaves
IGMP querying router is 212.x.x.113 (this system)
DMZ is up, line protocol is up
Internet address is 10.160.x.x/22
IGMP is disabled on interface
Why is IGMP disabled on the DMZ?
If I plug a PC into the bridge, TV works.
I added igmp static-group 233.3.2.1 on the DMZ.
sh igmp groups
IGMP Connected Group Membership
Group Address Interface Uptime Expires Last Reporter
The host turned on the TV.
sh igmp groups
IGMP Connected Group Membership
Group Address Interface Uptime Expires Last Reporter
233.3.2.1 INS 00:01:39 00:03:27 192.168.192.6
There is no leave and the group is registered, but the picture freezes and then starts again, at an interval of a minute to a minute and a half.
What's wrong here? Please advise.
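As an added example (not part of the original post and not a Cisco tool), a small Python checker that reads the multicast-related lines of an ASA config together with `show igmp interface` output and lists what a reviewer would verify for a stub-multicast setup like this one: that the interface IGMP reports are forwarded to actually has IGMP enabled, that its ingress ACL permits igmp and udp, and that an mroute exists via it. The sample input is constructed from the post's own config with its masked addresses; the checks encode my reading of the stub-multicast requirements, not anything the post confirms.

```python
import re
# Constructed sample cut down from the post's config and 'show igmp interface' output; addresses masked as there.
CONFIG = """\
interface Vlan1
 nameif INS
 igmp forward interface DMZ
interface Vlan3
 nameif DMZ
access-list DMZ extended permit udp any any
access-list DMZ extended permit igmp any any
mroute 21x.14x.24x.0 255.255.255.0 DMZ dense INS
access-group DMZ in interface DMZ
"""
SHOW_IGMP = """\
INS is up, line protocol is up
  IGMP is enabled on interface
DMZ is up, line protocol is up
  IGMP is disabled on interface
"""

def parse_config(text):
    """forward[nameif] = interface IGMP reports are forwarded to (None if not stub)."""
    forward, acls, mroutes, groups, cur = {}, {}, [], {}, None
    for line in (l.strip() for l in text.splitlines()):
        p = line.split()
        if line.startswith("nameif "):
            cur, forward[p[1]] = p[1], None
        elif cur and line.startswith("igmp forward interface "):
            forward[cur] = p[-1]
        elif line.startswith("access-list "):
            acls.setdefault(p[1], []).append(line)
        elif line.startswith("mroute "):
            mroutes.append(line)
        elif line.startswith("access-group "):  # access-group NAME in interface IF
            groups[p[4]] = p[1]
    return forward, acls, mroutes, groups

def parse_show_igmp(text):
    """nameif -> True where 'show igmp interface' reports IGMP enabled."""
    pairs = re.findall(r"(\S+) is up, line protocol is up.*?IGMP is (en|dis)abled", text, re.S)
    return {name: state == "en" for name, state in pairs}

def review(config, show_igmp):
    """Findings a reviewer would raise about an ASA stub-multicast setup."""
    forward, acls, mroutes, groups = parse_config(config)
    igmp, findings = parse_show_igmp(show_igmp), []
    for name, up in ((n, u) for n, u in forward.items() if u):
        if not igmp.get(up, False):
            findings.append(f"{name} forwards IGMP to {up}, but IGMP is disabled on {up}")
        for proto in ("igmp", "udp"):           # queries and the stream arrive on 'up'
            if not any(f" permit {proto} " in r for r in acls.get(groups.get(up), [])):
                findings.append(f"ingress ACL on {up} does not permit {proto}")
        if not any(f" {up} " in m for m in mroutes):
            findings.append(f"no mroute via {up}: RPF falls back to the unicast table")
    return findings
```

Run `review(CONFIG, SHOW_IGMP)` on the sample to get the single finding about IGMP being disabled on DMZ; feed it the full running-config and the real `show igmp interface` output to check the other two conditions as well.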