Thanks a lot for all your answers, but I think the problem is really in IGMP. I turned off anti-spoofing on all interfaces, and the firewall drops IGMP by rule 0. The PIM traffic (protocol 103) passes FW-1 by the multicast rule (the rule that you mentioned in the last mail), and both packets have the same destination addresses (in the range of 224.0.0.x). I tried to define a group object with the multicast network and the real network, and it did not work. I need more ideas, please. TIA
"David C. Diemer" wrote:

To help you get past the problem immediately, try turning off anti-spoofing on all the interfaces on your firewall. That way, the data will then proceed through the ruleset. You'll then see if you have defined rules to allow the multicast to proceed.

1. Make sure you have a rule that allows multicast. Note that the DESTINATION will be the multicast network and the service will be the actual protocol you are using. I would think that due to the frequency of the updates and routing, you'd probably want this near the top of your rulebase.
2. Create a network object for the multicast network.
3. When you enable anti-spoofing for the network card that actually performs the multi-cast or is part of the multicast network, then you can add the network under the option Specific. You may need to define a group object which includes the multicast network as well as the "real" network the NIC supports.
4. Save, push, test, and good luck.

David C. Diemer, CCSE