Channel: АнтиCISCO

ASA 5505 9.2(4)2 and IPTV

Good afternoon! Please help me sort out my settings.

What I have:
1. An internet provider that, in addition to internet access, delivers IPTV.
2. Cisco ASA 5505 Version 9.2(4)2
- Vlan 1 (inside), ports eth 0/1 and eth 0/2
- Vlan 100 (outside), port eth 0/0

The streams go from 10.126.248.0/24 to 224.1.1.0/24.

Config:

xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
multicast-routing
names
dns-guard
!
interface Ethernet0/0
 switchport access vlan 100
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
 igmp forward interface outside
 igmp query-timeout 120
 igmp query-interval 60
 igmp access-group inside_multicast
!
interface Vlan100
 nameif outside
 security-level 0
 pppoe client vpdn group *
 ip address pppoe setroute
 igmp join-group 224.1.1.1
 igmp query-timeout 120
 igmp query-interval 60
 igmp access-group outside_multicast
!
boot system disk0:/asa924-2-k8.bin
ftp mode passive
clock timezone MSK/MSD 3
dns domain-lookup outside
dns server-group DefaultDNS
 name-server X.X.X.100
 name-server X.X.X.200
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_192.168.10.0
 subnet 192.168.10.0 255.255.255.0
object network obj_224.1.1.0
 subnet 224.1.1.0 255.255.255.0
object network obj_10.126.248.0
 subnet 10.126.248.0 255.255.255.0
access-list inside_multicast standard permit 224.1.1.0 255.255.255.0
access-list outside_multicast standard permit 224.1.1.0 255.255.255.0
access-list acl_in extended permit udp any object obj_10.126.248.0 log debugging
access-list acl_in extended permit udp any object obj_224.1.1.0 log debugging
access-list acl_out extended permit icmp object obj_192.168.10.0 any
access-list acl_out extended permit ip object obj_192.168.10.0 any
pager lines 24
logging enable
logging timestamp
logging emblem
logging buffered debugging
logging trap debugging
logging asdm debugging
mtu inside 1500
mtu outside 1492
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-752.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_192.168.10.0
 nat (inside,outside) dynamic interface
access-group acl_out in interface inside
access-group acl_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 subject-name CN=192.168.10.1,CN=ciscoasa
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=192.168.10.1
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
 certificate xxxxxxxx
  quit
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group xxxxx request dialout pppoe
vpdn group xxxxx localname *
vpdn group xxxxx ppp authentication mschap
vpdn username * password * store-local
dhcpd dns X.X.X.100 X.X.X.200
!
dhcpd address 192.168.10.4-192.168.10.33 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics host
threat-detection statistics port number-of-rate 2
threat-detection statistics protocol number-of-rate 2
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 194.190.168.1 source outside
ssl trust-point ASDM_TrustPoint0 inside
webvpn
 anyconnect-essentials
username * password * encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect ip-options router
 parameters
  router-alert action allow
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect ip-options router
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

When connected through the ASA, the VLC player shows nothing; when connected directly, IPTV works. The provider's support said that PIM is disabled on their side and does not need to be routed. I set no pim on the interfaces, and this is what appears in the logs:

7 192.168.10.3 224.1.1.1 IGMP request discarded from 192.168.10.3 to inside:224.1.1.1
6 192.168.10.3 224.1.1.1 Deny IP from 192.168.10.14 to 224.1.1.1, IP options: 'Router Alert'

If I turn pim back on:

7 224.1.1.4 Built local-host outside:224.1.1.4

but there is no picture.

debug igmp:

IGMP: Processing group timers for 224.1.1.4 on inside
IGMP: Send v2 Query on inside for group 224.1.1.4
IGMP: Received v2 Query on inside from 192.168.10.1
IGMP: Processing group timers for 224.1.1.4 on inside
IGMP: EXCLUDE mode expired for 224.1.1.4 on inside
IGMP: MRIB updated (*,224.1.1.4) : Success
IGMP: group_db: delete group 224.1.1.4 on inside
IGMP: Send v2 general Query on inside
IGMP: Received v2 Query on inside from 192.168.10.1
IGMP: Received v2 Report on inside from 192.168.10.3 for 239.255.255.250
IGMP: Group 239.255.255.250 access denied on inside
IGMP: Received v2 Report on inside from 192.168.10.3 for 224.0.0.252
IGMP: Report has illegal group address 224.0.0.252
IGMP: Received v2 Report on inside from 192.168.10.3 for 224.1.1.1
IGMP: Updating EXCLUDE group timer for 224.1.1.1
IGMP: Forward v2 Report for group 224.1.1.1 from 192.168.10.3 out interface outside

sh mroute

Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group,
       C - Connected, L - Local, I - Received Source Specific Host Report,
       P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set, J - Join SPT
Timers: Uptime/Expires
Interface state: Interface, State

(*, 224.1.1.5), 00:02:54/never, RP 0.0.0.0, flags: DPC
  Incoming interface: Null
  RPF nbr: 0.0.0.0
  Immediate Outgoing interface list:
    inside, Null, 00:02:54/never

What could be the problem, and what is this 'Router Alert'???
