Configuration note
        Tunneling IP Multicast through a PIX Firewall
                          11/1999
                PIX software version up to 4.4

To get multicast packets through a PIX, you have to tunnel them.
If this behavior changes in later PIX code, this document will be
updated. From the documentation:

"Note PIX Firewall does not pass multicast packets. Many routing
 protocols use multicast packets to transmit their data. If you
 need to send routing protocols across the PIX Firewall, configure
 the routers with the neighbor command. Cisco considers it inherently
 dangerous to send routing protocols across the PIX Firewall. If the
 routes on the unprotected interface are corrupted, the routes
 transmitted to the protected side of the firewall will pollute routers
 there as well."
 

The test topology:
 

 
                +----+         +---+         +----+
multicast-----e0|4500|e3-----e0|PIX|e1-----e4|4700|e0-----receiver
source          +----+         +---+         +----+
              tun0|                             |tun0
                  +-----------TUNNEL------------+
 

The PIX, like IOS NAT, provides firewall functionality. There is an
outside PIX interface and an inside PIX interface. The PIX defaults
are outside = ethernet0 and inside = ethernet1. The inside network
is hidden from the outside network, so it's important to understand
which IP address to use when configuring the tunnel. The router on
the outside (4500) must use, as its tunnel destination, the outside
global address that the PIX assigns to the 4700's e4 interface.
131.108.2.7 is the first available address in the pool of addresses
to be assigned, so the 4700's e4 interface is assigned this address.

4500 config:

ip multicast-routing
!
interface Tunnel0
 ip unnumbered Ethernet3
 ip pim sparse-dense-mode
 tunnel source Ethernet3
 ! Outside (global) address given to 4700's e4;
 ! use 'show xlate' on the PIX to find this.
 tunnel destination 131.108.2.7
!
interface Ethernet0
 ip address 131.108.3.1 255.255.255.0
 ip pim sparse-dense-mode
!
interface Ethernet3
 ip address 131.108.2.5 255.255.255.0
 

PIX Version 4.4(1) config:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 131.108.2.6 255.255.255.0
ip address inside 10.10.10.2 255.255.255.0
global (outside) 1 131.108.2.7-131.108.2.50 netmask 255.255.255.0
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
conduit permit gre host 131.108.2.7 host 131.108.2.5
 

4700 config:

ip multicast-routing
ip mroute 131.108.0.0 255.255.0.0 Tunnel0
!
interface Tunnel0
 ip unnumbered Ethernet4
 ip pim sparse-dense-mode
 tunnel source Ethernet4
 tunnel destination 131.108.2.5
!
interface Ethernet0
 ip address 10.10.11.1 255.255.255.0
 ip pim sparse-dense-mode
!
interface Ethernet4
 ip address 10.10.10.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.10.10.2
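
A consistency check for the addressing rule described above, as an added
example that is not part of the original note: it confirms that the outside
router targets an address in the PIX global pool rather than the hidden inside
address, and that a GRE conduit covers the pair. The function names are
hypothetical and the sample input is constructed from the configs above.

```python
import ipaddress
import re

# Constructed sample input: the relevant lines from the three configs above.
R4500 = """\
interface Tunnel0
 tunnel source Ethernet3
 tunnel destination 131.108.2.7
interface Ethernet3
 ip address 131.108.2.5 255.255.255.0
"""
PIX = """\
global (outside) 1 131.108.2.7-131.108.2.50 netmask 255.255.255.0
conduit permit gre host 131.108.2.7 host 131.108.2.5
"""
R4700 = """\
interface Tunnel0
 tunnel source Ethernet4
 tunnel destination 131.108.2.5
interface Ethernet4
 ip address 10.10.10.1 255.255.255.0
"""

def tunnel_endpoints(cfg):
    """Return (address of the tunnel source interface, tunnel destination)."""
    src_if = re.search(r"^ tunnel source (\S+)", cfg, re.M).group(1)
    dst = re.search(r"^ tunnel destination (\S+)", cfg, re.M).group(1)
    pat = rf"^interface {re.escape(src_if)}\n(?: .*\n)*? ip address (\S+)"
    return (ipaddress.ip_address(re.search(pat, cfg, re.M).group(1)),
            ipaddress.ip_address(dst))

def check_tunnel(outside_cfg, pix_cfg, inside_cfg):
    """Return a list of problems; an empty list means the configs agree."""
    problems = []
    out_src, out_dst = tunnel_endpoints(outside_cfg)
    in_src, in_dst = tunnel_endpoints(inside_cfg)
    pool = re.search(r"^global \(outside\) \d+ (\S+)-(\S+)", pix_cfg, re.M)
    lo, hi = (ipaddress.ip_address(a) for a in pool.groups())
    gre = re.findall(r"^conduit permit gre host (\S+) host (\S+)", pix_cfg, re.M)
    if out_dst == in_src:
        problems.append("outside router targets the hidden inside address")
    if not lo <= out_dst <= hi:
        problems.append("outside tunnel destination is not in the global pool")
    if in_dst != out_src:
        problems.append("inside tunnel destination is not the outside router")
    if (str(out_dst), str(out_src)) not in gre:
        problems.append("no GRE conduit for global address and outside router")
    return problems
```

The check only proves the three configs agree with each other; the address
actually translated for the 4700's e4 still has to be read from 'show xlate'.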