2008-02-28
cciesec2006
Checkpoint and multicast traffic

I have a requirement to make multicast work across Checkpoint
firewalls NGx R65 with HFA_02 SPLAT ASAP.

Scenario:

I have a Windows Media Server on VLAN_A. VLAN_A is in the
IP address range 192.168.1.64/28. The Windows media server's
IP address is 192.168.70/28. The Windows media server's
default gateway is 192.168.1.65.

I have a Cisco router 3845 running IOS 12.4. This
Cisco router is in both VLAN_A and VLAN_B. In VLAN_A,
the router has an IP address of 192.168.65/28. In VLAN_B,
it has an IP address of 192.168.1.4/28. The router
has a default gateway of 192.168.1.1.

I enabled multicast PIM dense mode on the router. Hosts
on VLAN_B can get multicast audio/video streaming from
the Windows media server without any issues.

I have a pair of checkpoint NGx R65 with hfa_02 SPLAT
firewalls running in Active/Active mode. Internal
network is VLAN_B. External network is in VLAN_C.
Sync connectivity is in VLAN_D, as follows:

fwA = 192.168.1.2/28, 192.168.0.2/24, sync (10.1.1.1/28)
fwB = 192.168.1.3/28, 192.168.0.3/24, sync (10.1.1.2/28)
VIP = 192.168.1.1/28, 192.168.0.1/24

I have SPLAT PRO on the enforcement modules, so PIM is there.
I have a rule on the firewall to allow EVERYTHING. In other
words, it is "Any Any Any Accept log".

Hosts on VLAN_C can get to hosts on VLAN_A without any issues.
The issue is that I can NOT get multicast traffic to go across
the firewall. When I am on the router, I see this:

Cisco>sh ip pim nei
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
S - State Refresh Capable
Neighbor Interface Uptime/Expires Ver DR
Address Prio/Mode
192.168.1.1 FastEthernet1/0 07:57:10/00:01:35 v2 1 / DR
Cisco>

On the SPLAT firewall, I see this:
localhost.localdomain#sh ip pim nei
PIM Neighbor Table
Neighbor Address Interface Uptime Expires Mode
192.168.1.4 eth1 2d18h 00:01:29 dense
localhost.localdomain#

What it means is that both the firewall and the router can see each other as
PIM neighbors, but multicast traffic does not work.

Anyone know why?
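One way to check the two neighbor tables and the VLAN_B addressing from the post in a repeatable way, added here as an example and not code from the original post, from Check Point or from Cisco: it parses both `sh ip pim nei` outputs (constructed copies of the ones quoted above), confirms that the router and the cluster list each other as PIM neighbors, and confirms that every VLAN_B address sits in the same /28. The address lists and sample tables are constructed from the post's figures; the function names are my own.

```python
import ipaddress
import re

# Constructed sample output, modelled on the two neighbor tables quoted in the post.
CISCO_PIM_NEI = """\
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
S - State Refresh Capable
Neighbor Interface Uptime/Expires Ver DR
Address Prio/Mode
192.168.1.1 FastEthernet1/0 07:57:10/00:01:35 v2 1 / DR
"""

SPLAT_PIM_NEI = """\
PIM Neighbor Table
Neighbor Address Interface Uptime Expires Mode
192.168.1.4 eth1 2d18h 00:01:29 dense
"""

# VLAN_B addresses as described in the post: router, then cluster VIP, fwA, fwB.
ROUTER_VLAN_B = ["192.168.1.4/28"]
CLUSTER_VLAN_B = ["192.168.1.1/28", "192.168.1.2/28", "192.168.1.3/28"]

# A neighbor row starts with an IPv4 address followed by the interface name.
NEIGHBOR_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)")


def parse_neighbors(text):
    """Map neighbor address -> interface for every row that starts with an IPv4 address.

    IOS and SPLAT lay their columns out differently, but both put the neighbor
    address first and the interface second, and no header line starts with an
    address, so one pattern serves both tables.
    """
    neighbors = {}
    for line in text.splitlines():
        match = NEIGHBOR_LINE.match(line.strip())
        if match:
            neighbors[ipaddress.ip_address(match.group(1))] = match.group(2)
    return neighbors


def same_segment(cidrs):
    """True when every interface address lies in one and the same subnet."""
    networks = {ipaddress.ip_interface(c).network for c in cidrs}
    return len(networks) == 1


def mutual_adjacency(local_cidrs, local_table, peer_cidrs, peer_table):
    """True when each side lists at least one of the other side's addresses.

    The cluster may show up under its VIP rather than a member address, which
    is why membership is tested against the whole address set of each side.
    """
    local = {ipaddress.ip_interface(c).ip for c in local_cidrs}
    peer = {ipaddress.ip_interface(c).ip for c in peer_cidrs}
    sees_peer = any(p in local_table for p in peer)
    seen_by_peer = any(l in peer_table for l in local)
    return sees_peer and seen_by_peer


def is_multicast_group(addr):
    """Sanity check for a stream destination: it must fall inside 224.0.0.0/4."""
    return ipaddress.ip_address(addr).is_multicast


if __name__ == "__main__":
    router_nei = parse_neighbors(CISCO_PIM_NEI)
    fw_nei = parse_neighbors(SPLAT_PIM_NEI)
    print("router neighbors:", router_nei)
    print("firewall neighbors:", fw_nei)
    print("VLAN_B addressing consistent:", same_segment(ROUTER_VLAN_B + CLUSTER_VLAN_B))
    print("PIM adjacency is mutual:",
          mutual_adjacency(ROUTER_VLAN_B, router_nei, CLUSTER_VLAN_B, fw_nei))
```

A pass on both checks only confirms what the post already observes, that adjacency is up on both sides and the VLAN_B addressing is consistent; it says nothing about forwarding state, which the neighbor tables do not show.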