09-01-2012 4:57 PM
I have run into a show-stopping problem with U-Verse Internet and static IP addresses. This seems to be related to the feature set of the 2-Wire equipment that comes with the service. If one has a Cisco ASA or PIX firewall, a Cisco router with the advanced security IOS, or any other business class router / firewall appliance, and that firewall/appliance is configured with a static IP on its external interface, and is configured to statically translate internal, non-routable IP addresses to several of the static IP addresses available in the pool provided by AT&T, connectivity to and from those statically translated devices does NOT function.
In this example I will describe a standard configuration for a Cisco ASA firewall with static IPs from the ISP. For example, say you get a static block from AT&T with network address 18.104.22.168/29. We know that a /29 means a subnet mask of 255.255.255.248 or simply 29 bit. Assume that mask whenever you see an address in the 22.214.171.124 net in this example. Please forgive me if I listed someone's actual network. It was unintentional.
Your usable addresses would be 126.96.36.199 - 188.8.131.52. The U-Verse router (2-wire device) is assigned the address 184.108.40.206. 220.127.116.11 is broadcast, and 18.104.22.168 is AT&T's next customer's network. So, you assign address 22.214.171.124/29 to your Cisco ASA firewall's external interface and connect it to the U-Verse router. The ASA is the only device connected to the U-Verse router. Let's say the internal network behind the ASA is 10.1.1.0/24. So, we configure the ASA to statically translate 126.96.36.199 to 10.1.1.100 (web server). Then, we configure the ASA to statically translate 188.8.131.52 to 10.1.1.200 (SMTP mail gateway). Finally, we configure a global address translation for all other hosts on the 10.1.1.0 net to be mapped to 184.108.40.206.
We continue by allowing HTTP and HTTPS inbound on the ASA to host 220.127.116.11, and SMTP inbound on the ASA to host 18.104.22.168. None of it works. Yet, had this been AT&T DSL with a Netopia (Motorola) Cayman router, or any other ISP and their business class routing equipment, it would work just fine.
The above is a standard and valid configuration, and is widely deployed in many environments that utilize static IPs. We need this to be fixed. This one issue prevents lots of businesses from installing AT&T U-Verse business internet with static IP addressing. Please understand that an acceptable solution is NOT to configure the ASA to get its external IP address via DHCP. Nobody does that when assigned static IPs from an ISP.
One would think this could be resolved by issuing a firmware update to the 2-Wire router. When the 2-Wire U-Verse router is installed at a business, and is only responsible for Internet access, business IT personnel should be able to configure the device to allow a single connection to a business class router or firewall from the U-Verse router, that DOES support static address translation handled by the customer's equipment. One should also be able to completely turn off any firewall and advanced functionality of the U-Verse router, and have it only function as a gateway to the AT&T network, and route traffic destined for the static IP network assigned to the customer's network to the customer's router/firewall appliance.
Will this be fixed anytime soon? Please let me know.
Sorry for the long-winded message. However, I am sure others are having this problem, and unless something has changed, there is currently no resolution other than going back to DSL or switching ISPs.
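As an added illustration (not part of the original post, and not AT&T or Cisco material), here is the configuration the post walks through, written in Cisco ASA 8.3+ object NAT syntax. The addresses are constructed stand-ins from the 203.0.113.0/24 documentation range rather than the poster's block, and the interface names are assumptions; the layout (one /29, the 2-Wire gateway, the ASA outside address, two one-to-one static translations, PAT for everything else, inbound HTTP/HTTPS/SMTP only) follows the post.

```cisco
! Added example: ASA 8.3+ configuration matching the layout described above.
! Addresses are constructed stand-ins (RFC 5737 documentation range), not a real block:
!   203.0.113.0/29  static block from the ISP (mask 255.255.255.248)
!   203.0.113.1     U-Verse (2-Wire) gateway
!   203.0.113.2     ASA outside interface
!   203.0.113.3     public address of the web server (inside 10.1.1.100)
!   203.0.113.4     public address of the SMTP gateway (inside 10.1.1.200)
!   203.0.113.7     broadcast
! Interface names are assumptions; adjust to the hardware in use.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! Default route towards the 2-Wire gateway.
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! One-to-one static translations for the two published servers.
object network web-server
 host 10.1.1.100
 nat (inside,outside) static 203.0.113.3
!
object network smtp-gateway
 host 10.1.1.200
 nat (inside,outside) static 203.0.113.4
!
! Everything else on the inside network shares the ASA's outside address (PAT).
object network inside-net
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Inbound policy: only the ports the post opens, and only to the two published hosts.
! Since 8.3 the ACL is written against the real (inside) addresses, which the
! object names carry, so no mapped addresses appear here.
access-list outside_in extended permit tcp any object web-server eq www
access-list outside_in extended permit tcp any object web-server eq https
access-list outside_in extended permit tcp any object smtp-gateway eq smtp
access-group outside_in in interface outside
```

With this in place the ASA answers ARP on the outside segment for .2, .3 and .4 from the single MAC address of GigabitEthernet0/0, which is the multihomed-host situation the first reply attributes to the 2-Wire's ARP handling. On the ASA side, `show nat detail` and `show xlate` confirm the translations are installed, and `show arp` shows whether the gateway is answering for 203.0.113.1; if translations and ACL hit counts look right but inbound connections to .3 and .4 never arrive, the problem is upstream of the ASA, as the thread describes.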
09-01-2012 5:13 PM
Well, I have bad news.
The bad news is that you have run into a well-known issue with the 2Wire router. The 2Wire series of routers violate many RFCs, not the least of which is that it abuses the ARP protocol to maintain its internal list of connected devices. The caveat and RFC-violating side effect is that the 2Wire cannot deal with a multihomed host; i.e. you cannot assign more than one IP address to the same MAC address, otherwise the 2Wire will not properly communicate with it.
As you have found, attempting to assign multiple IP addresses to the outside interface of your ASA results in this exact scenario since the outside interface has only one MAC address.
There is a workaround for this if your ASA can run Hot Standby Router Protocol (HSRP). I don't know if they can or not, I've never worked with the ASAs, only with Cisco's routers, like the 2800 series. But if you can, see the following post for a way to use HSRP to work around the 2Wire's limitation:
09-05-2012 2:20 AM
09-05-2012 5:41 AM
There's "knowing it has adverse impacts" and "knowing it has enough adverse impact to justify the expense of getting the firmware changed and tested."
While the first may be true, the second is apparently not. It may be that the right decision maker doesn't even know.
OTOH, AT&T may be deliberately allowing this bug to remain to discourage use of AT&T Uverse by businesses in place of a "real" Internet Service offering.
09-23-2012 6:01 AM
09-23-2012 6:03 AM
02-10-2014 4:46 PM
I see this ARP problem is still an issue even after the 2-Wire to Pace transition. I was hoping you or someone else had discovered a new firmware revision by now, or perhaps a different U-Verse gateway that could be used. If you have time, please let me know. Thank you.
02-10-2014 8:41 PM