Posted Sep 1, 2012
4:57:20 PM
U-Verse Business Internet with static IPs NOT working properly with Static / Global NAT

I have run into a show-stopping problem with U-Verse Internet and static IP addresses. This seems to be related to the feature set of the 2-Wire equipment that comes with the service. If one has a Cisco ASA or PIX firewall, a Cisco router with the advanced security IOS, or any other business class router / firewall appliance, and that firewall/appliance is configured with a static IP on its external interface, and is configured to statically translate internal, non-routable IP addresses to several of the static IP addresses available in the pool provided by AT&T, connectivity to and from those statically translated devices does NOT function.

In this example I will describe a standard configuration for a Cisco ASA firewall with static IPs from the ISP. For example, say you get a static block from AT&T with network address 52.40.30.0/29. We know that a /29 means a subnet mask of 255.255.255.248 or simply 29 bit. Assume that mask whenever you see an address in the 52.40.30.0 net in this example. Please forgive me if I listed someone's actual network. It was unintentional.

Your usable addresses would be 52.40.30.1 - 52.40.30.5.  The U-Verse router (2-wire device) is assigned the address 52.40.30.6.  52.40.30.7 is broadcast, and 52.40.30.8 is AT&T's next customer's network.  So, you assign address 52.40.30.1/29 to your Cisco ASA firewall's external interface and connect it to the U-Verse router.  The ASA is the only device connected to the U-Verse router.  Let's say the internal network behind the ASA is 10.1.1.0/24.  So, we configure the ASA to statically translate 52.40.30.2 to 10.1.1.100 (web server).  Then, we configure the ASA to statically translate 52.40.30.3 to 10.1.1.200 (SMTP mail gateway).  Finally, we configure a global address translation for all other hosts on the 10.1.1.0 net to be mapped to 52.40.30.4.

We continue by allowing HTTP and HTTPS inbound on the ASA to host 52.40.30.2, and SMTP inbound on the ASA to host 52.40.30.3.  None of it works.  Yet, had this been AT&T DSL with a Netopia (Motorola) Cayman router, or any other ISP and their business class routing equipment, it would work just fine.

The above is a standard and valid configuration, and is widely deployed in many environments that utilize static IPs.  We need this to be fixed.  This one issue prevents lots of businesses from installing AT&T U-Verse business internet with static IP addressing.  Please understand that an acceptable solution is NOT to configure the ASA to get its external IP address via DHCP.  Nobody does that when assigned static IPs from an ISP.

One would think this could be resolved by issuing a firmware update to the 2-Wire router. When the 2-Wire U-Verse router is installed at a business, and is only responsible for Internet access, business IT personnel should be able to configure the device to allow a single connection to a business class router or firewall from the U-Verse router, that DOES support static address translation handled by the customer's equipment. One should also be able to completely turn off any firewall and advanced functionality of the U-Verse router, and have it only function as a gateway to the AT&T network, and route traffic destined for the static IP network assigned to the customer's network to the customer's router/firewall appliance.

Will this be fixed anytime soon?  Please let me know.

Sorry for the long-winded message. However, I am sure others are having this problem, and unless something has changed, there is currently no resolution other than going back to DSL or switching ISPs.

Thank you.

Solved
Sep 1, 2012 5:13:45 PM
Expert

Well, I have bad news. :(

The bad news is that you have run into a well-known issue with the 2Wire router. The 2Wire series of routers violates many RFCs, not the least of which is that it abuses the ARP protocol to maintain its internal list of connected devices. The caveat and RFC-violating side effect is that the 2Wire cannot deal with a multihomed host; i.e. you cannot assign more than one IP address to the same MAC address, otherwise the 2Wire will not properly communicate with it.

As you have found, attempting to assign multiple IP addresses to the outside interface of your ASA results in this exact scenario since the outside interface has only one MAC address.

There is a work-around for this if your ASA can run Hot Standby Router Protocol (HSRP). I don't know if they can or not, I've never worked with the ASAs, only with Cisco's routers, like the 2800 series. But if you can, see the following post for a way to use HSRP to work around the 2Wire's limitation:

http://forums.att.com/t5/Features-and-How-To/How-to-fake-bridged-mode-with-U-Verse/m-p/2859191
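
The condition described in the reply above, worked through with the thread's own /29 example. This is an added illustration, not code from any poster or from AT&T; the MAC address is constructed, and the MAC-keyed table is only an assumed, simplified model of the behaviour the reply attributes to the gateway.

```python
import ipaddress
from collections import defaultdict

# Values from the thread's example; the MAC address is a constructed placeholder.
BLOCK = ipaddress.ip_network("52.40.30.0/29")
GATEWAY = ipaddress.ip_address("52.40.30.6")      # U-verse gateway
ASA_OUTSIDE_MAC = "00:00:5e:00:53:01"             # constructed
ASA_OUTSIDE_IP = "52.40.30.1"
STATIC_NAT = {"52.40.30.2": "10.1.1.100",         # web server
              "52.40.30.3": "10.1.1.200"}         # SMTP gateway
GLOBAL_NAT = "52.40.30.4"                         # all other 10.1.1.0/24 hosts

def arp_claims():
    """(public IP, MAC) pairs the firewall answers ARP for on its outside link."""
    usable = set(BLOCK.hosts()) - {GATEWAY}
    claims = []
    for text in [ASA_OUTSIDE_IP, *STATIC_NAT, GLOBAL_NAT]:
        ip = ipaddress.ip_address(text)
        if ip not in usable:
            raise ValueError(f"{ip} is not a usable address in {BLOCK}")
        claims.append((ip, ASA_OUTSIDE_MAC))
    return claims

def multihomed_macs(claims):
    """MACs that answer for more than one IP: the condition the reply describes."""
    by_mac = defaultdict(set)
    for ip, mac in claims:
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def ip_keyed_cache(claims):
    """Ordinary ARP cache: one entry per IP, so a shared MAC is no problem."""
    return {ip: mac for ip, mac in claims}

def mac_keyed_table(claims):
    """Assumed model of the gateway: one IP remembered per MAC, first seen wins."""
    table = {}
    for ip, mac in claims:
        table.setdefault(mac, ip)
    return table

def stranded_ips(claims):
    """Public IPs for which the MAC-keyed model holds no entry."""
    kept = set(mac_keyed_table(claims).values())
    return sorted(ip for ip, _ in claims if ip not in kept)

if __name__ == "__main__":
    print("multihomed:", multihomed_macs(arp_claims()))
    print("stranded:", [str(i) for i in stranded_ips(arp_claims())])
```

The same `multihomed_macs` grouping can be applied to (IP, MAC) pairs exported from a real ARP table to see which hosts on the static block would trigger the limitation.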

 

 

Sep 5, 2012 2:20:34 AM
Tutor
Thank you SomeJoe7777. I will read the post from your link. It is very disappointing that AT&T knows how adversely this affects their business U-Verse Internet product, and yet won't do anything to change it.
Sep 5, 2012 5:41:11 AM
ACE - Expert

There's "knowing it has adverse impacts" and "knowing it has enough adverse impact to justify the expense of getting the firmware changed and tested."

 

While the first may be true, the second is apparently not.  It may be that the right decision maker doesn't even know.

 

OTOH, AT&T may be deliberately allowing this bug to remain to discourage use of AT&T Uverse by businesses in place of a "real" Internet Service offering.

 


*The views and opinions expressed on this forum are purely my own. Any product claim, statistic, quote, or other representation about a product or service should be verified with the manufacturer, provider, or party.

Feb 10, 2014 4:46:50 PM
Tutor

Hi SomeJoe7777:

 

I see this ARP problem is still an issue even after the 2-Wire to Pace transition.  I was hoping you or someone else had discovered a new firmware revision by now, or perhaps a different U-Verse gateway that could be used.  If you have time, please let me know.  Thank you.

 

Feb 10, 2014 8:41:51 PM
Expert
Unfortunately, this issue has not changed. All Pace modems, even with current firmware revisions, still have this limitation.