U-Verse Business Internet with static IPs NOT working properly with Static / Global NAT
Tutor, 4 Messages
I have run into a show-stopping problem with U-Verse Internet and static IP addresses. This seems to be related to the feature set of the 2-Wire equipment that comes with the service. If one has a Cisco ASA or PIX firewall, a Cisco router with the advanced security IOS, or any other business-class router / firewall appliance, and that firewall/appliance is configured with a static IP on its external interface, and is configured to statically translate internal, non-routable IP addresses to several of the static IP addresses available in the pool provided by AT&T, connectivity to and from those statically translated devices does NOT function.
In this example I will describe a standard configuration for a Cisco ASA firewall with static IPs from the ISP. For example, say you get a static block from AT&T with network address 52.40.30.0/29. We know that a /29 means a subnet mask of 255.255.255.248, or simply 29-bit. Assume that mask whenever you see an address in the 52.40.30.0 net in this example. Please forgive me if I listed someone's actual network. It was unintentional.
Your usable addresses would be 52.40.30.1 - 52.40.30.5. The U-Verse router (2-Wire device) is assigned the address 52.40.30.6. 52.40.30.7 is broadcast, and 52.40.30.8 is AT&T's next customer's network. So, you assign address 52.40.30.1/29 to your Cisco ASA firewall's external interface and connect it to the U-Verse router. The ASA is the only device connected to the U-Verse router. Let's say the internal network behind the ASA is 10.1.1.0/24. So, we configure the ASA to statically translate 52.40.30.2 to 10.1.1.100 (web server). Then, we configure the ASA to statically translate 52.40.30.3 to 10.1.1.200 (SMTP mail gateway). Finally, we configure a global address translation for all other hosts on the 10.1.1.0 net to be mapped to 52.40.30.4.
We continue by allowing HTTP and HTTPS inbound on the ASA to host 52.40.30.2, and SMTP inbound on the ASA to host 52.40.30.3. None of it works. Yet, had this been AT&T DSL with a Netopia (Motorola) Cayman router, or any other ISP and their business-class routing equipment, it would work just fine.
The above is a standard and valid configuration, and is widely deployed in many environments that utilize static IPs. We need this to be fixed. This one issue prevents lots of businesses from installing AT&T U-Verse business internet with static IP addressing. Please understand that an acceptable solution is NOT to configure the ASA to get its external IP address via DHCP. Nobody does that when assigned static IPs from an ISP.
One would think this could be resolved by issuing a firmware update to the 2-Wire router. When the 2-Wire U-Verse router is installed at a business, and is only responsible for Internet access, business IT personnel should be able to configure the device to allow a single connection to a business-class router or firewall from the U-Verse router that DOES support static address translation handled by the customer's equipment. One should also be able to completely turn off any firewall and advanced functionality of the U-Verse router, and have it only function as a gateway to the AT&T network, and route traffic destined for the static IP network assigned to the customer's network to the customer's router/firewall appliance.
Will this be fixed anytime soon? Please let me know.
Sorry for the long-winded message. However, I am sure others are having this problem, and unless something has changed, there is currently no resolution other than going back to DSL or switching ISPs.
Thank you.
Accepted Solution
SomeJoe7777 (Expert, 9.4K Messages), 12 years ago
Well, I have bad news.
The bad news is that you have run into a well-known issue with the 2Wire router. The 2Wire series of routers violates many RFCs, not the least of which is that it abuses the ARP protocol to maintain its internal list of connected devices. The caveat and RFC-violating side effect is that the 2Wire cannot deal with a multihomed host; i.e. you cannot assign more than one IP address to the same MAC address, otherwise the 2Wire will not properly communicate with it.
As you have found, attempting to assign multiple IP addresses to the outside interface of your ASA results in this exact scenario since the outside interface has only one MAC address.
There is a workaround for this if your ASA can run Hot Standby Router Protocol (HSRP). I don't know if they can or not; I've never worked with the ASAs, only with Cisco's routers, like the 2800 series. But if you can, see the following post for a way to use HSRP to work around the 2Wire's limitation:
http://forums.att.com/t5/Features-and-How-To/How-to-fake-bridged-mode-with-U-Verse/m-p/2859191
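To make the two posts above concrete, here is an added example (not code from the original thread, the 2Wire firmware, or Cisco): it takes the NAT policy from the opening post (ASA outside 52.40.30.1, statics 52.40.30.2 and 52.40.30.3, dynamic translation to 52.40.30.4, all behind one outside MAC because the ASA proxy-ARPs for its mapped addresses) and feeds the resulting ARP claims into two simplified gateway models: an RFC 826 style cache keyed by IP, and a device table keyed by MAC as the accepted answer describes. It also shows the shape of the HSRP workaround, which works because HSRPv1 gives each group its own virtual MAC (0000.0c07.acXX). The MAC address, the gateway models and the HSRP group numbers are constructed for illustration.

```python
"""Model of the one-IP-per-MAC limitation this thread attributes to the 2Wire gateway.

Addresses and NAT mappings are the ones in the original post. The gateway
tables are simplified models of the two behaviours discussed (an RFC 826 style
ARP cache versus a device table keyed by MAC); they are not 2Wire code.
"""

ASA_OUTSIDE_MAC = "00:1b:d4:aa:bb:cc"   # constructed example MAC, not a real device
ASA_OUTSIDE_IP = "52.40.30.1"
GATEWAY_IP = "52.40.30.6"               # the 2Wire/U-Verse router, from the post

# NAT policy from the post: mapped (outside) address -> real (inside) host
STATIC_NAT = {
    "52.40.30.2": "10.1.1.100",   # web server, HTTP/HTTPS allowed inbound
    "52.40.30.3": "10.1.1.200",   # SMTP gateway, SMTP allowed inbound
}
PAT_ADDRESS = "52.40.30.4"        # dynamic translation for the rest of 10.1.1.0/24


def asa_arp_claims(mac=ASA_OUTSIDE_MAC):
    """Outside addresses the ASA answers ARP for, all with the same MAC:
    its own interface address plus every mapped address (proxy ARP for NAT)."""
    return [(ip, mac) for ip in (ASA_OUTSIDE_IP, *STATIC_NAT, PAT_ADDRESS)]


class ArpCache:
    """RFC 826 behaviour: keyed by IP address; any number of IPs may share a MAC."""

    def __init__(self):
        self.by_ip = {}

    def learn(self, ip, mac):
        self.by_ip[ip] = mac

    def resolve(self, ip):
        return self.by_ip.get(ip)


class MacKeyedDeviceTable:
    """Model of the behaviour reported in the thread: one entry per MAC, so an
    ARP reply for a second address from the same MAC replaces the first one.
    In practice whichever address the gateway heard last is the one that wins."""

    def __init__(self):
        self.by_mac = {}

    def learn(self, ip, mac):
        self.by_mac[mac] = ip

    def resolve(self, ip):
        for mac, known_ip in self.by_mac.items():
            if known_ip == ip:
                return mac
        return None


def reachability(gateway, claims):
    """Feed every (ip, mac) the firewall will assert into the gateway's table,
    then report which addresses the gateway can still deliver frames to."""
    for ip, mac in claims:
        gateway.learn(ip, mac)
    return {ip: gateway.resolve(ip) is not None for ip, _ in claims}


def hsrp_claims(groups):
    """Shape of the HSRP workaround: one HSRP group per public address. HSRPv1
    uses virtual MAC 0000.0c07.acXX (XX = group number), so each address is
    presented with a distinct MAC and a MAC-keyed table keeps one entry each."""
    return [(ip, f"00:00:0c:07:ac:{group:02x}") for group, ip in groups.items()]


if __name__ == "__main__":
    print("RFC 826 cache :", reachability(ArpCache(), asa_arp_claims()))
    print("MAC-keyed     :", reachability(MacKeyedDeviceTable(), asa_arp_claims()))
    groups = {1: "52.40.30.1", 2: "52.40.30.2", 3: "52.40.30.3", 4: "52.40.30.4"}
    print("HSRP per-IP   :", reachability(MacKeyedDeviceTable(), hsrp_claims(groups)))
```

With the RFC 826 cache every mapped address resolves; with the MAC-keyed table only the last address learned for the ASA's MAC does, which matches the "none of it works" symptom once the 2Wire has heard the ASA answer for several addresses. On the ASA side the claims list corresponds to what `show arp` would report for the outside interface after the mapped addresses have been used; on ASA 8.3+ the statics in the post are expressed as object NAT (for example `object network web-server`, `host 10.1.1.100`, `nat (inside,outside) static 52.40.30.2`, with the inbound ACL written against the real address).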
JefferMC (ACE - Expert, 35K Messages), 12 years ago
There's "knowing it has adverse impacts" and "knowing it has enough adverse impact to justify the expense of getting the firmware changed and tested."
While the first may be true, the second is apparently not. It may be that the right decision maker doesn't even know.
OTOH, AT&T may be deliberately allowing this bug to remain to discourage use of AT&T Uverse by businesses in place of a "real" Internet Service offering.
ngcbms (Tutor, 5 Messages), 12 years ago
http://forums.att.com/t5/Setup-and-Self-Install/Transitioning-from-ATT-Business-DSL-with-static-IPs-to/td-p/3308821
medmeone (Tutor, 4 Messages), 10 years ago
Hi SomeJoe7777:
I see this ARP problem is still an issue even after the 2-Wire to Pace transition. I was hoping you or someone else had discovered a new firmware revision by now, or perhaps a different U-Verse gateway that could be used. If you have time, please let me know. Thank you.