03-19-2011 07:50 AM - edited 03-11-2019 01:09 PM
I’ve been using a Cisco ASA 5505 Security Plus bundle for two years now without any problems. My previous Internet Service Provider was routing the external IP I was leasing directly through to my internal network without NAT, which my ASA 5505 was working well with. Thus, I had configured my 5505 to provide NAT to my inside network, which includes two subnets: one for my workstations and internal "private" resources, and a DMZ to provide access to my webserver, email server and two domain name servers but restrict access to my internal resources.
I recently changed my ISP to Verizon FiOS (which is providing me with 25 Mb bandwidth at a fraction of the cost of my old T1), which is set up to provide 5 static externally facing IP numbers for my email, webserver and name servers. The problem is the Verizon router doesn’t support my use of the ASA Appliance (at least not the way it is currently configured). Verizon recommended I purchase a business class router and use it in place of the one they provided with my installation. With this in mind, I bought a Cisco RVS4000. I have configured it to use the primary external IP number and have internet access; however, the new router is providing NAT addressing which the ASA is in conflict with (they are both using the same NAT IP range). I'm assuming the ASA 5505 is expecting to have access to the external IP addresses (since that is what it was getting before) and NOT NAT addresses. I have to admit I don’t know a lot about networking and am hoping someone can tell me how to configure the new router to provide access to the five static external “real world” IP to my Cisco ASA Firewall. However, the Cisco Router forum suggested I should reach out to the ASA 5505 forum to seek assistance here. I'm open to other options and suggestions.
I just need to get my ASA 5505 back in the loop and would prefer to do this rather than go back to the Verizon router combined with a low end firewall. So, my questions are: Does the ASA 5505 expect real world External IP numbers? Or can it work with NAT addresses being fed to it from the router? And, if so, how do I configure the access rules and other items which are currently mapping to external numbers?
Sorry if I'm a bit lost here; but I'm a small business owner and struggling with some of the router networking issues and concepts. Any suggestions or tips will be greatly appreciated.
03-23-2011 04:27 AM
Hmmm, if your verizon router actually has the following as the IP:
Broadband IP
Address: 96.241.175.98
Subnet Mask: 255.255.255.0
Why does your ASA outside interface also have the same IP?
ASA: Outside 96.241.175.98
Also, does the Verizon router have 2 interfaces? Which interface connects to your ASA outside interface, and what is the IP of that interface?
03-23-2011 12:06 PM
I just got a knowledgeable tech rep with Verizon FiOS who verified that I have five ADDITIONAL static IP and that these IP are:
96.241.175.98
96.241.175.99
96.241.175.100
96.241.175.101
96.241.175.102
96.241.175.103 (The original IP plus FIVE additional IP I'm paying extra for).
He verified that this is a class C network with the netmask of 255.255.255.0 and told me that since I removed the Actiontec router that came with the service I'm getting the static IP directly from the Alcatel Optical Network Terminal (ONT) and thus no router is involved or needed. He indicated that I could plug a laptop into the Ethernet cable coming out of the ONT and configure for any of the external IP I own and it would work. I will verify this if it helps!
He also asked which Cisco device I was using and when I told him he said he believes he knows what the issue is. He said there is a known issue between the Alcatel ONT and Cisco equipment because the Optical Network Terminal utilizes Gratuitous ARP which has caused problems with Cisco Firewalls not being able to see anything but the first IP of a set. He also indicated there was a patch from Cisco to address this problem. Could you do a little checking within Cisco to see if this is possibly the case here? If there is a patch (or other work around) how can I get it installed on my ASA 5505?
Thanks!
03-23-2011 06:04 PM
Proxy arp is enabled by default on Cisco ASA firewall.
You can check that by issuing "sh run all sysopt", and you should see a line that says:
no sysopt noproxyarp outside
If you see that line, it means proxy arp is enabled on the outside interface.
Next thing to check is the MAC address on the ASA outside interface: sh int e0/0 | i MAC
I believe you have connected eth0/0 to the Verizon router, right? If yes, then note down the MAC address.
Then, get access to the Verizon router, or call Verizon if you don't have access, and get them to check the ARP entry for the following IP:
96.241.175.98
96.241.175.99
96.241.175.100
96.241.175.101
96.241.175.102
96.241.175.103
and make sure that the ARP entries for all the above IP have the MAC address of the ASA outside interface. If not, then that is the reason why it's not working. Note down the MAC address if it's not the ASA outside interface MAC address, and ask Verizon whose MAC addresses they are, because they are not yours. Possibly they belong to some other customers that are assigned in the same subnet.
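The ARP check described in the reply above, as an added example that is not part of the original thread: it normalises the Cisco dotted MAC notation (0025.84d3.5ff8) and the colon notation the router prints (00:1f:90:27:45:2f) so they compare correctly, then reports, for each public IP the customer owns, whether the upstream ARP entry points at the ASA, is missing, is claimed by the router itself, or belongs to some other host. The sample ARP table and MAC values are copied from the posts in this thread; the function and variable names are my own.

```python
import re

# Constructed sample input, copied from the values posted in this thread:
# ASA outside-interface MAC (Cisco dotted form), the Verizon router's own WAN MAC
# (colon form), the six public IPs the customer pays for, and the router's ARP table.
ASA_OUTSIDE_MAC = "0025.84d3.5ff8"
ROUTER_WAN_MAC = "00:1f:90:27:45:2f"
OWNED_PUBLIC_IPS = [f"96.241.175.{host}" for host in range(98, 104)]
ROUTER_ARP_TABLE = """\
IP Address MAC Address
192.168.1.4 00:24:8c:9d:2b:88
192.168.1.3 00:14:bf:3e:75:4e
96.241.175.1 00:90:1a:42:cc:61
96.241.175.98 00:1f:90:27:45:2f
"""

def normalize_mac(mac):
    # Strip dots, dashes or colons and re-emit as lowercase aa:bb:cc:dd:ee:ff,
    # so a Cisco "0025.84d3.5ff8" and a router "00:25:84:D3:5F:F8" compare equal.
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_arp_table(text):
    # Accept "ip mac" rows as pasted from the router; header and blank lines are skipped.
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", parts[0]):
            continue
        table[parts[0]] = normalize_mac(parts[1])
    return table

def audit_arp(arp, owned_ips, asa_mac, router_mac):
    # For every IP we own, the upstream ARP entry should resolve to the ASA's MAC.
    # Anything else means inbound traffic for that IP never reaches the firewall.
    asa, router = normalize_mac(asa_mac), normalize_mac(router_mac)
    report = {}
    for ip in owned_ips:
        mac = arp.get(ip)
        if mac is None:
            report[ip] = "missing"            # nobody upstream has answered ARP for it
        elif mac == asa:
            report[ip] = "ok"
        elif mac == router:
            report[ip] = "claimed-by-router"  # the router kept the IP for itself
        else:
            report[ip] = f"foreign:{mac}"     # another host on the segment owns it
    return report

if __name__ == "__main__":
    result = audit_arp(parse_arp_table(ROUTER_ARP_TABLE), OWNED_PUBLIC_IPS,
                       ASA_OUTSIDE_MAC, ROUTER_WAN_MAC)
    for ip, status in result.items():
        print(f"{ip:16} {status}")
```

Run against the table posted later in this thread it reports .98 as claimed by the router and .99 through .103 as missing, which is exactly the symptom the thread is chasing.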
03-24-2011 03:38 PM
Below is the requested information:
Verizon External Interface MAC Address: 00:1f:90:27:45:2f
Below is the ARP Table from the Verizon router:
ARP Table
IP Address MAC Address
192.168.1.4 00:24:8c:9d:2b:88
192.168.1.3 00:14:bf:3e:75:4e
96.241.175.1 00:90:1a:42:cc:61
96.241.175.98 00:1f:90:27:45:2f
Below are the results from running the two commands on my 5505:
Result of the command: "sh int e0/0 | i MAC"
MAC address 0025.84d3.5ff8, MTU not set (As you can see the MAC Address of the Verizon Router is NOT the same as the ASA 5505)
Result of the command: "sh run all sysopt"
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt noproxyarp inside
no sysopt noproxyarp outside
no sysopt noproxyarp dmz
I hope this helps! - Wolf
03-24-2011 03:47 PM
I just got a call back from Verizon. This tech said he thinks he may have identified another "known issue" (they seem to have a lot of those) which has caused similar problems with devices. He requested I let you know that if the ASA 5505 can be set to receive ARP from the IP address of 0.0.0.0 that should resolve the problem. He didn't have a lot of additional information. Does this sound like it might be pertinent to issues I have been having?
03-24-2011 07:38 PM
This sounds more and more like a Verizon router issue, and it's funny that they keep telling us that it's an issue with other devices.
OK, let's go through our findings:
Verizon External Interface MAC Address: 00:1f:90:27:45:2f
Below is the ARP Table from the Verizon router:
IP Address MAC Address
96.241.175.1 00:90:1a:42:cc:61
96.241.175.98 00:1f:90:27:45:2f
Below are the results from running the two commands on my 5505:
MAC address 0025.84d3.5ff8, MTU not set (As you can see the MAC Address of the Verizon Router is NOT the same as the ASA 5505)
So the Verizon external interface MAC address is 00:1f:90:27:45:2f, which is also the MAC address for 96.241.175.98 according to the Verizon router. This is incorrect because Verizon has assigned the IP address 96.241.175.98 for you to use, and it should have the ASA outside interface MAC address instead, i.e. 0025.84d3.5ff8, so why does the Verizon router have an ARP entry with its own MAC address for an IP address that it assigns to you?
Is the Verizon router configured in bridge mode or routed mode?
03-25-2011 03:36 AM
When I got into my Verizon router setup it shows that I have TWO connections. One is the external Ethernet "Broadband" connection and the other is the "Network (Home/Office)" connection. Below are the configurations for both of these two connections. I notice the Home/Office (or Network) connection is listed as a Bridge type connection.
Connection Description: Network: Broadband Connection
Status: Connected
Connection Type: Ethernet
MAC Address: 00:1f:90:27:45:2f
IP Address: 96.241.175.98
Subnet Mask: 255.255.255.0
Default Gateway: 96.241.175.1
DNS Server: 68.237.161.12 and 71.252.0.12
IP Address Distribution: Disabled
Received Packets: 76437
Sent Packets: 67182
Time Span: 13:16:46
Connection Description: Network: Network (Home/Office)
Status: Connected
Underlying Device: Ethernet
Connection Type: Bridge
MAC Address: 00:1f:90:94:e8:09
IP Address: 192.168.1.1
Subnet Mask: 255.255.255.0
IP Address Distribution: DHCP Server
Received Packets: 82316
Sent Packets: 228127
Time Span: 13:07:31
So, I guess it didn't sound like setting the ASA to receive ARP on the IP address of 0.0.0.0 would help?
Wolf
03-25-2011 04:02 AM
You can't assign the same IP Address on both router and ASA outside interface. This will never work.
Currently you have the following on your ASA:
interface Vlan2
nameif outside
security-level 0
ip address 96.241.175.98 255.255.255.0
Change the IP address on the ASA to a different IP, eg: 96.241.175.102.
And since you have used 96.241.175.102 as a static NAT entry, change the following:
no static (dmz,outside) 96.241.175.102 192.168.2.139 netmask 255.255.255.255 dns
static (dmz,outside) tcp interface 53 192.168.2.139 53 netmask 255.255.255.255 dns
static (dmz,outside) udp interface 53 192.168.2.139 53 netmask 255.255.255.255 dns
Since it's a DNS server, I've configured static PAT for the DNS ports. So it will be sharing the IP Address with the ASA. If this works, you will need to ask Verizon to give you another IP because they have stolen that IP from the 5 ip addresses that they have given you to be assigned on their router.
03-25-2011 06:17 PM
I changed the outside interface to 96.241.175.102 as suggested and issued the clear xlate and clear arp commands. I still have full outbound connectivity (indicating that the 5505 can use the new IP address); but I still can't reach any internal resources from the outside. Interestingly, if I attempt to access the original IP of 96.241.175.98 I still get the message indicating it has denied an access attempt to that IP.
This would seem to indicate that the 5505 can still see inbound requests on that number while using the new 102 address. It just can't see anything on the other IPs. One important point to keep in mind is that when I remove the Verizon Router I'm no longer using ANY router so I'm not sure what issues that may or may not cause with using the .68 IP which WAS the router IP when I was using a router.
03-25-2011 06:23 PM
But 96.241.175.98 is assigned to your Verizon router, right?
So if you are not using the Verizon router at all, how is your ASA outside interface connected? What does it connect to?
03-25-2011 08:46 PM
I'm getting FiOS Internet via Fiber Optic so, as I understand it, I get five IP from the Optical Network Translator (ONT) which in turn provides me an ethernet cable out which I can plug into a router, a firewall or even directly into a computer if I want to, and the ONT provides me my five IP. The Verizon router was simply intended to provide me NAT and a built-in firewall. So, while it is true the .98 IP was assigned to my router, it was just because it was the first IP in my range of IP. Regarding the other potential solution from Verizon, is there a way to set the ASA 5505 to receive ARP via the IP of 0.0.0.0? Since that was a recommended solution to this problem from Verizon I would like to at least rule it out as a possibility of fixing this issue. Of course, I remain open to any and all other suggestions as well!
I found the following posts on another forum that deals specifically with Verizon FiOS Fiber Optic Broadband:
On Verizon non-use of subnetting:
Be aware that Verizon does not currently establish separate subnets for the static IP range users, even though the address blocks they assign follow subnetting rules. (This issue appears to affect East Coast subscribers as well as at least one recent West Coast subscriber.)
Verizon's absence of subnetting can create routing problems for static customers. Specifically, other users on the same supernet may have difficulty reaching services you are offering. Possible solutions include Verizon correctly deploying their FIOS service, FIOS customers could utilize a transparent firewall, or customers can try IP translations such as 1:1 mappings.
On the best way to route Multiple Verizon WAN Static IP:
Verizon implements a pre-routed subnet. You have to use the IPs directly on the devices. This means 1 VLAN for the WAN addresses, or else they will not be able to communicate with their FiOS gateway. If you want your devices behind your Linksys you have to pick 1 of your 5 IPs and put that on your Linksys and run NAT.
I know it's a pain how Verizon does this pre-routing BS; they should give you 1 WAN IP and route your subnet to that, like pretty much every other static IP internet provider. Any decent 10/100 unmanaged switch is fine unless you have the 150 plan, then of course you'd need a gigabit switch.
One suggestion:
I'd say keep Verizon's network on the Public side of the ASA, and do 1:1 NAT, with RFC1918 addresses on the Private interface. See >> en.wikipedia.org/wiki/Private_network regarding RFC1918. That's the way we roll at work -- RFC1918 on the 'inside', using 1:1 NAT into public addresses on the 'outside'. This way, your ASA still gets to be a router, versus a bridge, and all the Internet can access all your internal devices, depending on how you have your rules / conduits set up on the ASA.
A Second Suggestion:
You need a physical interface for each of your WAN IPs; you can't map a single MAC address to 5 layer 3 IP addresses. What you need is a switch off the ONT, and then your host devices or, if you are internally creating subnets, your routers.
Does this provide any insight or help on how to solve this problem?
Message was edited by: CyberWolves
04-01-2011 02:23 PM
I thought suggestion 1 is how we are already connecting the ASA firewall, i.e. connecting the ASA outside interface directly to the translator (ONT) that provides the ethernet connection, bypassing any router, etc.
Once you have that connected in that fashion, perform: clear xlate and clear arp on the ASA.
That would be exactly how Suggestion 1 is configured. The rest of the translation, i.e. static 1:1 NAT, you already have configured correctly, so nothing changes in that perspective.
04-02-2011 03:29 PM
I issued both the clear xlate and clear arp commands as suggested; but I am still not able to reach my IP from outside my own network. I've been doing a lot of research on how FiOS provides static IP via Fiber and a lot of people are having issues. I posted on a couple of forums asking if anyone with a Cisco ASA 5505 had gotten this to work. While no one has come forward with a 5505, several people are using Cisco PIX or ASA devices with other providers that use similar network designs to Verizon's FiOS. Several also understand specifically how Verizon FiOS has been implemented from a Network Design perspective and all acknowledge that it is NOT typical and DOES cause problems with devices like firewalls. These two postings are on dslreports.com and all the responses can be found under the below locations there:
Since I can't post links in the forum here, the two postings are under the following topics and headings:
Forums > Equipment Support > Hardware By Brand > Cisco > [HELP] Tryin to get my ASA 5505 to Work with FiOS ONT and 5 Stat
and
Forums > US Telco Support > Verizon > Verizon Fiber Optics > Has anyone gotten a Cisco ASA 5505 to work FiOS Multiple IPs
I have also attached a text file with several of the comments from the two forums (including some who have configured Cisco devices to work with these types of non-standard networks).
I hope some of this helps. Several people have referenced adding a Switch between the ONT and ASA because of the way Verizon FiOS implements subnets; but I'm not sure what kind of switch or how to configure it. Thanks again for your continued attempts to help me with this. I wonder how the Verizon Action Tec Router was able to do this to its own internal firewall while everything else has such problems.
- Wolf