Cisco RVS4000 NAT to my Cisco ASA 5505 Firewall

CyberWolves_2 (Level 1)

I’ve been using a Cisco ASA 5505 Security Plus bundle for two years now without any problems. My previous Internet Service Provider was routing the external IP I was leasing directly through to my internal network without NAT, which my ASA 5505 was working well with. Thus, I had configured my 5505 to provide NAT to my inside network, which includes two subnets: one for my workstations and internal "private" resources, and a DMZ to provide access to my webserver, email server and two domain name servers but restrict access to my internal resources.



I recently changed my ISP to Verizon FiOS (which is providing me with 25 Mb bandwidth at a fraction of the cost of my old T1), which is set up to provide 5 static externally facing IP numbers for my email, webserver and name servers. The problem is the Verizon router doesn’t support my use of the ASA appliance (at least not the way it is currently configured). Verizon recommended I purchase a business class router and use it in place of the one they provided with my installation. With this in mind, I bought a Cisco RVS4000. I have configured it to use the primary external IP number and have internet access; however, the new router is providing NAT addressing which the ASA is in conflict with (they are both using the same NAT IP range). I'm assuming the ASA 5505 is expecting to have access to the external IP addresses (since that is what it was getting before) and NOT NAT addresses. I have to admit I don’t know a lot about networking and am hoping someone can tell me how to configure the new router to provide access to the five static external “real world” IPs to my Cisco ASA Firewall. However, the Cisco Router forum suggested I should reach out to the ASA 5505 forum to seek assistance here. I'm open to other options and suggestions.

I just need to get my ASA 5505 back in the loop and would prefer to do this rather than go back to the Verizon router combined with a low end firewall. So, my questions are: Does the ASA 5505 expect real world External IP numbers? Or can it work with NAT addresses being fed to it from the router?  And, if so, how do I configure the access rules and other items which are currently mapping to external numbers?

Sorry if I'm a bit lost here; but I'm a small business owner and struggling with some of the router networking issues and concepts. Any suggestions or tips will be greatly appreciated.



27 Replies

Hmmm, if your Verizon router actually has the following as the IP:

Broadband IP Address: 96.241.175.98

Subnet Mask: 255.255.255.0

Why does your ASA outside interface also have the same IP?

ASA: Outside   96.241.175.98

Also, does the Verizon router have 2 interfaces? Which interface connects to your ASA outside interface, and what is the IP of that interface?

I just got a knowledgeable tech rep with Verizon FiOS who verified that I have five ADDITIONAL static IPs and that these IPs are:

96.241.175.98
96.241.175.99
96.241.175.100
96.241.175.101
96.241.175.102
96.241.175.103

(The original IP plus FIVE additional IPs I'm paying extra for.)

He verified that this is a class C network with the netmask of 255.255.255.0 and told me that since I removed the Actiontec router that came with the service I'm getting the static IPs directly from the Alcatel Optical Network Terminal (ONT) and thus no router is involved or needed. He indicated that I could plug a laptop into the Ethernet cable coming out of the ONT and configure it for any of the external IPs I own and it would work. I will verify this if it helps!

He also asked which Cisco device I was using and when I told him he said he believes he knows what the issue is. He said there is a known issue between the Alcatel ONT and Cisco equipment because the Optical Network Terminal utilizes Gratuitous ARP, which has caused problems with Cisco firewalls not being able to see anything but the first IP of a set. He also indicated there was a patch from Cisco to address this problem. Could you do a little checking within Cisco to see if this is possibly the case here? If there is a patch (or other workaround), how can I get it installed on my ASA 5505?

Thanks!



Proxy ARP is enabled by default on Cisco ASA firewall.

You can check that by issuing "sh run all sysopt", and you should see a line that says:

no sysopt noproxyarp outside

If you see that line, it means proxy ARP is enabled on the outside interface.

Next thing to check is the MAC address on the ASA outside interface: sh int e0/0 | i MAC

I believe you have connected eth0/0 to the Verizon router, right? If yes, then note down the MAC address.

Then, get access to the Verizon router, or call Verizon if you don't have access, and get them to check the ARP entry for the following IPs:

96.241.175.98
96.241.175.99
96.241.175.100
96.241.175.101
96.241.175.102
96.241.175.103

and make sure that the ARP entries for all the above IPs have the MAC address of the ASA outside interface. If not, then that is the reason why it's not working. Note down the MAC address if it's not the ASA outside interface MAC address, and ask Verizon whose MAC addresses they are, because they are not yours. Possibly they belong to some other customers that are assigned in the same subnet.
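The three checks in the reply above (proxy ARP state from "sh run all sysopt", the outside interface MAC from "sh int e0/0 | i MAC", and whether every public IP's ARP entry on the ISP side points at that MAC) are easy to get wrong by eye because the ASA prints MACs in Cisco dotted form (0025.84d3.5ff8) while the Verizon router prints colon form (00:1f:90:27:45:2f). The script below is an added example, not code from this thread or from Cisco: it normalizes both notations, parses the pasted outputs, and reports per-IP "ok", "missing" or "mismatch". The sample inputs are the outputs pasted later in this thread; the ARP table is assumed to be plain "IP MAC" lines with a header, which is a constructed format, not a specific vendor's.

```python
import re

# Constructed sample data, taken from the outputs pasted in this thread.
ASA_SHOW_INT = "MAC address 0025.84d3.5ff8, MTU not set"

ASA_SYSOPT = """\
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
no sysopt noproxyarp inside
no sysopt noproxyarp outside
no sysopt noproxyarp dmz
"""

ISP_ARP_TABLE = """\
IP Address MAC  Address
192.168.1.4 00:24:8c:9d:2b:88
192.168.1.3 00:14:bf:3e:75:4e
96.241.175.1 00:90:1a:42:cc:61
96.241.175.98 00:1f:90:27:45:2f
"""

# The six public addresses the thread says Verizon assigned.
STATIC_IPS = ["96.241.175.%d" % n for n in range(98, 104)]

MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Return a MAC in colon form, accepting Cisco dotted (0025.84d3.5ff8),
    colon, or dash notation. Raises ValueError on anything else."""
    hexdigits = re.sub(r"[.:\-]", "", mac.strip().lower())
    if not MAC_RE.match(hexdigits):
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def asa_interface_mac(show_int_output):
    """Pull the MAC out of 'show interface ... | include MAC' output."""
    m = re.search(r"MAC address ([0-9a-fA-F.]+)", show_int_output)
    if not m:
        raise ValueError("no MAC address in show interface output")
    return normalize_mac(m.group(1))


def proxy_arp_enabled(sysopt_output, ifname):
    """True if 'show run all sysopt' says proxy ARP is on for ifname,
    False if it is off, None if the interface is not mentioned.
    'no sysopt noproxyarp X' (the ASA default) means enabled."""
    pat = re.compile(r"^(no)?\s*sysopt\s+noproxyarp\s+(\S+)\s*$")
    for line in sysopt_output.splitlines():
        m = pat.match(line.strip())
        if m and m.group(2) == ifname:
            return m.group(1) is not None
    return None


def parse_arp_table(text):
    """Parse 'IP MAC' lines into {ip: normalized_mac}; header and blanks are skipped."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            table[parts[0]] = normalize_mac(parts[1])
        except ValueError:
            continue  # header row or junk, not an entry
    return table


def audit_arp(arp_table, expected_mac, ips):
    """For each public IP, report 'ok', 'missing', or 'mismatch:<mac seen>'."""
    expected = normalize_mac(expected_mac)
    result = {}
    for ip in ips:
        mac = arp_table.get(ip)
        if mac is None:
            result[ip] = "missing"
        elif mac == expected:
            result[ip] = "ok"
        else:
            result[ip] = "mismatch:" + mac
    return result


if __name__ == "__main__":
    asa_mac = asa_interface_mac(ASA_SHOW_INT)
    print("ASA outside MAC:", asa_mac)
    print("proxy ARP on outside:", proxy_arp_enabled(ASA_SYSOPT, "outside"))
    for ip, status in audit_arp(parse_arp_table(ISP_ARP_TABLE), asa_mac, STATIC_IPS).items():
        print(ip, status)
```

Run against the thread's data it flags 96.241.175.98 as a mismatch (the router's own MAC rather than the ASA's) and the other five as missing, which is exactly the symptom the reply above says to look for; a "mismatch" with an unknown MAC is the case where you ask the provider whose address it is.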

Below is the requested information:

Verizon External Interface MAC Address: 00:1f:90:27:45:2f

Below is the ARP Table from the Verizon router:

ARP Table

IP Address       MAC Address
192.168.1.4      00:24:8c:9d:2b:88
192.168.1.3      00:14:bf:3e:75:4e
96.241.175.1     00:90:1a:42:cc:61
96.241.175.98    00:1f:90:27:45:2f

Below are the results from running the two commands on my 5505:

Result of the command: "sh int e0/0 | i MAC"

MAC address 0025.84d3.5ff8, MTU not set

(As you can see the MAC Address of the Verizon Router is NOT the same as the ASA 5505.)

Result of the command: "sh run all sysopt"

no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt noproxyarp inside
no sysopt noproxyarp outside
no sysopt noproxyarp dmz

I hope this helps!  - Wolf



I just got a call back from Verizon. This tech said he thinks he may have identified another "known issue" (they seem to have a lot of those) which has caused similar problems with devices. He requested I let you know that if the ASA 5505 can be set to receive ARP from the IP address of 0.0.0.0 that should resolve the problem. He didn't have a lot of additional information. Does this sound like it might be pertinent to issues I have been having?



This sounds more and more like a Verizon router issue, and it's funny that they keep telling us that it's an issue with other devices.

OK, let's go through our findings:

Verizon External Interface MAC Address: 00:1f:90:27:45:2f

Below is the ARP Table from the Verizon router:

IP Address       MAC Address
96.241.175.1     00:90:1a:42:cc:61
96.241.175.98    00:1f:90:27:45:2f

Below are the results from running the two commands on my 5505:

MAC address 0025.84d3.5ff8, MTU not set (As you can see the MAC Address of the Verizon Router is NOT the same as the ASA 5505)

So the Verizon external interface MAC address is 00:1f:90:27:45:2f, which is also the MAC address for 96.241.175.98 according to the Verizon router. This is incorrect because Verizon has assigned the IP address 96.241.175.98 for you to use, and it should have the ASA outside interface MAC address instead, i.e. 0025.84d3.5ff8. So why does the Verizon router have an ARP entry with its own MAC address for an IP address that it assigns to you?

Is the Verizon router configured in bridge mode or routed mode?


When I got into my Verizon router setup it shows that I have TWO connections. One is the external Ethernet "Broadband" connection and the other is the "Network (Home/Office)" connection. Below are the configurations for both of these two connections. I notice the Home/Office (or Network) connection is listed as a Bridge type connection.

Connection Description: Network: Broadband Connection
Status: Connected
Connection Type: Ethernet
MAC Address: 00:1f:90:27:45:2f
IP Address: 96.241.175.98
Subnet Mask: 255.255.255.0
Default Gateway: 96.241.175.1
DNS Server: 68.237.161.12 and 71.252.0.12
IP Address Distribution: Disabled
Received Packets: 76437
Sent Packets: 67182
Time Span: 13:16:46

Connection Description: Network: Network (Home/Office)
Status: Connected
Underlying Device: Ethernet
Connection Type: Bridge
MAC Address: 00:1f:90:94:e8:09
IP Address: 192.168.1.1
Subnet Mask: 255.255.255.0
IP Address Distribution: DHCP Server
Received Packets: 82316
Sent Packets: 228127
Time Span: 13:07:31

So, I guess it didn't sound like setting the ASA to receive ARP on the IP address of 0.0.0.0 would help?





Wolf



You can't assign the same IP Address on both router and ASA outside interface. This will never work.

Currently you have the following on your ASA:

interface Vlan2
nameif outside
security-level 0
ip address 96.241.175.98 255.255.255.0

Change the IP address on the ASA to a different IP, eg: 96.241.175.102.

And since you have used 96.241.175.102 as a static NAT entry, change the following:

no static (dmz,outside) 96.241.175.102 192.168.2.139 netmask 255.255.255.255 dns

static (dmz,outside) tcp interface 53 192.168.2.139 53 netmask 255.255.255.255 dns

static (dmz,outside) udp interface 53 192.168.2.139 53 netmask 255.255.255.255 dns

Since it's a DNS server, I've configured static PAT for the DNS ports. So it will be sharing the IP Address with the ASA. If this works, you will need to ask Verizon to give you another IP because they have stolen that IP from the 5 ip addresses that they have given you to be assigned on their router.

I changed the outside interface to 96.241.175.102 as suggested and issued the clear xlate and clear arp commands. I still have full outbound connectivity (indicating that the 5505 can use the new IP address); but I still can't reach any internal resources from the outside. Interestingly, if I attempt to access the original IP of 96.241.175.98 I still get the message indicating it has denied an access attempt to that IP.

This would seem to indicate that the 5505 can still see inbound requests on that number while using the new .102 address. It just can't see anything on the other IPs. One important point to keep in mind is that when I remove the Verizon router I'm no longer using ANY router, so I'm not sure what issues that may or may not cause with using the .68 IP which WAS the router IP when I was using a router.



But 96.241.175.98 is assigned to your Verizon router, right?

So if you are not using the Verizon router at all, how is your ASA outside interface connected? What does it connect to?

I'm getting FiOS Internet via fiber optic so, as I understand it, I get five IPs from the Optical Network Translator (ONT), which in turn provides me an Ethernet cable out which I can plug into a router, a firewall or even directly into a computer if I want to, and the ONT provides me my five IPs. The Verizon router was simply intended to provide me NAT and a built-in firewall. So, while it is true the .98 IP was assigned to my router, it was just because it was the first IP in my range of IPs. Regarding the other potential solution from Verizon, is there a way to set the ASA 5505 to receive ARP via the IP of 0.0.0.0? Since that was a recommended solution to this problem from Verizon I would like to at least rule it out as a possibility of fixing this issue. Of course, I remain open to any and all other suggestions as well!



I found the following posts on another forum that deals specifically with Verizon FiOS Fiber Optic Broadband:

On Verizon non-use of subnetting:

Be aware that Verizon does not currently establish separate subnets for the static IP range users, even though the address blocks they assign follow subnetting rules. (This issue appears to affect East Coast subscribers as well as at least one recent West Coast subscriber.)

Verizon's absence of subnetting can create routing problems for static customers. Specifically, other users on the same supernet may have difficulty reaching services you are offering. Possible solutions include Verizon correctly deploying their FiOS service, FiOS customers could utilize a transparent firewall, or customers can try IP translations such as 1:1 mappings.

On the best way to route Multiple Verizon WAN Static IPs:

Verizon implements a pre-routed subnet. You have to use the IPs directly on the devices. This means 1 VLAN for the WAN addresses, or else they will not be able to communicate with their FiOS gateway. If you want your devices behind your Linksys you have to pick 1 of your 5 IPs and put that on your Linksys and run NAT.

I know it's a pain how Verizon does this pre-routing BS, they should give you 1 WAN IP and route your subnet to that, like pretty much every other static IP internet provider. Any decent 10/100 unmanaged switch is fine unless you have the 150 plan, then of course you'd need a gigabit switch.

One suggestion:

I'd say keep Verizon's network on the Public side of the ASA, and do 1:1 NAT, with RFC1918 addresses on the Private interface. See >> en.wikipedia.org/wiki/Private_network regarding RFC1918. That's the way we roll at work -- RFC1918 on the 'inside', using 1:1 NAT into public addresses on the 'outside'. This way, your ASA still gets to be a router, versus a bridge, and all the Internet can access all your internal devices, depending on how you have your rules / conduits set up on the ASA.

A second suggestion:

You need a physical interface for each of your WAN IPs, you can't map a single MAC address to 5 layer 3 IP addresses. What you need is a switch off the ONT, and then your host devices or, if you are internally creating subnets, your routers.

Does this provide any insight or help on how to solve this problem?




I thought suggestion 1 is how we are already connecting the ASA firewall, ie: connecting the ASA outside interface directly to the translator (ONT) that provides the ethernet connection. Bypass any router, etc.

Once you have that connected in that fashion, perform: clear xlate and clear arp on the ASA.

That would be exactly how Suggestion 1 is configured. The rest of the translation, i.e. static 1:1 NAT, you already have configured correctly, so nothing changes in that perspective.

I hope some of this helps. Several people have referenced adding a switch between the ONT and ASA because of the way Verizon FiOS implements subnets; but I'm not sure what kind of switch or how to configure it. Thanks again for your continued attempts to help me with this. I wonder how the Verizon Actiontec router was able to do this to its own internal firewall while everything else has such problems.


I issued both the clear xlate and clear arp commands as suggested; but I am still not able to reach my IPs from outside my own network. I've been doing a lot of research on how FiOS provides static IPs via fiber and a lot of people are having issues. I posted on a couple of forums asking if anyone with a Cisco ASA 5505 had gotten this to work. While no one has come forward with a 5505, several people are using Cisco PIX or ASA devices with other providers that use similar network designs as Verizon's FiOS. Several also understand specifically how Verizon FiOS has been implemented from a network design perspective and all acknowledge that it is NOT typical and DOES cause problems with devices like firewalls. These two postings are on dslreports.com and all the responses can be found under the below locations there:

Since I can't post links in the forum here, the two postings are under the following topics and headings:

Forums > Equipment Support > Hardware By Brand > Cisco > [HELP] Tryin to get my ASA 5505 to Work with FiOS ONT and 5 Stat

and

Forums > US Telco Support > Verizon > Verizon Fiber Optics > Has anyone gotten a Cisco ASA 5505 to work FiOS Multiple IPs

I have also attached a text file with several of the comments from the two forums (including some who have configured Cisco devices to work with these types of non-standard networks).




- Wolf
