connecting ASA 5510s to a DSL modem with a static IP range

eureka.admin
Level 1

I have DSL service with AT&T and I have a Motorola 3360 modem.  We also have a /28 network of static IPs from AT&T.  When I log in using PPPoE on the modem it gets x.x.x.190 as its address.  Our range is 177-190.  I have two ASA 5510s in an active/passive failover configuration with the Ethernet port of the modem and one interface of each of the ASAs on a dumb layer 2 switch.

I want to set up this DSL connection as a backup to our main Internet connection.  I cannot figure out what setting on the DSL modem to use to make this happen.  I know I cannot use PPPoE in a failover setting so I can't have the modem in bridged mode.  There is some mode where it passes the 190 address to the connected device and when I plug in a PC directly to the modem and set it for DHCP it does get 190 as its address.  So do I configure the ASA interface as 190 with one of the other addresses as its standby?  What do I set my route on the ASA to for use of this connection?  Can I then make use of these other static addresses when plugging other devices into the layer 2 switch?

4 Replies

Thomas Gronke
Level 1

Help clarify your question with a few more details.  I believe you are seeking assistance on several tasks:

1.  Setting up the ASA as a DHCP client on the interface connected towards the DSL modem

2.  Verifying the DHCP connection either is maintained or quickly re-established when a failover occurs from one ASA to the other

3.  How to set up routing on the ASA to use the DSL connection as a backup

You do not mention much about your primary internet connection and how it is linked today to the ASA. 

Is it linked to the same dumb layer 2 switch? 

If the internet connection is attached to a router, do you manage the router or does your ISP?

Is this internet router participating in any routing protocol (BGP, RIP, other) with any routers that you manage on site?

Does your primary internet connection also issue you a range of static IPv4 addresses or just an IP address for the router?

For other newbies like me,

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a0080ab7ce9.shtml describes how PPPoE is only supported when the firewall is in single mode (no failover) and routing (not transparent).

Also try contacting AT&T for help, since a block of static IP addresses is more than a basic service.  As I found at

http://forums.untangle.com/networking/31113-pppoe-static-ip.html , other folks have encountered a similar problem.

So I don't want to use DHCP at all.  We have a static block of addresses and I want to use those on the ASAs.  I do know how to set up routing on the ASA for using a backup connection but I just don't know what the gateway address will be in this type of a configuration.

Our primary connection is a cable modem with a static block of addresses.  The way this is set up is that I connected the modem and both interfaces of the ASA to another dumb layer 2 switch and assigned the ASA interfaces one of the addresses from our static range and another for the standby address.  The default route is to the modem or something on our cable provider's network.  I actually have never looked at the configuration of that modem so I don't know where that address actually lies.  We have no other routers in our network between the modems and the ASAs.

I guess the issue here is a difference in the way DSL modems vs. cable modems operate.  Perhaps the cable modem is in some kind of bridging mode where I can use my static block with no problem.  However putting the DSL modem in bridging mode requires the use of PPPoE on the ASAs which I can't do because of the failover situation.  I just don't see a way with this DSL modem to make use of the static block, as its default configuration is to assign DHCP addresses on some 192.168 network to the Ethernet port.  I basically need that Ethernet port on the modem to have that 190 address and have the PPPoE login done on the modem.  Perhaps it's just not possible with this brand of modem.  And all the DSL/ASA setups I see are using bridging mode on the modem and the setroute command on the ASA interface with a PPPoE config on the ASA.  Of course none of these are in a failover config.

I might end up having to contact AT&T for their recommended configuration which probably includes a different modem which has more advanced capabilities or sticking another device in between the modem and the ASA.

Thanks for your prompt response.  From your information, your network near the firewalls looks like this:

Your cable modem connects to your provider without any intervention from your equipment, and you are free to assign IP addresses from your assigned block.  The cable ISP knows to route traffic to your block down to the layer 2 segment attached to the cable modem.

As you described, the Motorola 3360 DSL modem is an odd fish.  I do not have personal experience with that device,  but from internet searches that appears to be a model AT&T bundles with small business DSL service.  The 3360 appears to have three modes:

--router mode where it uses a single public IP on the WAN side and issues IP addresses in the 192.168.1.x range on the LAN side.  The modem performs the PPPoE function in this mode.

--hybrid mode where it gets a single public IP on the WAN side and then passes that through to one device connected on the LAN side.  The modem performs the PPPoE function in this mode.

--bridge mode.  A device on the LAN side must perform the PPPoE function.

Various links I found indicate folks with static IP address assignments from their ISP (usually AT&T) have difficulty getting those static IP addresses to work with the Motorola 3360 except in bridge mode.

To your original question, I'm guessing you match the configuration you performed on the cable modem side and use two of your static IPs for the ASAs.  However, it's unclear if the additional IP addresses will work with the 3360's odd behavior.  If you have internet-exposed hosts (as shown in my simple drawing), try assigning some of the DSL static IPs to those hosts and test communications both ways -- host-->internet, internet-->host.  If possible, test two hosts at the same time to verify the 3360 can handle multiple public IPs at the same time (one posting I found claimed it could only handle one public IP address at a time).

Yeah, that drawing is basically what I have set up.  I've tried using two of my statics as the interface IPs for the ASA just like my cable modem setup with pretty much all the modes of the modem and it just doesn't work.  I can't even assign one of the statics to a PC connected to the switch and have it work.  It will only work if you let it assign the 190 address to the PC using that public IP mode. If it's not in DHCP mode, it just seems the 3360 wants to assign 190 to anything that connects to it and that's pretty much it.

In my searches too I have not come across anyone using a 3360 in the manner I want to use it.  I'll be contacting AT&T next. Thanks for your help.
