Multiple IP Addresses in Subnet on ASA each using unique MAC Addresses

[vickers507]

thread1598-1551478

I am trying to connect an ASA to a 2Wire Gateway. The problem is that the gateway uses MAC / Port Security to limit the MAC address to one (1) IP address. When I try to use 1-to-1 NAT for a few servers, only one device can talk at the same time to the Gateway. I have a /29 block of addresses from the ISP and would like to use them on my ASA. Please help with either setting up the ASA, or finding a way around the port restriction. Connecting the servers directly to the Gateway is also not an option and all of the servers must sit behind the ASA.

It appears that the thread I mentioned above is a similar issue.


Thanks!

 

[PScottC]

Is this a business class connection? How are the IP addresses assigned to you? (Static or Dynamic?)

PSC
[—] CCNP[sub][blue]x3[/blue][/sub] (Security/R&S/Wireless) [•] MCITP: Enterprise Admin [•] MCSE [—]

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --from "Hackers

 

[vickers507]

This is Busniess Class U-Verse. The addresses are loaded into the gateway as an additional /29 of routed space, however you can't actually route the address space on an external device.

 

[PScottC]

Tell AT&T that you have your own firewall and they need to reconfigure the 2Wire device or send you a different front end device. They should not be restricting to 1 IP per MAC.

All firewalls do roughly the same thing (including routers that pose as firewalls)... 1 IP is assigned to the interface, then additional IPs are associated to the same interface through NAT policies. The ARP table of the upstream device would show the same MAC address for all downstream IPs.

PSC
[—] CCNP[sub][blue]x3[/blue][/sub] (Security/R&S/Wireless) [•] MCITP: Enterprise Admin [•] MCSE [—]

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --from "Hackers

 

[vickers507]

I have already tried, no such luck. Their answer was to switch back to 1.5 x 256 DSL, which worked just fine for the past 5 years. U-Verse is able to do 18X2. The provider won't change anything, so I have to find a solution or switch back to slow speeds.

Is their anyway to trick the gateway to think that each IP in the /29 block has a different MAC with a config on the ASA?

 

[PScottC]

If you can't get AT&T to budge on the issue and you can't replace/hack the 2Wire device, then I can think of only one option...

Get a second 5505 firewall. Configure the second firewall in Transparent mode in a VLAN that sits between the 2Wire device and your current firewall. This will form a true DMZ (a network between 2 firewalls). Place your external servers in this network and assign them IPs out of the public space you have been assigned. Your current firewall will provide NAT for your regular internet clients. This solution will fit within the ISPs requirements because there will be 1 IP per MAC.

PSC
[—] CCNP[sub][blue]x3[/blue][/sub] (Security/R&S/Wireless) [•] MCITP: Enterprise Admin [•] MCSE [—]

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --from "Hackers

 

[intelwizrd]

That is brilliant, don't know why I didn't think of that before. If I don't want to do any work to fix a problem for my customer I can just tell them "tough luck or go back to what you had" even though what you have now should be better and I get more money from you. They should be able to fix it, they just don't want to.

Are you under contract? Are there other Telco's in your area? Sometimes you can get the same or better service (and at a better rate) from a 3rd party Telco even though your current Telco owns the "last mile".

You may be able to use this issue as an out from your contract if they wont fix it for you but that depends on your contract.

If you have enough IPs for all of your internal hosts you might be able to configure your ASA as a Transparent Firewall. not sure if it will pass the source mac through to your gateway though (never used it that way). config example here:

http://www.cisco.com/en/US/products...s_configuration_example09186a008089f467.shtml

 

[PScottC]

As long as the content of the frame conforms to your ACLs, it will be permitted to pass unmolested. The source MAC and IP will be unchanged. This is the purpose of the transparent configuration. There is no routing or NAT involved, this is Layer 2 implementation of the ASA. It can still apply Layer 3 ACLs to permit/deny traffic.

PSC
[—] CCNP[sub][blue]x3[/blue][/sub] (Security/R&S/Wireless) [•] MCITP: Enterprise Admin [•] MCSE [—]

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --from "Hackers

 

[vickers507]

Looks like we will need to go back to the old setup, because the client is not going to spend another 1K+ for another firewall. AT&T refuses to do anything and says that "it is a limation of the gateway". Any other suggestions would be appreciated.