BT Router & Cisco ASA Firewall
posted October
Hello,
Has anyone else managed to set up a Cisco PIX or ASA firewall with their BT broadband router using 5 static IP addresses?
I have tried for weeks to get the inbound services to work without success.
Outbound web and email work fine but a site-to-site VPN won't connect and I can find no way to use my static addresses because I've been told by BT support that my router will pick up a dynamic address each time it connects.
I've set up other ISPs' services before where you specify one of your 5 statics in the router config and the remaining four are free to use on your firewall.
I was told by BT support that this isn't possible. ???
My setup is this: LAN - Cisco - BT Router - Internet.
Any help or advice warmly received.
Thanks.
S.
Re: BT Router & Cisco ASA Firewall
posted October - last edited October
Hi there,
Is the Cisco ASA capable of initiating a PPPoE connection?
If so, you can turn the 2-wire router into a modem by doing this.
Go to Settings > Broadband > Link Configuration and set the following settings…
VPI: 0 VCI: 38
ATM Encapsulation: Bridged LLC
ATM PVC Search: Disabled (unchecked)
Connection Type: Direct IP (DHCP or Static)
Save the settings
Go to Settings > Broadband > Link Configuration > Disable routing at the bottom then save settings again.
As for the firewall setup, you need to make sure of the following:
- CHAP is the authentication protocol.
- NAT is switched off
- You can use NAT Pools if you need to use DHCP or want to include a private subnet.
- Each PC that requires a static is manually assigned through TCP/IP
If your Cisco is not capable of initiating the connection then bridge mode will not work for you, there may be other solutions though.
Thanks
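
Added example, not part of the original reply and not BT's or Cisco's own configuration: a PPPoE client setup on an ASA outside interface facing the bridged 2-wire router, using CHAP as the reply above specifies. The interface `Ethernet0/0`, the group name `BT-PPPOE` and the username and password are placeholders, and the syntax assumes an ASA software release that includes the PPPoE client.

```cisco
! --- PPPoE dial-out profile (group name is a placeholder) ---
vpdn group BT-PPPOE request dialout pppoe
! Broadband login supplied by the ISP (placeholder value)
vpdn group BT-PPPOE localname PLACEHOLDER_USERNAME
! CHAP, as required in the reply above
vpdn group BT-PPPOE ppp authentication chap
! Local credential entry matched against the localname above
vpdn username PLACEHOLDER_USERNAME password PLACEHOLDER_PASSWORD
!
! --- Outside interface cabled to the 2-wire router in bridge mode ---
interface Ethernet0/0
 nameif outside
 security-level 0
 ! Bind the interface to the dial-out profile
 pppoe client vpdn group BT-PPPOE
 ! Take the address from the PPPoE session and install the
 ! default route learned from the access concentrator
 ip address pppoe setroute
 no shutdown
!
! --- Checks to run once the router has been saved in bridge mode ---
! show vpdn session pppoe state     (session should reach SESSION_UP)
! show ip address outside pppoe     (address negotiated over PPPoE)
! show route                        (default route via the outside interface)
```

Once the session is up the ASA is the device directly reachable from the internet, so inbound access lists on the outside interface should permit only the services that are meant to be published.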
Re: BT Router & Cisco ASA Firewall
posted October
Hi Friend,
I'm not sure I understand what you're explaining here.
My 5 public IPs will only exist on the Cisco ASA firewall which will then use static routes or access lists to send traffic from, for example, SMTP from 1.2.3.4 (WAN) to 192.168.0.1 (LAN).
This is a common setup with all other ISPs I've worked with.
I don't want my static IP to NAT on the BT router to a PC, if this makes sense.
Can the BT router forward all traffic to my ASA to deal with?
If my BT router gets a dynamic IP at ISP level, how does my VPN at the other end know where to go?
Very confused and about to dump BT.
Cheers.
S.
Re: BT Router & Cisco ASA Firewall
posted October
Hi there,
It can be confusing, yes, especially if you have had experiences with other ISPs.
The problem with multiple statics used over an ATM circuit is that a connection has to be established first before your statics can be used. This connection is initiated by the router and a peer address is assigned to the connecting device; this address will be dynamic. So really the router itself will never be on static, and it's not possible to assign one due to security.
The 2700 connects to a home gateway router with your profile on it and the 5 statics become usable. Any device within your own network that has been assigned one of your statics will be allowed through, and the static will be public. This all happens over the ATM connection already established.
The 2700 is capable of running two subnets within the private network, your statics and another private range. This is the main reason BT use the 2700 as most people don't have access to that kind of router unless they buy one specific and they can run into hundreds of pounds.
Once the 2700 is set up with the static IPs you can use a section called 'address allocation' to assign your PCs each of the statics. It uses DHCP and MAC addresses to assign and remember the settings.
This can pose a problem for customers who want to use their own firewall; the majority of firewalls do not allow DHCP on the WAN side.
In your case you don't want the BT router to handle the addressing at all, you want to use it as a modem. The instructions above outline how to do that, it's called bridge mode.
When you set up bridge mode the router no longer uses its own settings; it waits for an attempt to connect over Ethernet within the LAN. This is initiated by your firewall using PPPoE. If your firewall is not capable of a PPPoE connection then it will not work.
Another option is to change to a single static. This will be assigned to the router on every connection, just like the peer address but will never change. That means you can set up a DMZ within the firewall on the 2700 to forward all traffic. DMZ only works over DHCP though, so again the Cisco would have to be able to be assigned an IP on the WAN interface via DHCP.
Hope this explains it a bit better.
Thanks
Re: BT Router & Cisco ASA Firewall
posted December
I have a very similar if not the same problem.
My understanding is:
I've a static range from BT, mask is 255.255.255.248.
So I have 8 possible hosts - 1 for network addr - 1 for bcast - 1 for the gateway which is 1 lower than bcast addr.
Leaving me with 5 useable addresses.
I was hoping to assign this range to the outside interface of my FW (pix 525) but I'm assuming this isn't possible because of the address needed for the gateway?
From reading your previous replies I think I want to be in bridge mode, but my connection type is currently PPPoA. Will I still be able to connect using PPPoE?
And will I be able to set my outside interface to handle the range from BT or will I need to change it?
In bridge mode will it seem as though my firewall is directly 'on the internet'?
Sorry if I haven't been clear, and thanks for any help!
Re: BT Router & Cisco ASA Firewall
posted December
Hi there,
What's the reason you need the statics on the external interface? A single static address may be what you need instead. The statics should be assigned to the internal interface and if NAT is switched off will be available on the WAN side anyway.
The Cisco should use PPPoE to connect to the 2-wire, and if the settings are followed for setting up the 2-wire in bridge then PPPoA will be disabled.
The IP on the WAN interface should just be the 2-wire's router address 192.168.1.254.
At least that's the theory.
Thanks
