Can you explain technically why it's not available with a static?
Yeah, bridge mode disables all routing capabilities of the gateway and essentially turns it into a regular retail cable modem. Comcast uses specific routing technologies to allow customer-assigned static IPs onto their network, and bridge mode disables these technologies.
If your gateway has been provisioned properly with your static IP, you should be able to configure any of your own devices with your static IP information and just plug it into the gateway's ethernet ports. The gateway will allow all traffic to/from static IP devices. Make sure that the gateway's firewall settings (available at http://10.1.10.1) are configured to "Allow all traffic through" - this should be a checkbox on one of the configuration pages.
The gateway is your ethernet handoff, in essence.
Hello skymeat and welcome,
Yes, train_wreck is right on about the setup and utilization of your static IP implementation. Just to add to this, if you are setting up your VPN then it is necessary that you use this guide to make absolutely sure that your VPN is structured correctly and all required ports are open on the static IP device at both locations.
Unlike train_wreck's recommendation about making sure all true static IP ports are open using the FW radio button, I submit to you that the more secure means for a static IP device is to disable (uncheck) this feature, then use either the FW or Advanced Port Forwarding "true static IP port management" facility to open ONLY the ports that your static IP device requires.
This can easily be performed by first selecting "block all ports with the following exceptions"; then, for example, if you are using an RRAS-based VPN server behind a firewall for PPTP, ports 1723 and 47 must be open, per the guide I referenced. So therefore, within the Add true static IP port management facility you would click the Add button and enter something like this:
PPTP1723Port 1723 1723 both Routable.Static.IP.Address
PPTP47Port 47 47 both Routable.Static.IP.Address
Hope this helps you out.
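As an added illustration (not code from the thread, the gateway, or its vendor), here is a small Python model of the "block all ports with the following exceptions" policy described above: it parses rule lines in the same column order as the two PPTP entries and reports which constructed inbound attempts the allowlist would pass. The IP 203.0.113.10 is a constructed stand-in for Routable.Static.IP.Address.

```python
"""Allowlist model of the gateway's "block all ports with the following
exceptions" mode. Added illustration only; the rule-line format copies the
thread's entries and 203.0.113.10 is a constructed stand-in address."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRule:
    name: str
    start: int       # first port in the range
    end: int         # last port in the range (inclusive)
    direction: str   # "both", "in" or "out" as typed into the gateway form
    target_ip: str   # the static IP the exception applies to


def parse_rule(line: str) -> PortRule:
    """Parse 'NAME START END DIRECTION IP', the column order shown in the thread."""
    name, start, end, direction, ip = line.split()
    start_i, end_i = int(start), int(end)
    if not (0 < start_i <= end_i <= 65535):
        raise ValueError(f"bad port range in rule {name!r}: {start}-{end}")
    if direction not in ("both", "in", "out"):
        raise ValueError(f"bad direction in rule {name!r}: {direction}")
    return PortRule(name, start_i, end_i, direction, ip)


def is_allowed(rules, dst_ip: str, dst_port: int, inbound: bool = True) -> bool:
    """Default deny: traffic passes only if an exception covers IP, port and direction."""
    want = "in" if inbound else "out"
    return any(
        r.target_ip == dst_ip
        and r.start <= dst_port <= r.end
        and r.direction in ("both", want)
        for r in rules
    )


# Constructed rule table in the thread's format (the PPTP server example).
RULE_LINES = [
    "PPTP1723Port 1723 1723 both 203.0.113.10",
    "PPTP47Port 47 47 both 203.0.113.10",
]
RULES = [parse_rule(line) for line in RULE_LINES]


def audit(rules, attempts):
    """Return {(ip, port): allowed} for a list of constructed inbound attempts."""
    return {(ip, port): is_allowed(rules, ip, port) for ip, port in attempts}


if __name__ == "__main__":
    sample = [("203.0.113.10", 1723), ("203.0.113.10", 445), ("203.0.113.11", 1723)]
    for (ip, port), ok in audit(RULES, sample).items():
        print(f"{ip}:{port} -> {'ALLOW' if ok else 'BLOCK'}")
```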
Seems like a weird setup on the provider side though.
Yeah, from my understanding the Comcast gateways use RIPv2 to announce to the cable head-end which gateway has which static IP block, so the customer only has to worry about configuring basic IP info. I imagine it's done this way for some security purposes, to prevent people from accidentally (or maliciously) announcing their own devices for IPs that aren't theirs.
Wow. MD5 auth if I remember right.
Yeah it's an old protocol, but I believe Comcast also blocks outgoing RIP from the customer side of all modems, so I think it would be somewhat difficult for customers to get in the middle of. Keep in mind this is just my best estimate from things I've read, I don't have direct knowledge of exactly how Comcast operates its DOCSIS network.
Actually, train_wreck the static IP RIP2 protocol is used to authenticate the customer's static IP block between the CMTS and the CRAN server.
Ah ok, I could have sworn I saw RIP settings in a screenshot of the admin screens of one of the gateways... thanks for the correction.
Hey folks. I want to make sure I understand this correctly, because quite honestly this seems odd design-wise.
I have a single static IP. My thoughts were that I put the Cisco GW in bridge mode, assign the static IP to the external interface of my own FW, and I'm done. This didn't seem to work. I was getting public IPs in the 75.x.x.x range assigned to any device I plugged into the Cisco GW.
Here's what I want: Internet ---<>Comcast Cisco GW<>--ASA5505<>--Rest of my network. I really want the Comcast GW to function as a cable modem, and would like my static IP and all my logic running on my ASA5505.
To get the above to work, am I hearing that I need to put the Cisco GW in route mode, but turn off all firewalling, etc.?
But then I'd need the outside interface of my ASA to be an RFC1918 address?
Not sure if this will help anyone else, but this is the sort of search I was doing before starting:
multiple (5) static IPs, QoS router behind Cisco modem and NOT in bridge mode.
For those that haven't figured it out, they have set the modem up to pass the public/static IPs through to the LAN side, so if you have a device that answers to your static IPs on the LAN side, the comcast modem will pass the traffic to it (out of the box, as configured during install).
That is, you assign the provided public IP/NETMASK/DNS to either a computer or a route in another router on the LAN side of the comcast modem and it will make it appear as if it is directly connected to the internet.
You can either filter the ports in the comcast modem, or disable the firewall and pass everything to those IPs.
In my case, I clamped down the comcast firewall as tight as possible, defaulting to block, passing only those ports I need for services I provide. This is redundant as the QoS router also blocks all but those ports served, but the sooner I stop bad traffic the better as far as I am concerned.
So, the comcast router passes my 5 static IPs to an internal router (Netgear proSafe) that is itself in NAT mode. It maps WAN->LAN by treating the Comcast (Cisco) LAN side as "the internet". So, I have NAT rules for each open port:
PORT, PUBLIC_STATIC_IP, INTERNAL_IP, QoS_RULE
This allows me to prioritize various types of traffic as needed (and throttle nuisance but required traffic). It does make some bold assumptions about how the comcast modem is responding to the internal router stalling it, but so far it seems to behave itself (i.e. not lock up and do nothing on other ports while waiting for a throttled port).
Using this method you can also have DHCP clients that are NOT behind the QoS router (i.e. connected to the comcast LAN side in parallel with the internal router), but that just complicates things and potentially removes the benefit of QoS.
Hope that helps, it would have helped me understand what I was doing last week getting setup. It is odd that comcast has such a sizeable hunk of hardware without even crude QoS. Seems like a huge oversight.
Thanks Cekim for sharing the info. This will definitely give me enough information to set up what I need... although I'm still pretty perplexed by Comcast's use of bridging.
All I really wanted was a dumb cable modem and the ability to put a static IP (the one they gave me) on the outside of my ASA.
Thanks again for the help.