How to configure VPN with Cisco ASA 5505 behind Actiontec MI424WR

SOLVED
Copper Contributor
Posts: 13
Registered: ‎12-10-2009

How to configure VPN with Cisco ASA 5505 behind Actiontec MI424WR

Message 1 of 12
(29,809 Views)

I'm trying to test my Cisco VPN client from my workplace to my home where I have a Cisco ASA 5505 (VPN server) behind the Actiontec MI424WR.  I'm able to Ping the Actiontec external IP.  I also have Port Forwarding for IKE and IPSec configured on the Actiontec, but I cannot establish the VPN connection.

 

What do I need to configure on the Actiontec to make this work?

 

Also, when I test this at home, the MI424WR acts as the DHCP server for my laptop and the Cisco outside interface.  At home, I'm able to establish the VPN connection from my laptop to the ASA, allowing me to see a shared drive behind the ASA.  However, at home, I cannot go to the Internet while using the VPN client.

 

Thanks for any help.

 

Steve

Platinum Contributor III
Posts: 5,881
Registered: ‎07-22-2009

Re: How to configure VPN with Cisco ASA 5505 behind Actiontec MI424WR

Message 2 of 12
(29,792 Views)

Well, how did you configure your port forwarding?

I know a popular mistake is that when people configure the ports they specify a source, when it should be ANY, and then your destination port is the only thing that should be defined.

 


Copper Contributor
Posts: 13
Registered: ‎12-10-2009

Re: How to configure VPN with Cisco ASA 5505 behind Actiontec MI424WR

Message 3 of 12
(29,780 Views)

Thanks for your reply.

 

I had the port forwarding rule configured with the protocols IKE and IPSec.  This didn't allow me to establish a VPN connection.

 

I just added the rule

Network address: 192.168.2.3:500

Protocols: UDP Any -> 500

WAN: All broadband devices

 

This allowed me to establish a VPN connection, but I cannot contact the shared drive behind the Cisco ASA.  The drive may be powered off.  I'll check when I get home.

 

Would I have to add another rule to allow communications such as talking with the shared drive?  Or, does everything over the VPN use UDP port no. 500?

 

Thanks again.

Platinum Contributor III
Posts: 5,881
Registered: ‎07-22-2009

Re: How to configure VPN with Cisco ASA 5505 behind Actiontec MI424WR

Message 4 of 12
(29,768 Views)

You shouldn't have to add that rule in the Actiontec to my awareness, but check with the Cisco and see if there are additional rules for your particular session that you need configured.  I think you should be all set with the Actiontec configs since it's now letting you form a tunnel.

Copper Contributor
Posts: 13
Registered: ‎12-10-2009

Re: How to configure VPN with Cisco ASA 5505 behind Actiontec MI424WR

Message 5 of 12
(29,748 Views)

I tested tonight from home, and I was able to connect to the shared drive behind the ASA.

 

[shared drive] -- [Cisco ASA] -- [MI424WR] -- [NET]
                                     |
                                 [Laptop]

 

One difference is that the laptop is on the same net as the Cisco's outside interface, whereas, when I'm at work, it's a different source network.  But, thanks to you, I can establish VPN connectivity from work, which is progress.

I also thought about looking for logs on the Cisco ASA.  Maybe that'll tell me something.

 

I used Wireshark at home tonight, but nothing stood out in the packets.

Copper Contributor
Posts: 13
Registered: ‎12-10-2009

Re: How to configure VPN with Cisco ASA 5505 behind Actiontec MI424WR

Message 6 of 12
(29,603 Views)

Unfortunately, I'm still working on this.

 

After adding a port forwarding rule on the MI424WR to the Cisco ASA, specifically port no. 500, I was able to establish a VPN connection.  However, I still CANNOT ping devices behind the ASA or access a shared drive that I set up.  I am able to do this while at home (where traffic doesn't pass through the MI424WR WAN interface).

 

Perhaps I need a different/another port forwarding rule.  Or port triggering which I know nothing about.

 

To eliminate the MI424WR from my troubleshooting, I'm considering making the MI424WR a bridge.

 

What's the recommended configuration procedure to make the MI424WR a bridge?  Also, how do I revert back to the router config?

 

Thanks, Steve

Platinum Contributor III
Posts: 5,881
Registered: ‎07-22-2009

Re: How to configure VPN with Cisco ASA 5505 behind Actiontec MI424WR

Message 7 of 12
(29,592 Views)

http://www.dslreports.com/faq/verizonfios/3.0_Networking

 

Those are the best sample configs and resources on how to set the FiOS network.

Bridging is possible but difficult.  That link will give you great info on it.

Are you a FiOS customer that has phone/internet/TV, or no TV, or no phone?  You have to be careful with your configuration or you might lose some TV features and functionality, like the Interactive Program Guide, or the VOD, or the Widgets.

Sorry the port forwarding wasn't enough to resolve your issue.  I am not sure that it's an Actiontec config you are looking for; from my understanding of Ciscos and FiOS, it may be something behind the Cisco that is causing an issue.  You may want to reach out to the Cisco admin that manages that, and find out if there are additional ports that are required, and then you can come back and configure those ports too.

Platinum Contributor III
Posts: 5,881
Registered: ‎07-22-2009

Re: How to configure VPN with Cisco ASA 5505 behind Actiontec MI424WR

Message 8 of 12
(29,590 Views)

If you configure it as a bridge and you want to convert back, you can do so by holding down the reset button in the back for 20 seconds; that restores the Actiontec/Westell to factory specifications.

Here is an article I found on bridging that was met with mixed results.

http://www.dslreports.com/forum/r17679150-Howto-make-ActionTec-MI424WR-a-network-bridge

According to Actiontec it can't be bridged (true bridge), but a lot of users have found ways to create a bridge environment that works for them.

 

 

Platinum Contributor III
Posts: 6,819
Registered: ‎08-23-2008

Re: How to configure VPN with Cisco ASA 5505 behind Actiontec MI424WR

Message 9 of 12
(29,586 Views)

 



Bridge? One media type to another. Set the Actiontec to an address that does not conflict with any other address on your network. Throw the WAN port out the window. Use the LAN ports only. Wireless and MOCA to Ethernet bridge. But you must have Ethernet enabled on your ONT to another router. MOCA WAN cannot be bridged to the best of my knowledge. My exact setup.

 

 

Have Verizon turn on Ethernet from the ONT. You will be happier!

Copper Contributor
Posts: 13
Registered: ‎12-10-2009

Re: How to configure VPN with Cisco ASA 5505 behind Actiontec MI424WR

Message 10 of 12
(28,080 Views)

I'm able to talk to devices behind the Cisco ASA now.  I had to enable "nat-t" on the ASA and forward UDP 4500 too.
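
The thread's question (does everything over the VPN use UDP port 500?) and its resolution (NAT-T plus a UDP 4500 forward) can be checked against a packet capture. The Python below is an added example, not code from any poster; it labels packets using the RFC 3948 demultiplexing rules, and the function names, labels and sample packets are constructed for illustration.

```python
from collections import Counter

ESP_PROTO, UDP_PROTO = 50, 17      # IP protocol numbers
IKE_PORT, NATT_PORT = 500, 4500    # UDP destination ports

def classify(ip_proto, dst_port=None, payload=b""):
    """Label one packet arriving on the NAT router's WAN side."""
    if ip_proto == ESP_PROTO:
        return "esp-native"        # no port field, so a UDP port forward never matches
    if ip_proto != UDP_PROTO:
        return "other"
    if dst_port == IKE_PORT:
        return "ike"               # negotiation only, never user data
    if dst_port == NATT_PORT:
        if payload == b"\xff":
            return "natt-keepalive"            # RFC 3948 one-byte keepalive
        if payload[:4] == b"\x00" * 4 and len(payload) > 4:
            return "ike-natt"                  # non-ESP marker, then an IKE header
        if len(payload) >= 8:
            return "esp-in-udp"                # non-zero SPI + sequence number
    return "other"

def diagnose(packets):
    """Summarise a capture: which forwards does this tunnel depend on?"""
    seen = Counter(classify(*p) for p in packets)
    if seen["esp-in-udp"]:
        return "nat-t-data"        # forward UDP 500 and UDP 4500
    if seen["esp-native"]:
        return "raw-esp-data"      # IP protocol 50 must pass the NAT device unmodified
    if seen["ike"] or seen["ike-natt"]:
        return "negotiation-only"  # tunnel may show as up, but no data crossed
    return "no-ipsec"

# Constructed sample captures (not taken from the thread).
IKE_HDR = bytes(28)                                  # placeholder IKE header bytes
ESP_PKT = bytes.fromhex("c0ffee01") + (1).to_bytes(4, "big") + bytes(32)
ONLY_500 = [(UDP_PROTO, 500, IKE_HDR), (UDP_PROTO, 500, IKE_HDR)]
WITH_NATT = ONLY_500 + [
    (UDP_PROTO, 4500, b"\x00" * 4 + IKE_HDR),
    (UDP_PROTO, 4500, ESP_PKT),
    (UDP_PROTO, 4500, b"\xff"),
]

if __name__ == "__main__":
    print(diagnose(ONLY_500), diagnose(WITH_NATT))
```

A capture that classifies as `negotiation-only` matches the symptom in Messages 3 and 6: the tunnel forms over UDP 500, but no encrypted payload crosses the router.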
