How to configure VPN with Cisco ASA 5505 behind Actiontec MI424WR
Verk
Enthusiast - Level 3

I'm trying to test my Cisco VPN client from my workplace to my home where I have a Cisco ASA 5505 (VPN server) behind the Actiontec MI424WR.  I'm able to Ping the Actiontec external IP.  I also have Port Forwarding for IKE and IPSec configured on the Actiontec, but I cannot establish the VPN connection.

What do I need to configure on the Actiontec to make this work?

Also, when I test this at home, the MI424WR acts as the DHCP server for my laptop and the Cisco outside interface.  At home, I'm able to establish the VPN connection from my laptop to the ASA, allowing me to see a shared drive behind the ASA.  However, at home, I cannot go to the Internet while using the VPN client.

Thanks for any help.

Steve

Re: How to configure VPN with Cisco ASA 5505 behind Actiontec MI424WR
Hubrisnxs
Legend

Well, how did you configure your port forwarding?

I know a popular mistake is that when people configure the ports they specify a source, when it should be ANY,  and then your destination port is the only thing that should be defined.


@Verk wrote:

I'm trying to test my Cisco VPN client from my workplace to my home where I have a Cisco ASA 5505 (VPN server) behind the Actiontec MI424WR.  I'm able to Ping the Actiontec external IP.  I also have Port Forwarding for IKE and IPSec configured on the Actiontec, but I cannot establish the VPN connection.

What do I need to configure on the Actiontec to make this work?

Also, when I test this at home, the MI424WR acts as the DHCP server for my laptop and the Cisco outside interface.  At home, I'm able to establish the VPN connection from my laptop to the ASA, allowing me to see a shared drive behind the ASA.  However, at home, I cannot go to the Internet while using the VPN client.

Thanks for any help.

Steve


Re: How to configure VPN with Cisco ASA 5505 behind Actiontec MI424WR
Verk
Enthusiast - Level 3

Thanks for your reply.

I had the port forwarding rule configured with the protocols IKE and IPSec.  This didn't allow me to establish a VPN connection.

I just added the rule

Network address: 192.168.2.3:500

Protocols: UDP Any -> 500

WAN: All broadband devices

This allowed me to establish a VPN connection, but I cannot contact the shared drive behind the Cisco ASA.  The drive may be powered off.  I'll check when I get home.

Would I have to add another rule to allow communications such as talking with the shared drive?  Or, does everything over the VPN use UDP port no. 500?

Thanks again.

Re: How to configure VPN with Cisco ASA 5505 behind Actiontec MI424WR
Hubrisnxs
Legend

You shouldn't have to add that rule in the Actiontec to my awareness, but check with the Cisco and see if there are additional rules for your particular session that you need configured. I think you should be all set with the Actiontec configs since it's now letting you form a tunnel.

Re: How to configure VPN with Cisco ASA 5505 behind Actiontec MI424WR
Verk
Enthusiast - Level 3

I tested tonight from home, and I was able to connect to the shared drive behind the ASA.

[shared drive] -- [Cisco ASA] -- [MI424WR] -- [NET]
                                     |
                                 [Laptop]

One difference is that the laptop is on the same net as the Cisco's outside interface, whereas when I'm at work, it's a different source network.  But, thanks to you, I can establish VPN connectivity from work, which is progress.

I also thought about looking for logs on the Cisco ASA.  Maybe that'll tell me something.

I used Wireshark at home tonight, but nothing stood out in the packets.

Re: How to configure VPN with Cisco ASA 5505 behind Actiontec MI424WR
Verk
Enthusiast - Level 3

Unfortunately, I'm still working on this.

After adding a port forwarding rule on the MI424WR to the Cisco ASA, specifically port no. 500, I was able to establish a VPN connection.  However, I still CANNOT ping devices behind the ASA or access a shared drive that I set up.  I am able to do this while at home (where traffic doesn't pass through the MI424WR WAN interface).

Perhaps I need a different/another port forwarding rule.  Or port triggering which I know nothing about.

To eliminate the MI424WR from my troubleshooting, I'm considering making the MI424WR a bridge.

What's the recommended configuration procedure to make the MI424WR a bridge?  Also, how do I revert back to the router config?

Thanks, Steve

Re: How to configure VPN with Cisco ASA 5505 behind Actiontec MI424WR
Hubrisnxs
Legend

http://www.dslreports.com/faq/verizonfios/3.0_Networking

Those are the best sample configs and resources on how to set up the FiOS network.

Bridging is possible but difficult.  That link will give you great info on it.

Are you a FiOS customer that has phone/internet/TV, or no TV, or no phone?  You have to be careful with your configuration or you might lose some TV features and functionality, like the Interactive Program Guide, or the VOD or the Widgets.

Sorry the port forwarding wasn't enough to resolve your issue. I am not sure that it's an Actiontec config you are looking for; from my understanding of Ciscos and FiOS, it may be something behind the Cisco that is causing an issue.  You may want to reach out to the Cisco admin that manages that and find out if there are additional ports that are required, and then you can come back and configure those ports too.

Re: How to configure VPN with Cisco ASA 5505 behind Actiontec MI424WR
Hubrisnxs
Legend

If you configure it as a bridge and you want to convert back, you can do so by holding down the reset button in the back for 20 seconds. That restores the Actiontec/Westell to factory specifications.

Here is an article I found on bridging that was met with mixed results.  

http://www.dslreports.com/forum/r17679150-Howto-make-ActionTec-MI424WR-a-network-bridge

According to Actiontec it can't be bridged (true bridge), but a lot of users have found ways to create a bridge environment that works for them.

Re: How to configure VPN with Cisco ASA 5505 behind Actiontec MI424WR
prisaz
Legend

@Hubrisnxs wrote:

If you configure it as a bridge and you want to convert back, you can do so by holding down the reset button in the back for 20 seconds. That restores the Actiontec/Westell to factory specifications.

Here is an article I found on bridging that was met with mixed results.  

http://www.dslreports.com/forum/r17679150-Howto-make-ActionTec-MI424WR-a-network-bridge

According to Actiontec it can't be bridged (true bridge), but a lot of users have found ways to create a bridge environment that works for them.


Bridge? One media type to another. Set the Actiontec to an address that does not conflict with any other address on your network. Throw the WAN port out the window. Use the LAN ports only. Wireless and MoCA to Ethernet bridge. But you must have Ethernet enabled on your ONT to another router. MoCA WAN cannot be bridged to the best of my knowledge. My exact setup.

Have Verizon turn on Ethernet from the ONT. You will be happier!

Re: How to configure VPN with Cisco ASA 5505 behind Actiontec MI424WR
Verk
Enthusiast - Level 3

I'm able to talk to devices behind the Cisco ASA now.  I had to enable "nat-t" on the ASA and forward UDP 4500 too.

0 Likes
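
Why forwarding only UDP 500 brought the tunnel up but passed no data, as an added example that is not part of the thread: IKE negotiates on UDP 500, but without NAT-T the data then travels as ESP (IP protocol 50), which a UDP port-forwarding rule cannot match, while with NAT-T both IKE and ESP move to UDP 4500 (RFC 3947/3948). The Python below classifies raw IPv4 packets accordingly; the function names and sample packets are constructed for illustration, and 203.0.113.10 is a placeholder client address.

```python
import socket
import struct

IKE_PORT, NATT_PORT = 500, 4500   # UDP ports used by IKE and NAT-T (RFC 3947/3948)
PROTO_UDP, PROTO_ESP = 17, 50     # IP protocol numbers

def classify(packet: bytes) -> str:
    """Label one raw IPv4 packet taken from a capture."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] == PROTO_ESP:
        return "native-esp"                 # no UDP/TCP header, so no port to match
    if packet[9] != PROTO_UDP or len(packet) < ihl + 8:
        return "other"
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    payload = packet[ihl + 8:]
    if IKE_PORT in (sport, dport):
        return "ike-udp500"
    if NATT_PORT in (sport, dport):
        if payload == b"\xff":
            return "natt-keepalive"         # single 0xFF byte keeps the NAT mapping alive
        if payload[:4] == b"\x00" * 4:
            return "ike-udp4500"            # non-ESP marker: four zero bytes, then IKE
        return "esp-in-udp4500"             # first 4 bytes are a non-zero ESP SPI
    return "other"

def must_pass(packets) -> set:
    """What the router in front of the VPN server has to let through for this capture."""
    needs = {"ike-udp500": "UDP 500", "ike-udp4500": "UDP 4500",
             "esp-in-udp4500": "UDP 4500", "natt-keepalive": "UDP 4500",
             "native-esp": "IP protocol 50 (no port to forward)"}
    return {needs[c] for c in map(classify, packets) if c in needs}

def ipv4(proto, payload, src="203.0.113.10", dst="192.168.2.3"):
    """Build a constructed IPv4 packet (checksum left at 0; sample data only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

def udp(sport, dport, payload):
    return ipv4(PROTO_UDP, struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload)

# Constructed sample traffic: placeholder IKE message and ESP packet (SPI, sequence, data).
IKE = bytes.fromhex("1122334455667788") + bytes(20)
ESP = struct.pack("!II", 0x1A2B3C4D, 1) + bytes(16)
WITHOUT_NATT = [udp(500, 500, IKE), ipv4(PROTO_ESP, ESP)]
WITH_NATT = [udp(500, 500, IKE), udp(4500, 4500, b"\x00" * 4 + IKE),
             udp(4500, 4500, ESP), udp(4500, 4500, b"\xff")]
```

Calling `must_pass(WITHOUT_NATT)` and `must_pass(WITH_NATT)` shows the difference between the two states described in the thread: only the NAT-T capture can be satisfied entirely by UDP port-forwarding rules.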