CyberWarrior7194
Do I have to port forward any ports when trying to use a Cisco ASA5505 behind a Verizon Fios Router?

Good Evening,

I have recently placed a Cisco ASA 5505 behind a Verizon FIOS router. Everyone has Internet and it all seems to be working fine. Inside IP is 192.168.10.1/24 and Outside IP is 192.168.20.2/24. The Verizon FIOS router LAN side has 192.168.20.1/24 and the WAN side of the Verizon FIOS router has a STATIC IP xxx.xxx.xx.48. The problem is that if I am at a hotel or another location I am not able to use my Cisco VPN client to get to the inside network. Everything is set up correctly on the Cisco ASA side as I have done this many times for situations where the outside interface on the Cisco ASA has a real IP, but this time it is behind the Verizon FIOS router and the customer does not want to make that router a bridge. My question is: do I have to do port forwarding on that Verizon router, and if so, what ports should I forward?
ASKER CERTIFIED SOLUTION
arnold
CyberWarrior7194

ASKER

Thanks for the suggestions, I will be back in the office early Monday morning and I will give them a try and respond back here.

Thanks again.

I did verify that all ports are set up to be forwarded. BUT I got back to the office today and found that one ASA is denying users because of the 10-host license limit and I had to pull that one out for now and go back to a Netgear firewall till we get the ASA license upgraded to a 50 user/host version. The strange thing is that when the customer was using two Netgear devices (one behind a Verizon router and the other one behind a Comcast router) the site-to-site tunnel came up fine, so once the license issue is resolved I will try again. For today we are going to try and bring up a site-to-site VPN between one Netgear and one Cisco ASA5505. So far in the packet capture of the ASA I see the following.
xx.xxx.xxx.xx.500 > 192.168.9.2.500 udp 68
192.168.9.2.500 > xx.xxx.xxx.xx.500 udp 256
We are going to check configs on both sides and see where we are. Also here is some output from the Cisco ASA5505 CLI.
Result of the command: "sho crypto ipsec sa"

There are no ipsec sas



Result of the command: "sho run crypto isakmp"

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400



Result of the command: "sho run crypto ipsec"

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000



Result of the command: "sho run crypto map"

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer xx.xxx.xxx.xx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside



Result of the command: "sho crypto ipsec sa"

There are no ipsec sas



Result of the command: "sho crypto isakmp sa"

There are no isakmp sas
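As an added illustration (not from the original thread or the hidden accepted answer), the script below parses capture lines in the same "src.port > dst.port proto len" layout quoted above and reports, per IPsec flow, which direction was observed, using the standard IKE (UDP 500) and NAT-T (UDP 4500) ports. The sample addresses are constructed placeholders, and the local outside address passed in is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the ASA capture lines quoted above;
# 203.0.113.10 stands in for the masked remote peer, 192.168.9.2 is the
# ASA outside address (assumed). Only UDP 500 is seen, nothing on UDP 4500.
SAMPLE_CAPTURE = """\
203.0.113.10.500 > 192.168.9.2.500 udp 68
192.168.9.2.500 > 203.0.113.10.500 udp 256
"""

# Behind a NAT router, ESP is carried inside UDP 4500 by NAT-T, so these two
# UDP flows are the ones the router in front of the ASA has to pass.
IPSEC_FLOWS = {"ike": ("udp", 500), "nat-t": ("udp", 4500)}
LINE_RE = re.compile(r"^(\S+)\.(\d+) > (\S+)\.(\d+) (\w+) (\d+)$")

def parse_capture(text):
    """Return (src, sport, dst, dport, proto, length) tuples; skip non-matching lines."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            src, sport, dst, dport, proto, length = m.groups()
            flows.append((src, int(sport), dst, int(dport), proto.lower(), int(length)))
    return flows

def ipsec_direction_report(text, local_ip):
    """For each IPsec flow, list the directions seen relative to the ASA ('in', 'out')."""
    seen = defaultdict(set)
    for src, sport, dst, dport, proto, _ in parse_capture(text):
        for name, (p, port) in IPSEC_FLOWS.items():
            if proto == p and port in (sport, dport):
                seen[name].add("out" if src == local_ip else "in")
    return {name: sorted(seen[name]) for name in IPSEC_FLOWS}

def diagnose(report):
    """Map the observed directions to the usual first thing to check."""
    ike, natt = report["ike"], report["nat-t"]
    if "in" not in ike:
        return "no IKE from the peer reached the ASA: UDP 500 is not forwarded (or the peer is not initiating)"
    if "out" not in ike:
        return "ASA saw IKE but did not answer: check 'crypto isakmp enable outside' and the crypto map peer"
    if not natt:
        return "IKE both ways but nothing on UDP 4500: phase 1 is not completing; verify 4500 forwarding, ISAKMP policy and pre-shared key"
    if "in" not in natt:
        return "NAT-T not arriving: UDP 4500 is not forwarded on the router in front of the ASA"
    return "IKE and NAT-T flow both ways; look at phase 2 (transform set / crypto ACL) rather than the NAT router"

if __name__ == "__main__":
    print(diagnose(ipsec_direction_report(SAMPLE_CAPTURE, "192.168.9.2")))
```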
One problem was the Comcast modem not passing traffic on all those ports, so once they were forwarded properly I could see traffic coming in. The L2L tunnel comes up but drops between the Netgear and Cisco ASA due to some type of SA problem. Will have to research that, but that is another story, so closing this out for now. Thanks for all your help.