Do I have to port forward any ports when trying to use a Cisco ASA5505 behind a Verizon Fios Router?

CyberWarrior7194
Good Evening,

     I have recently placed a Cisco ASA 5505 behind a Verizon FIOS router. Everyone has Internet and it all seems to be working fine. Inside IP is 192.168.10.1 /24 and Outside IP is 192.168.20.2/24. The Verizon FIOS router LAN side has 192.168.20.1/24 and the WAN side of the Verizon FIOS router has a STATIC IP xxx.xxx.xx.48. The problem is that if I am at a hotel or another location I am not able to use my Cisco VPN client to get to the inside network. Everything is setup correctly on the Cisco ASA side as I have done this many times for situations where the outside interface on the Cisco ASA has a real IP, but this time it is behind the Verizon FIOS router and the customer does not want to make that router a bridge. My question is do I have to do port forwarding on that Verizon router and If so what ports should I forward?
Distinguished Expert 2017
Commented:
Yes, UDP port 500 for IPsec and 4500 for NAT traversal.
The issue is if the LAN on the remote is on the same segment as you have.
Ernie Beek, Senior infrastructure engineer
Top Expert 2012
Commented:
Also think about protocol 50 and 51 (ESP and AH), don't know if the FIOS passes that through automatically. Remember, these are protocols and not ports (just like UDP and TCP are protocols, 6 and 17 to be exact).

Author

Commented:
Thanks for the suggestions, I will be back in the office early Monday morning and I will give them a try and respond back here.

Thanks again.

Author

Commented:
I did verify that all ports are set up to be forwarded. BUT I got back to the office today and found that one ASA is denying users because of the 10-host license limit and I had to pull that one out for now and go back to a Netgear firewall till we get the ASA license upgraded to a 50 user/host version. The strange thing is that when the customer was using two Netgear devices (one behind a Verizon router and the other one behind a Comcast router) the site-to-site tunnel came up fine, so once the license issue is resolved I will try again. For today we are going to try and bring up a site-to-site VPN between one Netgear and one Cisco ASA 5505. So far in the packet capture of the ASA I see the following.
xx.xxx.xxx.xx.500 > 192.168.9.2.500 udp 68
192.168.9.2.500 > xx.xxx.xxx.xx.500 udp 256
We are going to check configs on both sides and see where we are. Also here is some output from the Cisco ASA 5505 CLI.
Result of the command: "sho crypto ipsec sa"

There are no ipsec sas



Result of the command: "sho run crypto isakmp"

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400



Result of the command: "sho run crypto ipsec"

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000



Result of the command: "sho run crypto map"

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer xx.xxx.xxx.xx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside



Result of the command: "sho crypto ipsec sa"

There are no ipsec sas



Result of the command: "sho crypto isakmp sa"

There are no isakmp sas
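As an added troubleshooting example (not code from this thread): a small Python script that reads capture lines in the format quoted above together with the "sho crypto isakmp sa" output and reports which of the items raised in this thread to check next (UDP/500 forwarding, the ASA replying at all, phase 1 completing, and whether ESP or only UDP/4500 needs to pass the front router). The capture text, the SA output and the peer address 203.0.113.10 are constructed sample values.

```python
import re
from collections import Counter

# Constructed sample in the ASA capture format quoted above
# (src.port > dst.port udp length); 203.0.113.10 stands in for the remote peer.
SAMPLE_CAPTURE = """\
203.0.113.10.500 > 192.168.9.2.500 udp 68
192.168.9.2.500 > 203.0.113.10.500 udp 256
203.0.113.10.500 > 192.168.9.2.500 udp 68
192.168.9.2.500 > 203.0.113.10.500 udp 256
"""
SAMPLE_ISAKMP_SA = "There are no isakmp sas\n"  # constructed, as quoted above

LINE_RE = re.compile(r"^(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+) udp (\d+)$")


def count_ike_flows(capture_text, local_ip):
    """Count IKE (UDP/500) and NAT-T (UDP/4500) datagrams by (port, direction)."""
    counts = Counter()
    for line in capture_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a UDP line in this format; ignored
        src, _sport, dst, dport, _length = m.groups()
        port = int(dport)
        if port not in (500, 4500):
            continue
        if dst == local_ip:
            counts[(port, "in")] += 1
        elif src == local_ip:
            counts[(port, "out")] += 1
    return counts


def has_isakmp_sa(show_output):
    """True unless 'sho crypto isakmp sa' reports that there are no SAs."""
    return "There are no isakmp sas" not in show_output


def diagnose(counts, isakmp_sa_present):
    """Turn the evidence into the next thing to check, most basic first."""
    if counts[(500, "in")] == 0:
        return "no inbound IKE: check UDP/500 forwarding on the router in front of the ASA"
    if counts[(500, "out")] == 0:
        return "inbound IKE but no reply: check 'crypto isakmp enable outside' and the peer address"
    if not isakmp_sa_present:
        return "IKE flows both ways but phase 1 never completes: compare isakmp policy and pre-shared key"
    if counts[(4500, "in")] or counts[(4500, "out")]:
        return "phase 1 up with NAT-T: ESP rides UDP/4500, so UDP 500 and 4500 forwarding suffice"
    return "phase 1 up without NAT-T: ESP (IP protocol 50) must itself pass the router in front"
```

Run `diagnose(count_ike_flows(SAMPLE_CAPTURE, "192.168.9.2"), has_isakmp_sa(SAMPLE_ISAKMP_SA))` against a real `show capture` paste to get the same verdict for your own tunnel.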

Author

Commented:
One problem was the Comcast modem not passing traffic on all those ports, so once they were forwarded properly I could see traffic coming in. The L2L tunnel comes up but drops between the Netgear and Cisco ASA due to some type of SA problem. Will have to research that, but that is another story, so closing this out for now. Thanks for all your help.
