Placing a PIX 501 behind FIOS router for VPNs


I have a Verizon FIOS internet connection and one of their wireless broadband routers, and it's a completely basic setup...their router does DHCP and firewalling, and the connection has a dynamic address. I'd like to put the PIX 501 behind the Verizon router as one of its clients, and have the PIX do VPNs to other PIX 501s at other locations, such that my entire network has access to the remote networks.


Can this be done, and if so, could anyone post some suggested configurations (how to address the inside and outside ports, static routes that might be needed somewhere, etc)?


Thanks for any help.

Correct Answer by mcarnahan, Thu, 08/12/2010 - 09:19

When my FiOS was installed, I had already requested that it be installed on the Ethernet cable. Don't know that they have to do anything to allow you to switch over from Coax to Ethernet.


The easiest way to test it would be to find the media converter (follow the coax from your FiOS router back to the demarc and there should be a box there that has a Coax port, a few Phone jacks, and an Ethernet port). If you disconnect the Coax and plug a laptop into the Ethernet port, see if your laptop pulls a public IP address. If it does, then you just have to run an Ethernet cable to your PIX501 and you should be all set.


Just note that Verizon, depending on your area, does make DHCP assignments reserved. This means that you may have to call Verizon and have them release the previous DHCP-MAC address assignment. I had this happen just recently. They have to release the assignment and then your PIX will pull a new IP and they will reserve your new IP-MAC address assignment. They do this to speed up the connection time from a cold start on the router.


Basically they are doing MAC address filtering, but via a sticky ARP where they clear the entry and then the next device that connects it records its MAC address and then only that device is allowed to connect to that leg of the cable. So, there's a little work you may have to do, but the hardest part would be sitting on hold waiting for a tech, if you have to call in to Verizon.

mcarnahan Mon, 08/09/2010 - 12:51

FiOS doesn't use PPPOE to get its IP Address assignment.

mcarnahan Mon, 08/09/2010 - 12:49

You will not be able to do this unless you set your PIX 501 to be in the DMZ of the FiOS router. The only problem is that if your FiOS router has DHCP, then, if Verizon ever assigns you a new IP, you will have to update all the remote PIX/VPN endpoints. Additionally there may be issues with your PIX terminating VPN tunnels using an IP address that is not on one of its interfaces, as you would have to use the external IP address of the FiOS router in the VPN tunnel setup. I have never tried it, but I can see how that could be a problem.

I think I agree with you...unless the FIOS router is in bridge mode, passing the outside address onto the PIX, I don't see how a VPN could be established from the PIX.  And if the FIOS router were in bridge mode, then we wouldn't be able to use its built-in wireless function (unless we hung another wireless device off the PIX).


As for the dynamic IP coming from Verizon, the PIX would always initiate the VPN to another PIX with a static IP, so I don't think addressing would be an issue.


Thanks for the replies, and please post any other ideas that come to mind.

mcarnahan Tue, 08/10/2010 - 11:11

Yes, if the FiOS router is in bridge mode, then your PIX would pull the DHCP address and it could work.  And yes you wouldn't be able to use the built-in wireless function while it is in bridge mode.


You mention that the PIX with the dynamic IP would always initiate the VPN; that would work, but you would have to set up the static PIXs to receive VPNs from any IP source, similar to a remote access VPN. I'd highly recommend using certificate based VPN authentication if you do that, as it will ensure the security of your network.


Now, I did have an idea of how you could do this, but it does depend on the type of FiOS router you have and how the FiOS is terminated on the FiOS router. If you're not using the COAX for the WAN connection, then you don't really need the FiOS router at all (unless you have FiOS TV, but my idea would still work if you have FiOS TV, just an added step).


So here's my idea....


Take the ethernet cable out of the WAN/Internet port on the FiOS router and put it into your PIX 501 outside interface. Configure the PIX 501's outside interface to accept a dynamically assigned IP...make sure you set up your NAT. Then take the FiOS router and connect it to your switch and/or another port on the PIX 501. You will have to configure that port on the PIX 501. Then on the FiOS router, configure Home/Office Network (Bridged Connection) with DHCP relay pointed to your internal DHCP server. Make sure you turn off the firewall on the FiOS and include the WLAN in the Home/Office Network (Bridged Connection). Now you can have your wireless and your VPN.


Alternatively you can just plug the FiOS router into the switch and the WAN port on the FiOS router and use it the same way you are now, but in this setup you will have issues if you are running a domain, as DNS gets rewritten and NAT on the FiOS router will wreak havoc on your wireless users. If you're not running a domain, then you shouldn't have a problem.


The FiOS router is only needed in two scenarios...1) your WAN connection was extended to your FiOS router via COAX, or 2) you have FiOS TV. Since most FiOS routers only have one (1) Coax interface, these two scenarios are mutually exclusive. If you have FiOS TV, then you will need to reconnect the COAX cable on the router so that your DVRs and set top boxes will still pull IP addresses and update content for the programming guide.


I have FiOS at my office and I took the FiOS router out of the network altogether and have it terminated on our ASA5520, so I know that this will work.  I also just did this very same thing for a customer using an ASA5505.


Let me know if you have any questions.
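The following PIX 6.3 configuration is an added illustration of the setup described in the reply above (outside interface on DHCP, NAT for the LAN, and a site-to-site tunnel that the dynamic-IP PIX always initiates, with the static-IP PIX accepting it through a dynamic crypto map and certificate authentication). It is not configuration posted by mcarnahan or by the original poster. All addresses are constructed: 192.168.10.0/24 is the dynamic site's LAN, 192.168.20.0/24 the static site's LAN, and 203.0.113.10 the static site's public IP. The CA address and enrollment details are placeholders; a PIX 501 has one outside port plus the 4-port inside switch, so "another port on the PIX" in the reply is one of the inside switch ports. AES requires the 3DES/AES activation key; substitute 3DES if the unit lacks it.

```cisco
! ===== Site A: PIX 501 behind the FiOS media converter, dynamic public IP =====
hostname pixA
domain-name example.com
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
! Outside pulls its address from Verizon DHCP and installs the default route it hands out
ip address outside dhcp setroute
ip address inside 192.168.10.1 255.255.255.0
! PAT the whole LAN behind whatever address the outside interface currently holds
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
! Traffic for the remote LAN must bypass NAT so it matches the crypto ACL
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list nonat
! Interesting traffic for the tunnel (same hosts as the nonat ACL)
access-list vpn-to-siteB permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
! Let decrypted tunnel traffic in without a separate outside ACL
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn-to-siteB
crypto map vpnmap 10 set peer 203.0.113.10
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside
isakmp enable outside
! Phase 1 with certificates (rsa-sig); identity must be hostname, not address,
! because the outside address changes whenever Verizon issues a new lease
isakmp identity hostname
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Dead-peer detection so a lease change on Site A tears down the stale SA promptly
isakmp keepalive 10 3
! Certificate enrollment outline (placeholder CA; enrollment steps are run once, interactively)
! ca generate rsa key 1024
! ca identity lab-ca 198.51.100.5
! ca configure lab-ca ca 1 20 crloptional
! ca authenticate lab-ca
! ca enroll lab-ca <one-time-password-from-CA>
! ca save all

! ===== Site B: PIX 501 with static public IP 203.0.113.10 =====
hostname pixB
domain-name example.com
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.10 255.255.255.248
ip address inside 192.168.20.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat
! Restrict what the dynamic peer may protect to the expected Site A LAN
access-list vpn-from-siteA permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac
! No "set peer": Site A's address is unknown, so it is learned from the incoming IKE exchange
crypto dynamic-map dynmap 10 match address vpn-from-siteA
crypto dynamic-map dynmap 10 set transform-set strong
! Dynamic entry gets the highest sequence number so static entries are tried first
crypto map vpnmap 20 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside
isakmp enable outside
isakmp identity hostname
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp keepalive 10 3
! Site B enrolls with the same CA (same placeholder commands as above)
```

Two points worth checking after applying this: on Site B, `show crypto isakmp sa` should show the Site A peer's current public address only after Site A initiates, since a dynamic map can never originate the tunnel, and traffic from Site B toward 192.168.10.0/24 will fail until that happens. And because Site B now accepts IKE from any source, the certificate check is what actually limits who can bring up a tunnel; with pre-shared keys instead of rsa-sig the same dynamic map would have to use a wildcard peer key shared by every remote site, which is why the reply recommends certificates.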

This is great information, thank you so much!


The FIOS router is only for internet, not TV, but has coax coming into it.  When your FIOS was installed, did they install it with the ethernet cable, or did you later ask them to change it from coax to ethernet?  Do you think they would honor a change request from coax to ethernet?  Could we just change it ourselves?

