I recently placed a Cisco ASA firewall on the outside interface facing Verizon, with my AT sitting on the inside. I am able to ping my firewall from the Actiontec router as well as from the internet (184.108.40.206). The problem is that after having made this change, I can no longer get the guide on my STBs nor Video On Demand. I've talked to Verizon numerous times, and they all say this is too advanced for them and to just place my Verizon AT on the outside and that's it; however, this is not the setup I want, as I am much more advanced and prefer to use my Cisco ASA. I've worked with Cisco TAC support to get the perfect config for my VPN tunnel to work to the outside interface of my ASA and for routing multiple different networks on the inside. I even have a Linksys WRT310N wireless router sitting behind my ASA, and I can get any wireless device to talk through it and out to the internet through the Cisco ASA, but the darn AT won't pull guide or VOD service even though I can ping the internet from the AT router.
I really need some assistance from an advanced user who might be using a similar design. Do I need to bridge the AT, and if so, what is the exact configuration on the AT to do that, and will that allow my STBs to pull the guide and VOD, since the AT can already see the internet from the diagnostic tools?
I could really use some help, as I don't want to change my configuration and pull out my newly purchased $1,250 Cisco ASA firewall, which I bought so I could learn it.
I have 2 Port Forwarding Rules on my Actiontec that were created by Verizon:
TCP Port 4567
UDP Port 63145 to my DVR
Perhaps if you pass these 2 ports through to the Actiontec, the VOD and guide data may work.
If not, can you place the Actiontec in some type of DMZ to see if it will grab the guide and VOD?
This may be a shot in the dark, but are you running WAN on the AT to LAN on your Cisco? I have run this configuration through various Linux router boxes, and as long as the STB can see the internet you should be fine. No ports forwarded to anything, and everything secured.

The STBs on MoCA look at the default gateway assigned by the AT, and that would be whatever the AT router's IP is. So your STBs would be looking at your AT and not the Cisco that sits on the outside. If you run your AT without DHCP and get all IPs from your Cisco, you would need to issue IPs to the STBs based on MAC addresses and assign them in, say, the 192.168.1.100-107 range. Of course your network can be whatever, but IPs should be in the 100-107 range. You can go higher for the host address, but MoCA only supports 7 STBs from what I recall. I have also done this with the AT set with DHCP OFF and IPs assigned through my DHCP server, but you would need your AT running LAN to LAN with your Cisco. The MoCA and LAN on the Actiontec are bridged by default.

Regardless, you will not be able to use any remote features to access the STBs or DVRs through Verizon Central if you configure things this way. As you have found, Verizon cannot and does not support custom router configurations. I am sure they could, but they would be spending all their time trying to support everything under the sun.
Binaryops, let us know how you're making out. The Actiontec router has to be in the loop. I know this may sound silly, but make sure you still have the coax connection from the Actiontec into the loop where your STBs are connected. Make sure the LAN COAX LED on the Actiontec is green. Another thing to try is to unplug the power from all STBs. While all boxes are unplugged, do a hard reset on the Actiontec; once it syncs back up, go ahead and plug the power back into the STBs. Make sure the STBs are getting a local IP of 192.168.1.10x. Let us know. Brett
I found this setup paper quite useful in setting up my dual-subnetted network with the Verizon router.
There might be something in there to help you out.
I just recently got the triple play package from Verizon with FiOS too. And of course the Actiontec is total crap. The very first night it rebooted over and over again. What good is an internet connection you can't use, right... Anyway, I have a Cisco 831 that I use for a VPN to work, and so I decided to put that up front.
Anyway, I had the same problem. First I set up my router to bridge the connection from the Actiontec to my router. So it goes broadband MoCA -> Actiontec LAN -(eth cable)-> Cisco WAN port. This worked great, except now my VOD didn't work. So then I found this article....
It was genius: add a second bridge from the Cisco LAN -(eth cable)-> Actiontec WAN -> local MoCA, and then put DHCP relay on the bridge. Everything worked again, hooray. Then I added an access list, and there went my VOD again.
So then I spent about two hours turning ports on and off and such, and finally I figured it out. You'll need to allow inbound established TCP connections that internal hosts create. This will get back your guide and allow the VOD menu to work again. Then you have to allow inbound connections on UDP port 21310. I applied it and, lo and behold, VOD is back. Now my only problem is that the 831 only has a 10 Mb/s Ethernet WAN, so I can't get HD VOD, but ah well. I'll upgrade one of these days to an 851 or 871.
Here's what the access lists should look like in IOS:
ip access-list extended OUTSIDE_IN
 remark name is illustrative; apply this inbound on the WAN interface
 permit tcp any host (your external IP address) established
 permit udp any host (your external IP address) eq 21310
It's probably going to be a little different since you have an ASA, but I think you get the idea.
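For the original poster's ASA, the two IOS rules above translate differently, because the ASA is a stateful firewall: return traffic for TCP sessions the STBs open outbound is passed by its connection table, so no `established` rule is needed, and only the unsolicited UDP 21310 traffic needs an explicit permit plus a NAT entry that sends it to the Actiontec. The following is an added example written for this thread, not configuration posted by anyone in it. It assumes ASA 8.3-or-later NAT syntax, interfaces named `inside` and `outside`, and the Actiontec's WAN side sitting at 192.168.2.2 behind the ASA; the object and ACL names are placeholders.

```cisco
! Added example, not from the thread. Assumptions: ASA 8.3+ syntax,
! interfaces named inside/outside, Actiontec WAN address 192.168.2.2.

! Real (inside) address of the Actiontec, with a static PAT that maps
! UDP 21310 on the ASA's outside interface address to UDP 21310 on the Actiontec.
object network ACTIONTEC_WAN
 host 192.168.2.2
 nat (inside,outside) static interface service udp 21310 21310

! In 8.3+ the interface ACL matches on the real (post-NAT) address, so the
! permit references the object rather than the outside IP.
access-list OUTSIDE_IN extended permit udp any object ACTIONTEC_WAN eq 21310

! No "permit tcp ... established" line: stateful inspection already admits
! replies to the guide/VOD-menu connections the STBs open from the inside.
access-group OUTSIDE_IN in interface outside
```

On an ASA running a release before 8.3, the same forward is written as `static (inside,outside) udp interface 21310 192.168.2.2 21310 netmask 255.255.255.255`, and the ACL then references the mapped address instead: `access-list OUTSIDE_IN extended permit udp any interface outside eq 21310`. Either way, check the result before touching the STBs with `packet-tracer input outside udp 203.0.113.10 5000 <your outside IP> 21310` (the source address is a placeholder); the output should end with the flow allowed and translated to 192.168.2.2. If the Actiontec forwards from the earlier reply (TCP 4567 and UDP 63145 to the DVR) also need to arrive from the outside, repeat the same object, NAT and ACL pattern for those ports rather than opening anything wider.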