We’ll all been there, we want to install an ASA into our home with RESIDENTIAL internet. But Verizon gave you that annoying ActionTec device. What to do? In the perfect world one can simply order business internet and get a RJ-45 drop in your home but most of us have regular residential accounts.
First, we need to understand the pieces of the Verizon setup. Here’s the setup I’ve seen…
1. ActionTec Router
2. ONT device (inside)
So where to start! Off Verizon site theres is this diagram…
OK this helps us a bit but this is the outside ONT device only. The Inside ONT device works pretty much the same way but instead of the fiber run stopping outside your house, the fiber comes into your home and terminates at the little black box.
This part is really essential to know. As you can see from the diagram, there is literally a RJ-45 jack inside of the ONT outside box. If you want an RJ-45 drop, you’ll need to run on your own a Ethernet line between the outside ONT box and your ASA. This may or may not be feasible.
If you have the newer smaller black ONT boxes, this makes the process much easier. Instead of running a cable, off the ONT box is already a RJ-45 port. However, unless you ask, this port remains “admin down” and Verizon forces you to use their ActionTec to get internet.
The catch here is that the ActionTec supplies the TV Channel info off your Verizon TV box. If you cut that out of the equation, you’ll loose channel info. Personally I dont watch TV so I dont care. But I know alot of people out there do, so where is the happy middle ground?
Above is a rough ssketch of what the final product will look like. We’ll need to connect the RJ45 port off the ONT device towards out outside interface on our ASA. Next, to keep the TV channel info, we still need the ONT’s coax cable going to the ActionTec, and from the ActionTec go towards the TV Box. We also need another ethernet cable from the ActionTec towards the Firewall for wireless (if desired). In my case, I wanted to use the ActionTec’s wireless since if its there, why not use it?
Once you got the cabling, we need to now go into the ActionTec and configure it so that
1. I can still use ActionTec’s wireless
2. Lets call the wireless network 192.168.20/24 and my inside interface is 192.168.10.0/24. Unfortunately from what I saw the ActionTec WANTS to NAT. So in this case, we need to do a Double NAT technique to say…
192.168.20/24 NAT this traffic to 192.168.10.0/24. Access your ActionTec and make the changes in there (i dont have screenshots for this unfortunately but its pretty GUI straight forward).
Great, with that part done, we can keep the wireless and TV channel info.
The hardest part now is to call Verizon Support and convince them to turn on your RJ45 port. It sometimes depends on the tech you get, keep calling until they turn it on for you. Also remember that once they do turn it on, you need them to clear out ARP and renew DHCP to give you a new IP address.
On your ASA side, configure the following. I’m using Ethernet0/0 as my outside port. This example below is for a ASA 5505.
ip address dhcp setroute
switchport access vlan 2
BTW thanks to a fellow NYC Networker for showing me this setup! You know who you are if your reading this :)