ASA 5505 and PPPoE

Unanswered Question
Jul 9th, 2007

I have 5 statically assigned IP addresses from my ISP and I use a Netopia 3364 DSL modem for PPPoE authentication. This box is able to split out the public IPs to downstream firewalls, routers, etc, but when I connect my ASA 5505 to it and assign it one of the static IPs, I am unable to connect to the Internet. I am, however, able to see the web page for the Netopia and I am able to get the configuration to work with a Linksys router (in fact, 2 of them; each assigned a different public IP). I did not configure PPPoE on the ASA 5505 but simply assigned its outside interface to one of the public IPs, as I did with the Linksys. Any ideas?

m-chilton Tue, 07/10/2007 - 06:16

I presume you set a default route using the setroute option, but this is not available if you use the "ip address [ip_address [mask]]" command. When I try to use the "ip address [ip_address [mask]] pppoe [setroute]" command, I get an error.

acomiskey Tue, 07/10/2007 - 06:20

But you're not using pppoe on the ASA right?

route outside

m-chilton Tue, 07/10/2007 - 07:14

Here's the running config output. I'm not sure if it's entirely correct. I got the next ip address from the Netopia web page.

ASA Version 7.2(2)

hostname ciscoasa
domain-name default.domain.invalid
enable password xxx

interface Vlan1
 nameif inside
 security-level 100
 ip address

interface Vlan2
 nameif outside
 security-level 0
 ip address

interface Vlan3
 nameif dmz
 security-level 50
 ip address dhcp setroute

interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5
 switchport access vlan 3

interface Ethernet0/6

interface Ethernet0/7

passwd xxx
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup dmz
dns server-group DefaultDNS
 name-server yyy.yyy.yya.1
 name-server yyy.yyy.yyb..1
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400

global (outside) 1 interface
global (dmz) 1 netmask
nat (inside) 1
static (dmz,outside) netmask
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside

dhcpd address inside
dhcpd dns yyy.yyy.yya.1 yyy.yyy.yyb.1 interface inside
dhcpd enable inside

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map

 message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

service-policy global_policy global
prompt hostname context

: end

acomiskey Tue, 07/10/2007 - 07:18

Your default route would be to an ip address on the same subnet as your outside is most likely not correct. What is the address on the netopia?

m-chilton Tue, 07/10/2007 - 07:42

Okay, I changed it to, which is its assigned address and still no go.

m-chilton Thu, 07/12/2007 - 16:06

Well, I did a reset to factory defaults and configured NAT within the address range given to me by the ISP; after a few minutes, it worked, so I guess the problem was in address translation across the interfaces.
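The default-route question raised earlier in the thread can be checked offline against a saved running config. The script below is an added example, not part of any post in this thread: it verifies that each static route's next hop lies inside the connected subnet of the interface the route names. The sample config, its addresses (RFC 5737 and private ranges) and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in ASA 7.x syntax; addresses are documentation/private ranges.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
interface Vlan3
 nameif dmz
 security-level 50
 ip address dhcp setroute
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
route inside 10.20.0.0 255.255.0.0 192.168.2.254 1
"""

def interface_networks(config):
    """Map each nameif to its statically configured connected network."""
    nets, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = None  # new interface block, nameif not seen yet
        elif m := re.match(r"\s+nameif (\S+)", line):
            name = m.group(1)
        elif name and (m := re.match(r"\s+ip address (\d\S+) (\d\S+)", line)):
            nets[name] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    return nets

def check_routes(config):
    """Return (interface, next_hop, verdict) for every static route line."""
    nets, results = interface_networks(config), []
    for m in re.finditer(r"^route (\S+) \S+ \S+ (\S+)", config, re.M):
        ifname, hop = m.group(1), ipaddress.ip_address(m.group(2))
        net = nets.get(ifname)
        if net is None:
            verdict = "no static address on interface"
        elif hop in net:
            verdict = "ok"
        else:
            verdict = f"next hop outside {net}"
        results.append((ifname, str(hop), verdict))
    return results

if __name__ == "__main__":
    for row in check_routes(SAMPLE_CONFIG):
        print(*row)
```

Interfaces addressed by DHCP or PPPoE have no static subnet in the config, so routes that name them are reported rather than validated.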

