ASA 5505 and PPPoE

Jul 9th, 2007

I have 5 statically assigned IP addresses from my ISP and I use a Netopia 3364 DSL modem for PPPoE authentication. This box is able to split out the public IPs to downstream firewalls, routers, etc., but when I connect my ASA 5505 to it and assign it one of the static IPs, I am unable to connect to the Internet. I am, however, able to see the web page for the Netopia and I am able to get the configuration to work with a Linksys router (in fact, 2 of them; each assigned a different public IP). I did not configure PPPoE on the ASA 5505 but simply assigned its outside interface to one of the public IPs, as I did with the Linksys. Any ideas?

m-chilton Tue, 07/10/2007 - 06:16

I presume you set a default route using the setroute option, but this is not available if you use the "ip address [ip_address [mask]]" command. When I try to use the "ip address [ip_address [mask]] pppoe [setroute]" command, I get an error.

acomiskey Tue, 07/10/2007 - 06:20

But you're not using PPPoE on the ASA, right?


route outside 0.0.0.0 0.0.0.0

m-chilton Tue, 07/10/2007 - 07:14

Here's the running config output. I'm not sure if it's entirely correct. I got the next ip address from the Netopia web page.


ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xxx
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.74 255.255.255.248
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxx
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup dmz
dns server-group DefaultDNS
 name-server yyy.yyy.yya.1
 name-server yyy.yyy.yyb..1
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any xxx.xxx.xxx.72 255.255.255.248 eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 192.168.1.10-192.168.1.125 netmask 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0
static (dmz,outside) xxx.xxx.xxx.72 192.168.1.100 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.0.2.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.129 inside
dhcpd dns yyy.yyy.yya.1 yyy.yyy.yyb.1 interface inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:####
: end

acomiskey Tue, 07/10/2007 - 07:18

Your default route would be to an ip address on the same subnet as your outside interface...xxx.xxx.xxx.74 255.255.255.248.


192.0.2.100 is most likely not correct. What is the address on the Netopia?
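The check described in the reply above (a route's next hop has to sit inside the subnet of the interface it is bound to) can be run mechanically against a saved config. This is an added example, not part of the original thread: 198.51.100.72/29 is a constructed stand-in for the redacted public block, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in ASA 7.x syntax. 198.51.100.72/29 stands in for the
# redacted public block (assumption); 192.0.2.100 is the next hop from the thread.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 198.51.100.74 255.255.255.248
!
interface Vlan3
 nameif dmz
 ip address dhcp setroute
!
route outside 0.0.0.0 0.0.0.0 192.0.2.100 1
"""

def interface_networks(config):
    """Map each nameif to its statically configured connected network."""
    nets, name = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            name = None                      # new stanza, nameif not seen yet
        elif line.startswith("nameif "):
            name = line.split()[1]
        else:
            m = re.fullmatch(r"ip address (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})", line)
            if m and name:                   # dhcp/pppoe addresses are skipped
                nets[name] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
    return nets

def off_link_routes(config):
    """Return (interface, next_hop, connected_net) for routes whose gateway is off-link."""
    nets, bad = interface_networks(config), []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "route" and parts[1] in nets:
            hop = ipaddress.ip_address(parts[4])
            if hop not in nets[parts[1]]:
                bad.append((parts[1], str(hop), str(nets[parts[1]])))
    return bad

if __name__ == "__main__":
    for ifname, hop, net in off_link_routes(SAMPLE_CONFIG):
        print(f"route on {ifname}: next hop {hop} is outside connected network {net}")
```

Routes bound to an interface that gets its address from DHCP or PPPoE are not evaluated, since the connected network is not in the config text.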


m-chilton Tue, 07/10/2007 - 07:42

Okay, I changed it to xxx.xxx.xxx.78, which is its assigned address and still no go.

m-chilton Thu, 07/12/2007 - 16:06

Well, I did a reset to factory defaults and configured NAT within the address range given to me by the ISP; after a few minutes, it worked, so I guess the problem was in address translation across the interfaces.
