Unanswered Question
Jan 29th, 2008

I'm having trouble with one of my VPN sites when I attempt to use a VPN tunnel utilizing my DSL connection instead of my frame circuit. I wasn't able to do PPPoE off of the remote PIX, so my ISP told me to try using one of my assigned IP addresses on the inside of my DSL router's DHCP pool to assign to the interface of my PIX. The outside WAN IP comes up assigned by the DHCP with an internet address (which is completely different from my IP block), but with a laptop having a block IP, I function just fine [I was not able to test an IPsec client while connected this way]. NAT is turned off on the DSL router (it's a Netopia model 3347-2, firmware version 7.6.1r6) and my connection shows up as the assigned block address, so I believe that the ISP is routing the different IP address properly. When I replace the laptop with the PIX, my VPN tunnel only appears to make it past Phase 1, and I get a Phase 2 error. I don't think I have a configuration issue on either PIX, so that leads me to believe the DSL router is doing something strange with the connection, or it is the ISP.

PIX models are 515E at version 6.3(5). I tried NAT-T, and I restarted my ISAKMP and crypto map. Below are the debugging errors I got while attempting to connect, plus some of the censored configuration. I am attaching debug and configs.

rjorgensen Thu, 02/21/2008 - 05:35

You must put the DSL modem in bridging mode and turn off DHCP on the inside interface of the modem. You need to request a static IP from the ISP; that way you can configure the VPN concentrator at the main office to only allow connections from that IP. Next, on your PIX/ASA, you need to configure the PPPoE username and password. Do not set up any IP on the outside interface of the PIX/ASA. You should receive the PPPoE static IP once this is configured. You can also set up DHCP on the inside interface of the PIX/ASA for LAN connectivity with any IP addresses; they do not need to be assigned from the ISP. Tunnel all traffic over the VPN connection.
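The steps in the answer above, written out as a PIX 6.3(5) remote-site configuration (the asker's platform). This is an added example, not configuration posted in the thread or taken from either PIX. It assumes the DSL modem is already in bridge mode, and every address, PPPoE account name, pre-shared key and the main-office peer IP (203.0.113.1) and site static IP (198.51.100.25) are placeholders to be replaced with the values the ISP and main office provide.

```cisco
! Added example for the thread above (not the asker's or answerer's config).
! Modem is in bridge mode with its DHCP server disabled.

! 1. PPPoE client on the outside interface. No static IP is configured here;
!    the ISP's PPPoE server assigns the requested static address and default route.
vpdn group ISP request dialout pppoe
vpdn group ISP localname pppoe-user@isp.example
vpdn group ISP ppp authentication pap
vpdn username pppoe-user@isp.example password PPPOE-PASSWORD-PLACEHOLDER
ip address outside pppoe setroute

! 2. LAN addressing is handed out by the PIX itself (private range, not ISP-assigned).
!    The DNS server is assumed to live on the main-office LAN (192.168.1.0/24).
ip address inside 192.168.10.1 255.255.255.0
dhcpd address 192.168.10.100-192.168.10.150 inside
dhcpd dns 192.168.1.10
dhcpd lease 86400
dhcpd enable inside

! 3. Carry the site LAN to the main office over IPsec and exempt that traffic from NAT.
!    To tunnel everything (as the answer suggests), replace the destination with "any"
!    and mirror the ACL on the main-office side.
access-list VPN-TRAFFIC permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list VPN-TRAFFIC

crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address VPN-TRAFFIC
crypto map VPNMAP 10 set peer 203.0.113.1
crypto map VPNMAP 10 set transform-set AES-SHA
crypto map VPNMAP interface outside
sysopt connection permit-ipsec

isakmp enable outside
isakmp key PSK-PLACEHOLDER address 203.0.113.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! 4. Main-office (hub) side: with a static IP at the site, the hub can pin the peer
!    to that single address instead of accepting any initiator.
!    isakmp key PSK-PLACEHOLDER address 198.51.100.25 netmask 255.255.255.255 no-xauth no-config-mode
!    crypto map HUBMAP 10 set peer 198.51.100.25
```

With the outside address learned over PPPoE the PIX terminates the tunnel on the ISP-assigned static IP directly, so the DHCP-behind-the-modem arrangement the asker describes (and the Phase 2 mismatch that came with a peer address differing from the configured one) no longer applies. The `nat (inside) 0` exemption matters: without it the PIX would NAT the LAN traffic to the outside address before it reached the crypto map, and the proxy identities would not match the remote side's ACL.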
