
PPPoE & ACLs

r-lemaster
Level 1

Cisco PIX Firewall Version 6.3

I recently enabled PPPoE and now my ACLs no longer permit incoming traffic to my public hosts (Outgoing traffic is fine).

I tried disabling 'ip audit', changing my static statements from 'interface' to the IP address, I even tried 'permit ip any any' and traffic still can't get through. The ACLs still show 'hitcnt=0' even though I'm hammering it from proxify.com and ShieldsUp.

I get nothing from 'debug packet outside', but when I run a capture it shows a lot of incoming requests in hex. When I import it into Ethereal, it shows a whole lot of incoming traffic, so it doesn't appear to be filtered by my ISP or my CPE.

For troubleshooting purposes, the Public address to my web server is http://74.2.65.94/

My PPPoE config:

ip address outside pppoe setroute

vpdn group pppoex request dialout pppoe

vpdn group pppoex localname [MYPPPOEUSERNAME]

vpdn group pppoex ppp authentication pap

vpdn username [MYPPPOEUSERNAME] password *********

Attachments:

sh_run_080224.txt sanitized config

cap1.txt incoming hex dump

Accepted Solutions

rajbhatt
Level 3

Hi,


The access lists are not bound to the outside interface.

Hence you need to add

access-list PUBLICHOSTS permit tcp any interface outside eq www

access-group PUBLICHOSTS in interface outside

Raj


rajbhatt- You ROCK!

How could I have forgotten to apply the ACL..?

I didn't need the other line;

access-list PUBLICHOSTS permit tcp any interface outside eq www

I think because I already have;

access-list PUBLICHOSTS permit tcp any host eq www

THANKS!!

Hi,

Thanks

Please apply the keyword 'interface outside' in the access list, as with PPPoE you may get a different IP address each time you connect.

Raj

Do you mean 'access-list PUBLICHOSTS permit tcp any interface outside eq www'?

I added it per your suggestion.

This is good for PPPoE?
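
A configuration check for the two points raised in this thread, an ACL that is defined but never applied with access-group and a fixed destination address on a PPPoE interface. It is an added example, not posted by any participant; the function name, the sample configuration and its 192.0.2.x address are constructed.

```python
import re

# Constructed sample in PIX 6.3 syntax; 192.0.2.10 is a documentation
# address, not a value from the poster's attached configuration.
SAMPLE_CONFIG = """\
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
access-list PUBLICHOSTS permit tcp any host 192.0.2.10 eq www
access-list PUBLICHOSTS permit tcp any interface outside eq smtp
access-list NONAT permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list NONAT
static (inside,outside) tcp interface www 192.168.1.10 www netmask 255.255.255.255 0 0
"""


def audit_pix_acls(config):
    """Return findings for ACLs that are never applied to an interface and,
    on PPPoE interfaces, for entries pinned to a fixed destination address."""
    defined, bound, other_use, pppoe_ifs = {}, {}, set(), set()
    for line in config.splitlines():
        tok = line.split()
        if len(tok) >= 3 and tok[0] == "access-list":
            defined.setdefault(tok[1], []).append(line.strip())
        elif len(tok) == 5 and tok[0] == "access-group" and tok[2] == "in":
            bound[tok[1]] = tok[4]          # access-group NAME in interface IF
        elif tok[:2] == ["ip", "address"] and "pppoe" in tok[3:]:
            pppoe_ifs.add(tok[2])           # ip address IF pppoe [setroute]
        else:
            # ACLs named by NAT exemption or crypto maps are not packet filters
            m = re.search(r"\b(?:access-list|match address)\s+(\S+)\s*$", line)
            if m:
                other_use.add(m.group(1))
    findings = []
    for name, entries in defined.items():
        if name not in bound:
            if name not in other_use:
                findings.append(("unbound", name, "no access-group applies this ACL"))
            continue
        if bound[name] in pppoe_ifs:
            for entry in entries:
                # Only the 'any host A.B.C.D' form is checked; review each hit,
                # since it stops matching if PPPoE assigns a different address.
                if re.search(r"\bany host \d+\.\d+\.\d+\.\d+", entry):
                    findings.append(("static-dest", name, entry))
    return findings
```

On the sample as written the function reports PUBLICHOSTS as unbound; once the access-group line is appended, it instead flags the `host` entry for review.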
