03-13-2013 05:50 AM - edited 03-11-2019 06:13 PM
Hello,
Just moved ISPs today, tested on a Netgear router and all good. Now I want to put my Cisco firewall back into action, but I have a problem.
Netgear DG834 in modem mode > Cisco PIX 515
I've set the outside port as:
Use PPPoE > entered DSL username/password > PPP > IP Address and Route Settings are set to "Obtain IP Address using PPPoE" and checked "Obtain default route using PPPoE"
I've changed the DNS servers to the ISP's, but the log on the firewall is coming back as:
PPPoE:PPP link down: peer terminated
PPPoE:PPP Link down
Note: public static IP is assigned via DHCP (reserved).
Anyone have any ideas?
03-13-2013 03:28 PM
Confused.
Using PPPoE or DHCP?
Have the modem working in bridge mode.
03-13-2013 03:45 PM
My static IP is assigned by DHCP but reserved. Tonight I managed to put the Netgear DG834 into modem mode and connect it up to a Netgear firewall, and it all worked fine. My config is below:
Result of the command: "show conf"
: Saved
: Written by enable_15 at 16:38:19.268 GMT/BST Wed Mar 13 2013
!
PIX Version 8.0(4)
!
hostname bmi-515-fw-01
domain-name buildmeit.internal
enable password XXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXX encrypted
names
name 10.52.10.1 XXXXXX description Proxy Server
name 10.52.10.2 XXXXXX
name 10.52.10.5 XXXXXX
name 10.52.10.15 XXXXXX description Mail Server
name 10.52.10.20 XXXXXX
!
interface Ethernet0
nameif outside
security-level 0
pppoe client vpdn group PLUSNET
ip address pppoe
!
interface Ethernet1
nameif mgmt
security-level 100
ip address 192.168.1.254 255.255.255.0
management-only
!
interface Ethernet2
nameif inside
security-level 100
ip address 10.52.100.123 255.255.255.0
!
banner exec XXXX PIX Firewall
banner login XXXX PIX Firewall
banner motd XXXX PIX Firewall
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns server-group DefaultDNS
domain-name buildmeit.internal
dns server-group defaultdns
name-server 212.159.6.10
name-server 212.159.6.9
same-security-traffic permit intra-interface
object-group service RDP tcp
port-object eq 3389
object-group service vpn tcp
port-object eq pptp
object-group service WEB tcp
port-object eq www
port-object eq https
access-list outside_in extended permit tcp any interface outside eq smtp
access-list outside_in extended permit tcp any interface outside eq https
access-list outside_in extended permit ip 192.168.69.0 255.255.255.0 any
access-list LOCAL standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.69.0 255.255.255.0
access-list XXXX2-VPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
logging from-address
logging recipient-address level errors
logging recipient-address level errors
mtu outside 1500
mtu mgmt 1500
mtu inside 1500
ip local pool Pool 192.168.1.120-192.168.1.125 mask 255.255.255.0
ip local pool BMI2VPN 192.168.69.1-192.168.69.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-61551.bin
asdm location BMI-FILE1 255.255.255.255 mgmt
asdm location BMI-ADC1 255.255.255.255 mgmt
asdm location BMI-ADC2 255.255.255.255 mgmt
asdm location BMI-MAIL1 255.255.255.255 mgmt
asdm location BMI-MGMT2 255.255.255.255 mgmt
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (mgmt) 0 access-list inside_nat0_outbound
nat (mgmt) 101 0.0.0.0 0.0.0.0
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp BMI-MAIL1 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https BMI-MAIL1 https netmask 255.255.255.255
access-group outside_in in interface outside
access-group inside_access_in in interface mgmt
route outside 0.0.0.0 0.0.0.0 195.166.128.192 1
route inside 10.52.0.0 255.255.0.0 10.52.100.123 1
route mgmt 192.168.0.0 255.255.0.0 192.168.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface mgmt
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PLUSNET request dialout pppoe
vpdn group PLUSNET localname itian@plusdsl.net
vpdn group PLUSNET ppp authentication pap
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname itian@plusdsl.net
vpdn group pppoex ppp authentication chap
vpdn username XXXXXXXXXXXXX@XXXXXXXXX password XXXXXXXXXX store-local
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.52.10.3 source inside prefer
ntp server 10.52.10.4 source inside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 192.168.1.10 192.168.1.12
dns-server value 192.168.1.10 192.168.1.12
vpn-tunnel-protocol l2tp-ipsec
default-domain value buildmeit.internal
group-policy BMI-VPN internal
group-policy BMI-VPN attributes
wins-server value 192.168.1.10
dns-server value 192.168.1.10
vpn-tunnel-protocol IPSec
default-domain value buildmeit.internal
group-policy BMI2-VPN internal
group-policy BMI2-VPN attributes
wins-server value 192.168.1.12 192.168.1.10
dns-server value 192.168.1.10 192.168.1.12
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value BMI2-VPN_splitTunnelAcl
default-domain value buildmeit.internal
username ian.taylor password ROTdnj94LSs86qI/ encrypted privilege 15
username ian.taylor attributes
vpn-group-policy BMI-VPN
username andrew.guthrie password SSSSSSSSSSSSS encrypted privilege 15
username andrew.guthrie attributes
vpn-group-policy BMI-VPN
tunnel-group DefaultRAGroup general-attributes
address-pool Pool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group BMI-VPN type remote-access
tunnel-group BMI-VPN general-attributes
default-group-policy BMI-VPN
dhcp-server 192.168.1.10
tunnel-group BMI-VPN ipsec-attributes
pre-shared-key *
tunnel-group BMI2-VPN type remote-access
tunnel-group BMI2-VPN general-attributes
address-pool BMI2VPN
default-group-policy BMI2-VPN
tunnel-group BMI2-VPN ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
smtp-server 192.168.1.3
prompt hostname context
Cryptochecksum:7115f4e0431719f3aa0e6cb85ec7a152
I think my firewall needs a rebuild at some point.
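The PPPoE pieces in a PIX/ASA configuration have to agree with each other: the outside interface's `pppoe client vpdn group`, that vpdn group's `request dialout pppoe`, `localname` and `ppp authentication` lines, a stored `vpdn username` matching the local name, and either `ip address pppoe setroute` or a static default route. The script below is an added example (my own, not the poster's or Cisco's tooling) that cross-checks those pieces in a flattened `show conf` dump such as the one posted above; the finding codes and function names are my own, and the embedded config is an excerpt of the posted one with the credentials as the poster already masked them. It applies to the setup described in the first post as well as to the config in this one.

```python
"""Cross-check the PPPoE client settings in a flattened PIX/ASA 'show conf' dump.
Hypothetical helper script; finding codes are this script's own, not Cisco syslog IDs."""
import re

# Excerpt of the configuration posted in the thread; the vpdn username/password
# were masked ("XXXX...") by the poster, so they will not match the localname.
CONFIG_EXCERPT = """\
interface Ethernet0
nameif outside
security-level 0
pppoe client vpdn group PLUSNET
ip address pppoe
!
route outside 0.0.0.0 0.0.0.0 195.166.128.192 1
vpdn group PLUSNET request dialout pppoe
vpdn group PLUSNET localname itian@plusdsl.net
vpdn group PLUSNET ppp authentication pap
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname itian@plusdsl.net
vpdn group pppoex ppp authentication chap
vpdn username XXXXXXXXXXXXX@XXXXXXXXX password XXXXXXXXXX store-local
"""


def parse_pppoe(config):
    """Collect interfaces, vpdn groups, stored usernames and default routes from the dump."""
    interfaces, groups, usernames, default_routes = {}, {}, set(), []
    current = None  # interface block being read; a '!' line closes it in a PIX dump
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("!"):
            current = None
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = {"nameif": None, "vpdn_group": None, "pppoe": False, "setroute": False}
            interfaces[m.group(1)] = current
            continue
        if current is not None:
            if line.startswith("nameif "):
                current["nameif"] = line.split()[1]
                continue
            m = re.match(r"pppoe client vpdn group (\S+)", line)
            if m:
                current["vpdn_group"] = m.group(1)
                continue
            if line.startswith("ip address pppoe"):
                current["pppoe"] = True
                current["setroute"] = line.endswith(" setroute")
                continue
        m = re.match(r"vpdn group (\S+) (.+)$", line)
        if m:
            g = groups.setdefault(m.group(1), {"localname": None, "auth": None, "dialout": False})
            rest = m.group(2)
            if rest == "request dialout pppoe":
                g["dialout"] = True
            elif rest.startswith("localname "):
                g["localname"] = rest.split()[1]
            elif rest.startswith("ppp authentication "):
                g["auth"] = rest.split()[2]
            continue
        m = re.match(r"vpdn username (\S+) password ", line)
        if m:
            usernames.add(m.group(1))
            continue
        m = re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line)
        if m:
            default_routes.append((m.group(1), m.group(2)))
    return {"interfaces": interfaces, "groups": groups,
            "usernames": usernames, "default_routes": default_routes}


def audit_pppoe(config):
    """Return (code, message) findings; an empty list means the PPPoE pieces agree."""
    p = parse_pppoe(config)
    findings = []
    for name, itf in p["interfaces"].items():
        if not itf["pppoe"]:
            continue
        label, grp = itf["nameif"] or name, itf["vpdn_group"]
        g = p["groups"].get(grp) if grp else None
        if g is None:
            findings.append(("NO_VPDN_GROUP", f"{label}: no usable 'pppoe client vpdn group' ({grp})"))
            continue
        if not g["dialout"]:
            findings.append(("NO_DIALOUT", f"{grp}: missing 'request dialout pppoe'"))
        if g["auth"] is None:
            findings.append(("NO_PPP_AUTH", f"{grp}: missing 'ppp authentication pap|chap|mschap'"))
        if g["localname"] is None:
            findings.append(("NO_LOCALNAME", f"{grp}: missing 'localname'"))
        elif g["localname"] not in p["usernames"]:
            findings.append(("NO_VPDN_USERNAME", f"{grp}: no 'vpdn username {g['localname']}' entry"))
        static = [gw for nif, gw in p["default_routes"] if nif == label]
        if itf["setroute"] and static:
            findings.append(("ROUTE_CONFLICT", f"{label}: 'setroute' and static default route via {static[0]}"))
        elif not itf["setroute"] and not static:
            findings.append(("NO_DEFAULT_ROUTE", f"{label}: neither 'setroute' nor a static default route"))
        elif not itf["setroute"]:
            findings.append(("STATIC_ROUTE_NO_SETROUTE",
                             f"{label}: static default via {static[0]}; PPPoE-learned gateway not installed"))
    # Same local name dialled from several vpdn groups with different PPP authentication methods.
    by_localname = {}
    for gname, g in p["groups"].items():
        if g["localname"]:
            by_localname.setdefault(g["localname"], {})[gname] = g["auth"]
    for localname, auths in by_localname.items():
        if len(set(auths.values())) > 1:
            findings.append(("AUTH_MISMATCH", f"{localname}: groups use different PPP auth: {auths}"))
    return findings


if __name__ == "__main__":
    for code, msg in audit_pppoe(CONFIG_EXCERPT):
        print(f"[{code}] {msg}")
```

On the posted excerpt the script reports three things: the masked `vpdn username` does not match the `localname` (expected, since the poster redacted it; on the real config this tells you whether credentials are stored for the name the group dials with), the default route is a static one because `ip address pppoe` lacks `setroute`, and the two vpdn groups dial the same local name with `pap` versus `chap`. These are observations to check against `show vpdn session`, not a diagnosis.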
03-13-2013 09:05 PM
Can you provide the output of: "sho vpdn pppinterface" and "sho vpdn session"?
Have you tried using your ASA and the modem working in bridge mode?
03-14-2013 03:10 AM
Will send over tonight
03-14-2013 04:10 PM
Hello,
I tried your suggestion, see below:
I already tried the Netgear in bridge mode/modem mode.
Some other screenshots you may find useful: