Community Member

PPPoE & ACLs

Cisco PIX Firewall Version 6.3

I recently enabled PPPoE and now my ACLs no longer permit incoming traffic to my public hosts (Outgoing traffic is fine).

I tried disabling 'ip audit', changing my static statements from 'interface' to the IP address, I even tried 'permit ip any any' and traffic still can't get through. The ACLs still show 'hitcnt=0' even though I'm hammering it from proxify.com and ShieldsUp.

I get nothing from 'debug packet outside', but when I run a capture it shows a lot of incoming requests in hex. When I import it into Ethereal, it shows a whole lot of incoming traffic, so it doesn't appear to be filtered by my ISP or my CPE.

For troubleshooting purposes, the Public address to my web server is http://74.2.65.94/

My PPPoE config:

ip address outside pppoe setroute

vpdn group pppoex request dialout pppoe

vpdn group pppoex localname [MYPPPOEUSERNAME]

vpdn group pppoex ppp authentication pap

vpdn username [MYPPPOEUSERNAME] password *********

Attachments:

sh_run_080224.txt sanitized config

cap1.txt incoming hex dump

1 ACCEPTED SOLUTION

Community Member

Re: PPPoE & ACLs

Hi,

The access lists are not bound to the outside interface.

Hence you need to add:

access-list PUBLICHOSTS permit tcp any interface outside eq www

access-group PUBLICHOSTS in interface outside

Raj

Community Member

Re: PPPoE & ACLs

rajbhatt- You ROCK!

How could I have forgotten to apply the ACL..?

I didn't need the other line;

access-list PUBLICHOSTS permit tcp any interface outside eq www

I think because I already have;

access-list PUBLICHOSTS permit tcp any host eq www

THANKS!!

Community Member

Re: PPPoE & ACLs

Hi,

Thanks

Please apply the keyword 'interface outside' in the access list, as with PPPoE you may get a different IP address each time you connect.

Raj

Community Member

Re: PPPoE & ACLs

Do you mean 'access-list PUBLICHOSTS permit tcp any interface outside eq www'?

I added it per your suggestion.

This is good for PPPoE?
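
An added example, not part of the original thread and not Cisco tooling: a small Python check that reads a PIX-style configuration and reports the two issues discussed above, an ACL that no `access-group` binds to an interface (the `hitcnt=0` symptom) and `host` destinations in an ACL bound to a PPPoE/DHCP-addressed interface. The sample config, the 203.0.113.10 address and the finding codes `UNBOUND` and `HOST_DST` are constructed for illustration, and object-groups are assumed not to be used.

```python
import re

# Constructed sample config (documentation addresses), modelled on the thread.
SAMPLE = """\
ip address outside pppoe setroute
access-list PUBLICHOSTS permit tcp any host 203.0.113.10 eq www
access-list PUBLICHOSTS permit tcp any interface outside eq 443
access-list NONAT permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list NONAT
"""
PORT_OPS = {"eq": 2, "lt": 2, "gt": 2, "neq": 2, "range": 3}

def _addr(tok, i):
    """Address spec at tok[i]: 'any' is one token; host/interface/net+mask are two."""
    width = 1 if tok[i] == "any" else 2
    return tok[i:i + width], i + width

def destination(entry):
    """Destination spec of 'access-list NAME permit|deny PROTO <src> <dst> ...'."""
    tok = entry.split()
    _, i = _addr(tok, 4)                  # skip source address
    i += PORT_OPS.get(tok[i], 0)          # skip optional source port operator
    return _addr(tok, i)[0]

def audit(config):
    """Return (code, acl_name, detail) findings for a PIX-style config."""
    lines = [l.strip() for l in config.splitlines()]
    # Interfaces whose address is assigned by the provider and may change.
    dynamic = {m[1] for l in lines
               if (m := re.match(r"ip address (\S+) (pppoe|dhcp)\b", l))}
    acls = {}
    for l in lines:
        if m := re.match(r"access-list (\S+) (permit|deny) ", l):
            acls.setdefault(m[1], []).append(l)
    bound = {m[1]: m[2] for l in lines
             if (m := re.match(r"access-group (\S+) in interface (\S+)", l))}
    # ACLs referenced by nat 0 or crypto maps are in use without an access-group.
    other = {m[1] for l in lines if not l.startswith("access-list ")
             and (m := re.search(r"(?:access-list|match address) (\S+)$", l))}
    findings = []
    for name, entries in acls.items():
        if name not in bound:
            if name not in other:
                findings.append(("UNBOUND", name, "no access-group applies it"))
            continue
        if bound[name] in dynamic:
            findings += [("HOST_DST", name, e) for e in entries
                         if destination(e)[:1] == ["host"]]
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(*f, sep=" | ")
```

A `HOST_DST` finding is a prompt to review: it matters when the `host` address is the interface's own PPPoE-assigned address rather than a separately routed static block.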
