Community Member

Bellsouth PPPoE on 1710 and EzVPN ACL's

Hi all,

2 questions,

Q1) I have a 1710 deployed in BellSouth territory. It uses PPPoE to authenticate and we were given a "Persistent" IP (same IP given after each pap or chap authentication).

Bellsouth is telling me I need to add the %static to the username as in:

username: joe_schmoe%static (this way for persistent IP)

password: the_password

username: joe_schmoe@bellsouth.net (this way for random IP)

password: the_password

I want to know if anyone has successfully done the 1st example above on a Cisco? We do it all day long on Alcatel and Westell equipment but the Cisco I have deployed is remote and I don't want to lose access if it does not work.

Q2) The 1710 is configured in EzVPN Network Extension Mode. Works well. Problem is access-lists don't seem to work correctly here. I need to allow ssh access from the Net and deny telnet. I can deny the telnet (see below) but I also want users on the LAN to be able to telnet into the unit. How would YOU enable this?

Here is what I have now:

line vty 0 4

password 7 123456789

logging synchronous

transport input ssh

Thanks,

Jerry

949-221-7208

2 REPLIES
Cisco Employee

Re: Bellsouth PPPoE on 1710 and EzVPN ACL's

1. Should work fine, the router will just send whatever you specify as the username. We have to do a similar thing in Australia with the phone company there sending the @bigpond.net after the username, works fine on the routers.

2. You can't enable telnet for some users if you've set up the vty's to only accept SSH. You're better off allowing the VTY's to accept SSH and Telnet, then defining an access-list on the outside router interface that denies Telnet from the Net and then allows all other traffic. Then your LAN users can use SSH or Telnet from the inside, Net users can only use SSH, and all other traffic is allowed in also (assuming you want that, that is). Something like:

> int serial0

> description Connection to Internet

> ip address y.y.y.y 255.255.255.0

> ip access-group 101 in

> access-list 101 deny tcp any host y.y.y.y eq telnet

> access-list 101 permit ip any any

Your LAN users will telnet to the inside interface so that'll still work fine. You could specifically allow telnet from your LAN subnet to the outside interface if you like also.
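
The ACL from the reply above, evaluated first-match against a few constructed packets (an added example, not part of the original thread). The address 203.0.113.10 standing in for y.y.y.y, the inside interface name fastethernet0 and the inside address 192.168.1.1 are assumptions.

```python
import ipaddress

# ACL 101 from the reply; y.y.y.y replaced by a constructed documentation address.
OUTSIDE_IP = "203.0.113.10"
ACL_101 = f"""
access-list 101 deny tcp any host {OUTSIDE_IP} eq telnet
access-list 101 permit ip any any
"""
PORTS = {"telnet": 23, "ssh": 22}

def parse_acl(text):
    """Parse the small subset of extended-ACL syntax used in the reply."""
    rules = []
    for line in text.strip().splitlines():
        action, proto, src, *rest = line.split()[2:]   # drop "access-list 101"
        if src != "any":
            raise ValueError("only 'any' sources are handled in this sketch")
        if rest[0] == "host":
            dst, rest = ipaddress.ip_address(rest[1]), rest[2:]
        elif rest[0] == "any":
            dst, rest = None, rest[1:]
        else:
            raise ValueError(f"unsupported destination: {rest[0]}")
        port = None
        if rest[:1] == ["eq"]:
            port = PORTS.get(rest[1]) or int(rest[1])
        rules.append((action, proto, dst, port))
    return rules

def evaluate(rules, in_interface, proto, dst, dport):
    """First matching entry wins; unmatched traffic hits the implicit deny."""
    if in_interface != "serial0":        # access-group 101 is inbound on serial0 only
        return "not-filtered"
    for action, r_proto, r_dst, r_port in rules:
        if r_proto not in ("ip", proto):
            continue
        if r_dst is not None and r_dst != ipaddress.ip_address(dst):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "deny"

RULES = parse_acl(ACL_101)
# Constructed packets: (arriving interface, protocol, destination, dest port)
for pkt in [("serial0", "tcp", OUTSIDE_IP, 23), ("serial0", "tcp", OUTSIDE_IP, 22),
            ("fastethernet0", "tcp", "192.168.1.1", 23),   # LAN user, inside interface
            ("serial0", "tcp", "192.168.1.1", 23)]:        # telnet to another router address
    print(pkt, "->", evaluate(RULES, *pkt))
```

The last packet is permitted because the deny entry names only the one outside host address; telnet arriving on serial0 for any other address owned by the router falls through to `permit ip any any`.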

Community Member

Re: Bellsouth PPPoE on 1710 and EzVPN ACL's

Ok,

I tried the "%static" and it failed - Now I am locked out and have to wait till morning till someone reboots the router. I should have used the "reboot in" command DAMN!

username: joe_schmoe%static (this way for persistent IP)

password: the_password

Anyone have an idea why it wouldn't work?

Thanks,

Jerry
