Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Cisco PIX 501 as Verizon FiOS router...

Is anyone attempting this sort of configuration at their home? Do any configuration examples exist? I have two specific questions. I've tried PAP, CHAP, and MSCHAP on the PIX, but I can't get PPP to negotiate with the Verizon network; debuging info doesn't give me anything more verbose than "config regected". Secondly, how do I specify PAT rules, when I don't know what the Outside IP will be at any one given moment? I know with normal routing statements on routers, you can specify an interface *name* versus an IP. Is this possible in some way on the PIX?

Since I only have one Outside IP address, I have to use PAT, in order to advertize services to the Internet - several different TCP ports on the outside IP address will map to different IPs on the Inside Interface.


Re: Cisco PIX 501 as Verizon FiOS router...


Using PPTP with PAT is possible. However, you need to enabled the PPTP fixup so that the PIX can support PPTP over PAT and allow incomming GRE packets. SO you have to add this command to the PIX.

fixup protocol PPTP

Please rate if I could help and let me know how it goes,


New Member

Re: Cisco PIX 501 as Verizon FiOS router...

The trick here, is that I was wondering how to allow packets into my network and/or make static statements with the IP on the Outside interface changing. The trick is, to refer to 'interface outside' instead of specifying an actual IP. I did this, and it seems to work just fine.


Re: Cisco PIX 501 as Verizon FiOS router...


I looked around the internet to figure out what verizon is using for FIOS authentication. You're going to have to play around with this to get it to work.

It turns out that verizon is using PPPoE (not sure if you knew that or not - in the future you should include some configuration snippets).

Use the following link to see how to do it

But the basics would be: (asumming inside network is - change as necessary - this is from the doc)

!----This portion sets up the outside interface to get an IP address via pppoe and do nat from inside to outside:

ip address outside pppoe setroute

global (outside) 1 interface

nat (inside) 1 0 0

!-----Create a vpdn group for PPOE use:

vpdn group pppoex request dialout pppoe

!--- Associate the username that the ISP assigns to the VPDN group.

vpdn group pppoex localname verizonfios

!--- Define authentication protocol.

vpdn group pppoex ppp authentication pap

!--- Create a username and password pair for the PPPoE

!--- connection (which your ISP provides).

vpdn username verizonfios password verizonfiospassword

Also, though this doc doesn't have it, if you end up trying to use mschap, I'd add:

vpdn group group_name ppp encryption mppe 40 | 128 | auto [required]

and set it to auto

You may have to change the authentication method - in the documents I found pap, chap, mschap, and mschapv2 were all checkmarked for fios use, so you'll have to play around with it. I hope it's not mschapv2, because as of pix 7.2, mschapv2 isn't supported.


Please rate if this helps

New Member

Re: Cisco PIX 501 as Verizon FiOS router...

I did fix this myself. Apparently the arbitrary name chosen for 'localname' --"vpdn group pppoex localname verizonfios"

Must match the username handed to the PPP auth. That's the only change I made, and it worked straight away.