
PIX 501 with PPPoE and VPN 3005

Does anyone know if it is possible to have a remote PIX, on a DSL line, that is getting a DHCP address and using PPPoE, establish a VPN IPSEC connection to a VPN 3005 Concentrator?

Best Regards

Johan


gfullage
Cisco Employee

Sure. Follow: http://www.cisco.com/warp/public/471/vpn3k_iosdhcp.html

This details a router running DHCP, not a PIX, but the configuration on the 3000 is no different.

Thanks for the reply.

But after an attempt that ended up crashing all the VPN tunnels, I'm forced to get to the bottom of this matter.

Here is the situation.

I have a main site here in Sweden with the PIX 3005 VPN Concentrator.

I have three small offices, also in Sweden, with the PIX 501 connected to ADSL modems.

My ISP in Sweden doesn't support PPPoE. In order to get authenticated, a user has to surf to the ISP's special website in order to get a connection to the internet. I've managed to solve that issue with a special client software that does the authentication process automatically. Further on I've configured the crypto maps in the PIX 501 and the Base Group in the VPN 3005. Everything works fine for the offices in Sweden.

Finally I have a small office in Norway, also with a PIX 501 connected to an ADSL modem.

I've configured the PIX 501 in Norway using VPDN and PPPoE to initiate the Internet connection.

(The ISP in Norway supports PPPoE.) That part works fine and the users can connect to the internet.

Further on, I configured the appropriate crypto maps.

When we tried to establish the IPSEC tunnel, the VPN 3005 "crashed" and the routing process stopped working.

At that time, I tried to connect with the Cisco VPN client software, which went fine.

But I couldn't access anything on the corporate LAN. Nothing answered to ping anymore.

My concern is about the PPPoE section. My understanding is that, once configured on the outside interface, all traffic will be encapsulated with PPPoE/PPP headers. With this in mind I wonder how the VPN 3005 treats the data packets with this "supplemental header"?

Thanks in advance

Best regards

Johan

The PPPoE headers are stripped off by the other end of the PPPoE link at your ISP's router. The 3005 will see a standard TCP/IP packet. This is no different to when these users surf to any web site; these web servers don't see the PPPoE header either, cause it's been stripped off way earlier. The PPPoE connection and header is only from the 501 to the ISP's next hop, so don't worry about it causing any problem. This header is added on AFTER the encryption is done, so no, it's not in the encrypted packet either.

As for why the 3005 "crashed", not sure. What crypto access-list do you have configured on the 501? Does it have an "any" in it, cause this may cause all traffic from the 3005 to be sent over this tunnel, giving the indication that it's not responding to any other traffic.

Other than that, does anything appear in the event log? Can you ping from the 3005 outbound?

Thanks again for most valuable information.

I will go to the main site and try again and check the logs in the 3005.

I'll get back to you.

Kind regards

Johan

Hi again!

Problems solved now. A few minor adjustments did the trick.

The last issue was a missing route entry in a router we use for external routing, since the PIX at the main site cannot route on its external interface.

Nevertheless, thanks for enlightening me regarding the PPPoE.

Best regards

Johan
