07-03-2008 02:17 AM
Hi
I am having trouble setting up an ASA 5510 to use PPPoE. The ASA is connected to my D-Link ADSL modem, which is set up in bridged mode. My config is below.
Am I missing something, or can somebody tell me how to troubleshoot? The command show ip address outside pppoe
gives:
PPPoE session has not been established yet.
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xxx
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
pppoe client vpdn group tiscali
ip address pppoe setroute
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.9.1.1 255.255.0.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.10.1 255.255.255.0
management-only
!
passwd xxx
boot system disk0:/asa723-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list inside_nat0_outbound extended permit ip 10.9.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list outside_cryptomap_20 extended permit ip 10.9.0.0 255.255.0.0 10.10.0.0 255.255.0.0
pager lines 24
logging monitor debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer *.*.*.*
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 3600
crypto map outside_map 20 set security-association lifetime kilobytes 100000
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group tiscali request dialout pppoe
vpdn group tiscali localname *****
vpdn group tiscali ppp authentication chap
vpdn username ***** password ********* store-local
dhcpd lease 691200
!
dhcpd address 10.9.1.2-10.9.1.200 inside
dhcpd enable inside
!
dhcpd address 192.168.10.2-192.168.10.10 management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
tunnel-group *.*.*.* type ipsec-l2l
tunnel-group *.*.*.* ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:xxx
: end
07-03-2008 04:10 AM
Check these two links:
Config revision with debug troubleshooting:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/pppoe.html
Midway down are the debug commands for PPPoE.
Once you have gone over the config and verified it is fine, I would suggest debugging the PPPoE connection and posting the output to assist.
To set up debug and see its output from a telnet session:
asa#terminal monitor
In config mode:
asa(config)#logging monitor 7
Then you could do one at a time to capture the output:
debug ppp negotiation
debug pppoe packet
debug pppoe error
debug pppoe event
To disable debug:
asa#no debug all
Rgds
-Jorge
07-03-2008 06:59 AM
Thanks very much Jorge
The error I am getting is:
PPPoE: send_padi:(Snd) Dest:ffff.ffff.ffff Src:001f.9e98.0748 Type:0x8863=PPPoE-Discovery
PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12
PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000003
PPPoE: padi timer expired
I think this is a problem with my ISP using PPPoA and not PPPoE?
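As an added example (not part of the thread, and not Cisco's code), the script below reads `debug pppoe packet` / `debug pppoe event` output of the form posted above and reports how far PPPoE discovery got, following the RFC 2516 exchange PADI -> PADO -> PADR -> PADS. Colin's output only ever shows a PADI followed by "padi timer expired", which the script classifies as "no-PADO": the ASA is broadcasting discovery frames out of Ethernet0/0 and nothing on the far side of the bridged modem answers, so the next thing to examine is the ISP/modem side rather than the ASA's PPP credentials. The first sample is constructed to mirror the posted lines; the second sample (a complete exchange) assumes the ASA prints received PADO/PADS frames with the same `Ver:1 Type:1 Code:..` header, and the classification labels are my own.

```python
"""Classify a PPPoE bring-up from ASA `debug pppoe packet` / `debug pppoe event`
output.  Added example, not from the thread.  Follows the PPPoE Active Discovery
state machine (RFC 2516: PADI -> PADO -> PADR -> PADS)."""
import re

# PPPoE Active Discovery codes, RFC 2516 section 5.
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}

# e.g. "PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12"
HEADER = re.compile(r"PPPoE: Ver:1 Type:1 Code:([0-9A-Fa-f]{2})=\w+ Sess:(\d+)")
# e.g. "PPPoE: padi timer expired"
TIMER = re.compile(r"PPPoE: (padi|padr) timer expired", re.IGNORECASE)

# Constructed sample 1, shaped like the output posted in the thread:
# one PADI goes out, then the PADI timer expires with no PADO.
NO_ANSWER = """\
PPPoE: send_padi:(Snd) Dest:ffff.ffff.ffff Src:001f.9e98.0748 Type:0x8863=PPPoE-Discovery
PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12
PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000003
PPPoE: padi timer expired
""".splitlines()

# Constructed sample 2 (assumed line format for received frames): full discovery.
COMPLETE = """\
PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12
PPPoE: Ver:1 Type:1 Code:07=PADO Sess:0 Len:40
PPPoE: Ver:1 Type:1 Code:19=PADR Sess:0 Len:12
PPPoE: Ver:1 Type:1 Code:65=PADS Sess:1234 Len:12
""".splitlines()


def discovery_events(lines):
    """Ordered list of discovery events seen in the debug output,
    e.g. ['PADI', 'PADI_TIMEOUT'] or ['PADI', 'PADO', 'PADR', 'PADS'].
    Tag and MAC lines (SVCNAME, HOSTUNIQ, send_padi ...) are ignored."""
    events = []
    for line in lines:
        m = HEADER.search(line)
        if m:
            events.append(CODES.get(int(m.group(1), 16), "CODE_" + m.group(1)))
            continue
        m = TIMER.search(line)
        if m:
            events.append(m.group(1).upper() + "_TIMEOUT")
    return events


def diagnose(lines):
    """Map the furthest discovery stage reached to a label saying where to look next."""
    seen = set(discovery_events(lines))
    if "PADS" in seen:
        # Discovery finished and a session ID was assigned.  Anything failing after
        # this is PPP (LCP / CHAP), so `debug ppp negotiation` is the next thing to read.
        return "established"
    if "PADR" in seen:
        # The access concentrator offered, we requested a session, no confirmation came.
        return "no-PADS"
    if "PADO" in seen:
        # An offer arrived but the client never requested a session.
        return "no-PADR"
    if "PADI" in seen:
        # Our broadcast left the interface and no access concentrator answered:
        # nothing speaking PPPoE on the far side of the bridged modem.
        return "no-PADO"
    return "no-discovery"


if __name__ == "__main__":
    for name, sample in (("no_answer", NO_ANSWER), ("complete", COMPLETE)):
        print(name, discovery_events(sample), "->", diagnose(sample))
```

Paste the whole debug capture in (with `terminal monitor` and `logging monitor 7` active as Jorge describes) rather than a single line; the verdict depends on which codes never appear, so a partial capture can misreport an earlier stage.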
07-03-2008 08:28 AM
Just a bit of background I thought may help...
We used to have a PIX 501 connected to the same ADSL line, with the outside interface set to pick up an address via DHCP from the ADSL modem, which passed the public IP through to the PIX. This all worked fine. The same setup on the ASA 5510 doesn't work. I have tried setting the ADSL modem to bridged mode and setting the ASA outside interface to PPPoE, which is what the config in the original post is. The third option is setting the ADSL modem to bridged mode and assigning a static IP to the ASA outside interface. What NAT and routes would I need to set up to achieve this?
Many Thanks
Colin
07-03-2008 11:12 AM
Colin, thanks for updating; sorry for the late reply. If you have just swapped the firewall from the 501 to the ASA 5510 and nothing was changed on the ISP side, I would not think the ISP had changed their provisioning at their end. However, if you issue debug pppoe event and it shows PADI discovery frames being sent to the ISP with no response, I would then contact the ISP to rule out any issues with settings.
If you do go with public static addressing on the outside interface, your config has the necessary NAT statements, i.e. global (outside) 1 interface and nat (inside) 1 0.0.0.0 0.0.0.0; you will need a default route: route outside 0.0.0.0 0.0.0.0
Rgds
-Jorge
07-04-2008 04:51 AM
I have tried all setups but cannot get the ASA to work at all over my ADSL line!
Both configs are posted below. Is anybody aware of any differences between the PIX and the ASA which would stop this working?
PIX (I realise I don't have the VPN tunnel set up on the ASA, as I can't even get internet access through it):
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password password encrypted
passwd xxx
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.10.0.0 ISA2004
access-list inside_outbound_nat0_acl permit ip 10.9.0.0 255.255.0.0 ISA2004 255.255.0.0
access-list outside_cryptomap_20 permit ip 10.9.0.0 255.255.0.0 ISA2004 255.255.0.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.9.1.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location ISA2004 255.255.0.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.9.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer 8.8.8.8
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 3600 kilobytes 100000
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 8.8.8.8 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.9.1.3-10.9.1.33 inside
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxx
: end
ASA DHCP on next post
Many Thanks
Colin
07-04-2008 04:52 AM
ASA Config
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xxx
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.9.1.1 255.255.0.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
no nameif
no security-level
ip address 192.168.10.1 255.255.255.0
!
passwd password encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
pager lines 24
logging enable
logging console debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.9.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 10.9.1.2-10.9.1.20 inside
dhcpd enable inside
!
!
!
prompt hostname context
Cryptochecksum:xxx
: end
Many Thanks
Colin
07-07-2008 06:47 AM
Hi
When I switched on debugging, I got the following error constantly... any ideas why it is blocking traffic from my client to the internal interface of the ASA? The client is assigned an IP address from the ASA OK...
%ASA-7-609001: Built local-host NP Identity Ifc:80.46.114.128
%ASA-7-609001: Built local-host outside:192.168.1.1
%ASA-6-302015: Built outbound UDP connection 105 for outside:192.168.1.1/67 (192.168.1.1/67) to NP Identity Ifc:80.46.114.128/68 (80.46.114.128/68)
%ASA-7-710005: UDP request discarded from 10.9.1.2/137 to inside:10.9.255.255/137
%ASA-7-710005: UDP request discarded from 10.9.1.2/137 to inside:10.9.255.255/137
%ASA-7-710005: UDP request discarded from 10.9.1.2/4945 to inside:10.9.1.1/53
%ASA-7-710005: UDP request discarded from 10.9.1.2/1026 to inside:10.9.1.1/53
%ASA-7-710005: UDP request discarded from 10.9.1.2/2187 to inside:10.9.1.1/53
%ASA-7-710005: UDP request discarded from 10.9.1.2/4945 to inside:10.9.1.1/53
%ASA-7-710005: UDP request discarded from 10.9.1.2/4945 to inside:10.9.1.1/53
%ASA-7-710005: UDP request discarded from 10.9.1.2/4945 to inside:10.9.1.1/53
07-07-2008 01:39 PM
Look at the host 10.9.1.2:
"ipconfig /all"
and I think you will get the answer.
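As an added example (not part of the thread, and not Cisco's code), the script below triages %ASA-7-710005 lines like the ones Colin posted. That message is logged when a packet is addressed to the ASA's own interface for a service the ASA does not provide there; it is not the firewall dropping transit traffic. Split by destination, the posted lines are NetBIOS name-service broadcasts to 10.9.255.255 (harmless noise on a /16) and unicast DNS queries to 10.9.1.1, the ASA's inside address, which runs no DNS server. The hosts in the second group have the firewall configured as their resolver, which is what the "ipconfig /all" hint points at. The sample log is constructed after the posted lines (one extra host added), and the inside subnet is taken from the ASA config above; the grouping and the helper names are my own.

```python
"""Triage %ASA-7-710005 "request discarded" syslog lines.
Added example, not from the thread.  710005 means a packet addressed to the
ASA's own interface asked for a service the ASA does not offer there."""
import ipaddress
import re
from collections import defaultdict

MSG_710005 = re.compile(
    r"%ASA-\d-710005: (?P<proto>TCP|UDP) request discarded from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<ifc>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Constructed sample, shaped like the output posted in the thread (wrapped
# lines joined, plus a second host 10.9.1.7 that is not in the original).
SAMPLE_LOG = """\
%ASA-7-609001: Built local-host outside:192.168.1.1
%ASA-7-710005: UDP request discarded from 10.9.1.2/137 to inside:10.9.255.255/137
%ASA-7-710005: UDP request discarded from 10.9.1.2/137 to inside:10.9.255.255/137
%ASA-7-710005: UDP request discarded from 10.9.1.2/4945 to inside:10.9.1.1/53
%ASA-7-710005: UDP request discarded from 10.9.1.2/1026 to inside:10.9.1.1/53
%ASA-7-710005: UDP request discarded from 10.9.1.7/1030 to inside:10.9.1.1/53
""".splitlines()


def parse_710005(lines):
    """Yield one dict per 710005 line; other message IDs are ignored."""
    for line in lines:
        m = MSG_710005.search(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            yield rec


def triage(lines, inside_net="10.9.0.0/16"):
    """Group discards per source host into unicast-to-firewall vs subnet broadcast.

    Returns {src: {"unicast": {(proto, dport): count}, "broadcast": {...}}}.
    inside_net is the inside subnet from the ASA config (10.9.1.1 255.255.0.0)."""
    net = ipaddress.ip_network(inside_net)
    out = defaultdict(lambda: {"unicast": defaultdict(int), "broadcast": defaultdict(int)})
    for rec in parse_710005(lines):
        dst = ipaddress.ip_address(rec["dst"])
        kind = "broadcast" if dst == net.broadcast_address else "unicast"
        out[rec["src"]][kind][(rec["proto"], rec["dport"])] += 1
    return out


def hosts_using_firewall_as_dns(lines, inside_net="10.9.0.0/16"):
    """Hosts sending unicast UDP/53 to the ASA: their resolver is set to the
    firewall's inside address, which answers no DNS.  Check ipconfig /all there."""
    groups = triage(lines, inside_net)
    return sorted(src for src, kinds in groups.items() if ("UDP", 53) in kinds["unicast"])


if __name__ == "__main__":
    for src, kinds in triage(SAMPLE_LOG).items():
        print(src, "unicast:", dict(kinds["unicast"]), "broadcast:", dict(kinds["broadcast"]))
    print("resolver set to firewall:", hosts_using_firewall_as_dns(SAMPLE_LOG))
```

Feed it the output of `logging monitor debugging` (or a syslog export) and look at the unicast group: anything other than services the ASA is meant to answer on that interface (DHCP, the management protocols enabled with http/ssh/telnet) is a client misconfiguration, not a firewall rule.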