Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ASA 5510 and PPPoE

Hi

I am having trouble setting up a ASA 5510 to use PPPoE. The ASA is connected to my D-Link ADSL Modem which is setup in bridged mode. My config is as below.

Am I missing something or can somebody tell me how to troubleshoot? The command show ip address outside pppoe

gives

PPPoE session has not been established yet.

ASA Version 7.2(3)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password xxx

names

dns-guard

!

interface Ethernet0/0

nameif outside

security-level 0

pppoe client vpdn group tiscali

ip address pppoe setroute

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.9.1.1 255.255.0.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.10.1 255.255.255.0

management-only

!

passwd xxx

boot system disk0:/asa723-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

access-list inside_nat0_outbound extended permit ip 10.9.0.0 255.255.0.0 10.10.0

.0 255.255.0.0

access-list outside_cryptomap_20 extended permit ip 10.9.0.0 255.255.0.0 10.10.0

.0 255.255.0.0

pager lines 24

logging monitor debugging

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-507.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 management

http 192.168.10.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set pfs

crypto map outside_map 20 set peer *.*.*.*

crypto map outside_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 20 set security-association lifetime seconds 3600

crypto map outside_map 20 set security-association lifetime kilobytes 100000

crypto map outside_map interface outside

crypto isakmp identity hostname

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 28800

telnet timeout 5

ssh timeout 5

console timeout 0

vpdn group tiscali request dialout pppoe

vpdn group tiscali localname *****

vpdn group tiscali ppp authentication chap

vpdn username ***** password ********* store-local

dhcpd lease 691200

!

dhcpd address 10.9.1.2-10.9.1.200 inside

dhcpd enable inside

!

dhcpd address 192.168.10.2-192.168.10.10 management

dhcpd enable management

!

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns migrated_dns_map_1

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

tunnel-group *.*.*.* type ipsec-l2l

tunnel-group *.*.*.* ipsec-attributes

pre-shared-key *

prompt hostname context

Cryptochecksum:xxx

: end

8 REPLIES

Re: ASA 5510 and PPPoE

Check these two links

Config revision with debug troubleshooting

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/pppoe.html

Mid way down debug commands for PPPoE

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00801055dd.shtml

When you go over the config and verify your config is fine I would suggest to debug the PPPoE connection and post output results to assist.

to set up debug and see its output from telnet session

asa#terminal monitor

in config mode

asa(config)#logging monitor 7

then you could do one at a time to capture output

debug ppp negotiation

debug pppoe packet

debug pppoe error

debug pppoe event

to disable debug

asa#no debugg all

Rgds

-Jorge

New Member

Re: ASA 5510 and PPPoE

Thanks very much Jorge

error I am getting is;

PPPoE: send_padi:(Snd) Dest:ffff.ffff.ffff Src:001f.9e98.0748 Type:0x8863=PPPoE-

Discovery

PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12

PPPoE: Type:0101:SVCNAME-Service Name Len:0

PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4

PPPoE: 00000003

PPPoE: padi timer expired

I think this is a problem with my ISP using pppoa and not pppoe?

New Member

Re: ASA 5510 and PPPoE

Just a bit of background I thought may help...

We used to have a PIX 501 connected to the same ADSL line, with the outside interface set to pickup via DHCP from the ADSL modem, which passed throught the public ip to the PIX. This all worked fine. The same setup on the ASA 5510 doesn't work. I have tried setting the ADSL to bridged mode and setting the PIX outside interface to PPPoE, which is what the config on the original post is. The third option is setting the ADSL to bridged and assigning a static ip to the ASA outside interface - what NAT and Routes would I need to setup to acheive this?

Many Thanks

Colin

Re: ASA 5510 and PPPoE

Colin thanks for updating sorry for late reply, if you have just swaped the firewall from 501 to asa5510 and nothing was changed on the ISP side I would not think the isp had changed their provisioning at their end, however, if you issue debug pppoe events this will indicate sending PADI discovery frames to isp but no response I would then contact ISP to rule out any issues on settings.

If you do go with public static addressing on the outside interface your config have the necessary nat statements for NATing, ie global (outside ) 1 interface , and nat (inside ) 1 0.0, you will need default route route outside 0.0.0.0 0.0.0.0 1

Rgds

-Jorge

New Member

Re: ASA 5510 and PPPoE

I have tried all setups but cannot get the ASA to work at all over my adsl line!

Both configs are posted below - is anybody aware of any differences between PIX and ASA which would stop this working

PIX - I realise I dont have the VPN Tunnel setup on the ASA as I can't even get internet access through it

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password password encrypted

passwd xxx

hostname pixfirewall

domain-name ciscopix.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

name 10.10.0.0 ISA2004

access-list inside_outbound_nat0_acl permit ip 10.9.0.0 255.255.0.0 ISA2004 255.255.0.0

access-list outside_cryptomap_20 permit ip 10.9.0.0 255.255.0.0 ISA2004 255.255.0.0

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside dhcp setroute

ip address inside 10.9.1.1 255.255.0.0

ip audit info action alarm

ip audit attack action alarm

pdm location ISA2004 255.255.0.0 outside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 10.9.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set pfs group2

crypto map outside_map 20 set peer 8.8.8.8

crypto map outside_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 20 set security-association lifetime seconds 3600 kilobytes 100000

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address 8.8.8.8 netmask 255.255.255.255 no-xauth no-config-mode

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 28800

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 10.9.1.3-10.9.1.33 inside

dhcpd lease 86400

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 80

Cryptochecksum:xxx

: end

ASA DHCP on next post

Many Thanks

Colin

New Member

Re: ASA 5510 and PPPoE

ASA Config

ASA Version 7.2(3)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password xxx

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.9.1.1 255.255.0.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

no nameif

no security-level

ip address 192.168.10.1 255.255.255.0

!

passwd password encrypted

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

pager lines 24

logging enable

logging console debugging

logging asdm informational

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet 10.9.0.0 255.255.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcp-client client-id interface outside

dhcpd auto_config outside

!

dhcpd address 10.9.1.2-10.9.1.20 inside

dhcpd enable inside

!

!

!

prompt hostname context

Cryptochecksum:xxx

: end

Many Thanks

Colin

New Member

Re: ASA 5510 and PPPoE

Hi

When i switched on debugging I am getting the following error constantly...any ideas why it is blocking traffic from my client to the internal interface of the ASA? I am assigned an ip address to the client from the ASA ok...

%ASA-7-609001: Built local-host NP Identity Ifc:80.46.114.128

%ASA-7-609001: Built local-host outside:192.168.1.1

%ASA-6-302015: Built outbound UDP connection 105 for outside:192.168.1.1/67 (192

.168.1.1/67) to NP Identity Ifc:80.46.114.128/68 (80.46.114.128/68)

%ASA-7-710005: UDP request discarded from 10.9.1.2/137 to inside:10.9.255.255/13

7

%ASA-7-710005: UDP request discarded from 10.9.1.2/137 to inside:10.9.255.255/13

7

%ASA-7-710005: UDP request discarded from 10.9.1.2/4945 to inside:10.9.1.1/53

%ASA-7-710005: UDP request discarded from 10.9.1.2/1026 to inside:10.9.1.1/53

%ASA-7-710005: UDP request discarded from 10.9.1.2/2187 to inside:10.9.1.1/53

%ASA-7-710005: UDP request discarded from 10.9.1.2/4945 to inside:10.9.1.1/53

%ASA-7-710005: UDP request discarded from 10.9.1.2/4945 to inside:10.9.1.1/53

l%ASA-7-710005: UDP request discarded from 10.9.1.2/4945 to inside:10.9.1.1/53

Re: ASA 5510 and PPPoE

look at the host 10.9.1.2

"ipconfig /all"

and I think, you will get the answer.

3675
Views
0
Helpful
8
Replies
CreatePlease to create content