topic Re: Newbie ASA 5505 Configuring for internet PPPoE ? in Network Security

Newbie ASA 5505 Configuring for internet PPPoE ?

cal060307 — Mon, 11 Mar 2019 10:31:24 GMT

Hi all expert

I am very newbie for this Firewall and have never done any Cisco security course, so please bear with me.

Currently we have a Pix 501 that works well, now we upgrade to ASA 5505, and I have been trying to get internet connection for a week now but no go at all .

Any help would be much appreciated.

Here is our network:

Internet -> DSL Negear Modem -> ASA 5505 -> inside network

And here is "show run" :

ciscoasa(config)# show run

: Saved

ASA Version 7.2(2)

hostname ciscoasa

domain-name cisco.com

enable password xxx

names

interface Vlan1

nameif inside

security-level 100

ip address 192.168.0.154 255.255.255.0

interface Vlan2

nameif outside

security-level 0

pppoe client vpdn group pppoe_group

ip address pppoe setroute

interface Vlan3

no forward interface Vlan1

nameif dmz

security-level 50

no ip address

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

dns server-group DefaultDNS

domain-name cisco.com

access-list inside_access_out extended permit ip any interface outside

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit tcp any any

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

ip verify reverse-path interface outside

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

access-group inside_access_in in interface inside

**** inside IP schema: 192.168.0.0 255.255.255.0

route inside 192.168.0.1 255.255.255.255 192.168.0.154 1

route outside 61.9.x.x 255.255.255.255 61.9.a.b 1

route outside 144.140.x.x 255.255.255.255 61.9.a.b 1

**** 61.9.a.b is static IP provided by ISP

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

**** I issued CLI command to get vpdn rather than ASDM

vpdn group pppoe_group request dialout pppoe

vpdn group pppoe_group localname vb39033

vpdn group pppoe_group ppp authentication chap

vpdn username vb39033 password *********

dhcpd ping_timeout 750

dhcpd address 192.168.0.155-192.168.0.204 inside

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxx

: end

Re: Newbie ASA 5505 Configuring for internet PPPoE ?

JBDanford2002 — Sun, 17 Jun 2007 13:03:20 GMT

Any reason why you are trying to make this on a VLAN interface? I would just configure the physical interface rather than the virtual. Link below shows how to make this happen.

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008066ebe6.html

Re: Newbie ASA 5505 Configuring for internet PPPoE ?

cal060307 — Sun, 17 Jun 2007 13:26:13 GMT

Thanks for your reply and link

That link helped me configure PPPoE client rather than ASDM but still no connection

In regards to VLAN interface, by default ASA has two VLANS one for outside and one for inside.

Re: Newbie ASA 5505 Configuring for internet PPPoE ?

JBDanford2002 — Sun, 17 Jun 2007 14:04:55 GMT

Have you tried removing the vlan interface and configuring the physical? Also have you tried debugging pppoe to see if there are any errors?

debug pppoe error

Re: Newbie ASA 5505 Configuring for internet PPPoE ?

cal060307 — Mon, 18 Jun 2007 00:34:29 GMT

No I have not tried remove VLAN yet. I am not quite confident to remove the default setting, as I am newbie just in case

However I issued "debug pppoe error" command line, nothing happens.

I issued "show ip address outside pppoe"

PPPoE assigned IP address: 61.9.a.b 255.255.255.255 interface: outside

Remote IP address: 172.18.y.z

Re: Newbie ASA 5505 Configuring for internet PPPoE ?

Fernando_Meza — Mon, 18 Jun 2007 02:31:47 GMT

Hi .. if you already have an IP address allocated to the outside interface then your connection to your ISP is fine. Test this by pinging any public IP from your ASA. By looking at your config, it seems you are intending to use the inside interface of the ASA as DHCP server correct ..? if that is the case then you need to ENABLE dhcp on the inside interface and add an auto-config commands which will also provide your internal devices with DNS settings. Below is an example.

hostname(config)# dhcpd address 10.0.1.101-10.0.1.110 inside

hostname(config)# dhcpd autoconfig outside

hostname(config)# dhcpd enable inside

NOTE: this line of config does not make much sense ..

route inside 192.168.0.1 255.255.255.255 192.168.0.154 1

I hope it helps .. please rate it if it does !!!

Re: Newbie ASA 5505 Configuring for internet PPPoE ?

cal060307 — Mon, 18 Jun 2007 09:46:56 GMT

Thanks for your help

DHCP: I was going to do it but I'd rather use my existing DHCP server, so I think I should I take it out.

route inside 192.168.0.1 255.255.255.255 192.168.0.154 1

That line I just copy and paste from working Pix 501 in use. Yes you are right it does not make sense to me either.

I will trying ping outside public IP say www.hotmail.com to see if it gets thru, I doubt very much otherwise I would get internet connection by now. Thanks again

Re: Newbie ASA 5505 Configuring for internet PPPoE ?

cal060307 — Wed, 20 Jun 2007 04:42:04 GMT

Hi all

Question please:

Do we need to have any access-list to allow traffic inside to flow outside in order to get internet access? or any thing else after establishing PPPoE client through Wizard.

Thank you in advance

Re: Newbie ASA 5505 Configuring for internet PPPoE ?

cal060307 — Thu, 21 Jun 2007 00:47:16 GMT

Hi all

I got this problem solved, what I did was that I got back the factory default and restart PPPoE client without any access-list.

Thanks a lot for your support and help guys.