ASA + PPPoE Connectivity Problem

Hi,

I have configured my ASA 8.0 as a PPPoE client on the outside interface. My PPPoE is getting authenticated and then getting the IP address from the router. But when I am trying to ping the default gateway, it's not giving me a reply. Secondly, when I try to ping my outside interface from outside, it doesn't reply back, and ASDM says blocked due to ICMP code 0 type 8. Even after allowing that, I am not able to ping the outside interface. When I do a packet tracer from the CLI, it gives me "packet is always deny by implicit ACL".

Please help me out. I can't figure out the mistake.

Nitesh


Maykol Rojas
Cisco Employee

Hello Nitesh,

Seems like you have an implicit rule denying the ICMP traffic. Would you please do a sh run icmp? Check if you have a deny any or a deny icmp outside... If you like, you can paste the output, I'll help you out with this one.

Cheers

Mike


Hi,

I have applied icmp permit inside and outside, and permit icmp any any on the interface also, but I am still getting the same error.

I will try getting you the show run.

ciscoasa# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.1.168 255.255.255.240
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group CHN

ip address pppoe setroute

!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list inside extended permit ip any any
access-list 100 extended permit icmp any any
access-list 100 extended permit icmp any any timestamp-reply
access-list 100 extended permit icmp any any timestamp-request
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit icmp 172.16.1.160 255.255.255.240 any
access-list inside_access_in extended permit ip 172.16.1.160 255.255.255.240 any

pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool Intl 172.16.1.160 mask 255.255.255.240
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.16.1.160 255.255.255.240
nat (inside) 10 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
http 172.16.1.160 255.255.255.240 inside
http 0.0.0.0 0.0.0.0 outside

ssh timeout 30
console timeout 0
vpdn group chn request dialout pppoe
vpdn group chn localname

vpdn group chn ppp authentication chap
vpdn username password store-local
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
prompt hostname context
Cryptochecksum:ee639b7d0becf0bc260eff2b856b8ba0
: end
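
The check requested earlier in the thread (look for an icmp deny rule and see which ACLs are actually applied), run over the posted configuration. This is an added example, not part of the original posts; the function name audit_icmp and the embedded sample (copied from the config above) are constructed for illustration.

```python
# Constructed sample: the ICMP- and ACL-related lines of the running-config
# posted above (the wrapped inside_access_in line is shown joined).
SAMPLE_CONFIG = """\
access-list inside extended permit ip any any
access-list 100 extended permit icmp any any
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit icmp 172.16.1.160 255.255.255.240 any
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
access-group outside_access_in in interface outside
"""


def audit_icmp(config: str) -> dict:
    """Summarise ASA 'icmp' rules and ACL bindings found in a config dump.

    'icmp permit|deny ... <if_name>' rules govern ICMP addressed to the ASA's
    own interfaces; an access-list only filters traffic once an 'access-group'
    line binds it to an interface.
    """
    acls, bound, icmp_rules = set(), {}, {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 3:
            continue
        if tok[0] == "access-list":
            acls.add(tok[1])
        elif tok[0] == "access-group" and len(tok) >= 5 and tok[3] == "interface":
            bound[tok[1]] = (tok[2], tok[4])  # ACL -> (direction, interface)
        elif tok[0] == "icmp" and tok[1] in ("permit", "deny") and len(tok) >= 4:
            # The last token is the interface name; the middle is the match.
            rule = (tok[1], " ".join(tok[2:-1]))
            icmp_rules.setdefault(tok[-1], []).append(rule)
    return {
        "icmp_rules": icmp_rules,
        "deny_interfaces": sorted(
            i for i, rules in icmp_rules.items() if any(a == "deny" for a, _ in rules)
        ),
        "bound": bound,
        "unbound_acls": sorted(acls - set(bound)),
    }


if __name__ == "__main__":
    for key, value in audit_icmp(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

On the posted configuration this reports no icmp deny rule on either interface and three access lists (100, inside, inside_access_in) that are defined but not bound by any access-group.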

Hello Nitesh,

Would you please also provide the log that you are getting?

Cheers

Mike


What log? Can you tell me what you are looking for?

Please let me know what all you need. I will try to get to you asap.

Thanks a lot

Hello,

The ICMP deny log, along with the show vpdn and show vpdn tunnel.

Thanks

Mike


PPPoE: send_padi:(Snd) Dest:ffff.ffff.ffff Src:0024.97b7.c010 Type:0x8863=PPPoE-Discovery
PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12
PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000002
PPPoE: PPPoE:(Rcv) Dest:0024.97b7.c010 Src:0030.8802.ad86 Type:0x8863=PPPoE-Discovery
PPPoE: Ver:1 Type:1 Code:07=PADO Sess:0 Len:154
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000002
PPPoE: Type:0102:ACNAME-AC Name Len:33
PPPoE:

PPPoE: chd-ras-bng-s17-02-B221E120605020

PPPoE: Type:0101:SVCNAME-Service Name Len:12
PPPoE: ftth.bsnl.in

PPPoE: Type:0101:SVCNAME-Service Name Len:12
PPPoE: operation.in

PPPoE: Type:0101:SVCNAME-Service Name Len:17
PPPoE: education2home.in

PPPoE: Type:0101:SVCNAME-Service Name Len:18
PPPoE: sancharsoftupe.com

PPPoE: Type:0101:SVCNAME-Service Name Len:17
PPPoE: sancharsoftpb.com

PPPoE: Type:0101:SVCNAME-Service Name Len:9
PPPoE: qabsnl.in

PPPoE: PADO

PPPoE: PPPoE: Service name 'any' not found in PADO

PPPoE: send_padr:(Snd) Dest:0030.8802.ad86 Src:0024.97b7.c010 Type:0x8863=PPPoE-Discovery
PPPoE: Ver:1 Type:1 Code:19=PADR Sess:0 Len:154
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000002
PPPoE: Type:0102:ACNAME-AC Name Len:33
PPPoE:

PPPoE: chd-ras-bng-s17-02-B221E120605020

PPPoE: Type:0101:SVCNAME-Service Name Len:12
PPPoE: ftth.bsnl.in

PPPoE: Type:0101:SVCNAME-Service Name Len:12
PPPoE: operation.in

PPPoE: Type:0101:SVCNAME-Service Name Len:17
PPPoE: education2home.in

PPPoE: Type:0101:SVCNAME-Service Name Len:18
PPPoE: sancharsoftupe.com

PPPoE: Type:0101:SVCNAME-Service Name Len:17
PPPoE: sancharsoftpb.com

PPPoE: Type:0101:SVCNAME-Service Name Len:9
PPPoE: qabsnl.in

PPPoE: PPPoE:(Rcv) Dest:0024.97b7.c010 Src:0030.8802.ad86 Type:0x8863=PPPoE-Discovery
PPPoE: Ver:1 Type:1 Code:65=PADS Sess:3135 Len:154
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000002
PPPoE: Type:0101:SVCNAME-Service Name Len:12
PPPoE: ftth.bsnl.in

PPPoE: Type:0101:SVCNAME-Service Name Len:12
PPPoE: operation.in

PPPoE: Type:0101:SVCNAME-Service Name Len:17
PPPoE: education2home.in

PPPoE: Type:0101:SVCNAME-Service Name Len:18
PPPoE: sancharsoftupe.com

PPPoE: Type:0101:SVCNAME-Service Name Len:17
PPPoE: sancharsoftpb.com

PPPoE: Type:0101:SVCNAME-Service Name Len:9
PPPoE: qabsnl.in

PPPoE: Type:0102:ACNAME-AC Name Len:33
PPPoE:

PPPoE: chd-ras-bng-s17-02-B221E120605020

PPPoE: PADS

PPPoE: IN PADS from PPPoE tunnel

PPPoE: Service name 'any' not found in PADS

PPPoE: Opening PPP link and starting negotiations.

PPPoE: PPPoE:(Rcv) Dest:0024.97b7.c010 Src:0030.8802.ad86 Type:0x8863=PPPoE-Discovery
PPPoE: Ver:1 Type:1 Code:D3=Unknown Code Sess:3135 Len:25
PPPoE: Type:0111:Unknown tag type Len:21
PPPoE: http://www.bsnl.co.in

PPPoE: Unknown tag type Type:0111

Can you collect the show vpdn tunnel and the log that you get for ICMP being blocked? Can you try to access the internet (http traffic) instead of only icmp?

Cheers

Mike
