Prevent PPPoE encapsulation of traffic with specific destination

bwkingston
Level 1

My ISP requires a PPPoE tunnel to connect, and the modem I use is in transparent bridging mode. If I connect a dedicated interface, specify the network/IP and use NAT, I can connect to the modem management. However, this isn't my preferred setup, as my previous cable ISP used DHCP and any routed traffic out the outside interface destined to 192.168.100.1 would be responded to by the cable modem. I'm assuming that since the traffic with PPPoE is encapsulated, the modem is forwarding everything right out to the link, since I get an ISP router responding to traffic destined to 192.168.0.1 with "no route to host".

Is there a way to exclude 192.168.0.0/24 from being encapsulated by PPPoE while all other traffic isn't? If I have to have multiple VLANs to do this properly that is fine; I'm just lost in finding a way to use one physical port on my ASA 5505. Setting trunking with either the outside or modem VLAN as native on the interface doesn't appear to allow the modem to connect unless outside is the native VLAN.

Thanks for any help.

1 Reply

Hi Bro

Yes, in the old/former way of doing things, the PPPoE is being handled by the Modem, provided by your ISP. For this reason, your Cisco Firewall OUTSIDE interface is able to grab a dynamic private IP Address i.e. 192.168.0.XXX/24 from the Modem (acting as the DHCP server). With dynamic NAT being enabled in your Cisco Firewall, LAN users on the INSIDE of your Cisco Firewall can now browse the internet and also access the Modem’s management webpage.

Now, the PPPoE is being handled by your Cisco Firewall directly. This means, your Cisco Firewall OUTSIDE interface will now grab a dynamic public IP Address from your ISP directly, via your Modem (acting as transparent/bridging device). With dynamic NAT being enabled in your Cisco Firewall, LAN users on the INSIDE of your Cisco Firewall can now browse the internet but cannot access the Modem’s management webpage anymore. This is because the LAN users will appear as public IP, while your Modem is still on private IP, no route. There’s no way to exclude 192.168.0.XXX/24 from being encapsulated by PPPoE.

What I have in mind for you is, use another spare interface in your Cisco Firewall, and connect it directly to the Modem. This interface is strictly for the Modem’s management purposes. With dynamic NAT being enabled in your Cisco Firewall, LAN users on the INSIDE of your Cisco Firewall can now access the Modem’s management webpage.

Here's a sample:

!
! PPPoE-terminating outside interface (address and default route come from the ISP)
interface Vlan3
 nameif outside
 security-level 0
 pppoe client vpdn group TEST
 ip address pppoe setroute
!
! Dedicated interface on the modem's private management subnet
interface Vlan2
 nameif mgmt
 security-level 10
 ip address 192.168.0.10 255.255.255.0
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.100.10 255.255.255.0
!
interface Ethernet0/0
 description ### Link to Modem for Internet ###
 switchport access vlan 3
!
interface Ethernet0/1
 description ### Link to Modem's Management Port for Management Purposes ###
 switchport access vlan 2
!
interface Ethernet0/2
 description ### Link to L2 LAN Hub/Switch ###
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
! PPPoE adds 8 bytes of overhead, hence 1492 on the outside interface
mtu outside 1492
mtu inside 1500
!
! Dynamic PAT: inside hosts appear as the outside (public) or mgmt (192.168.0.10) interface address
global (outside) 1 interface
global (mgmt) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
vpdn group TEST request dialout pppoe
vpdn group TEST localname cisco
vpdn group TEST ppp authentication pap
vpdn username cisco password cisco123
!
access-list inside extended permit ip any any
access-list mgmt extended permit ip any any
access-list outside extended permit ip any any
access-group inside in interface inside
access-group outside in interface outside
access-group mgmt in interface mgmt
!

Warm regards,
Ramraj Sivagnanam Sivajanam
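An added example, not code from the thread or from Cisco, that models the two points in the reply against a constructed config condensed from the sample above: a connected subnet on the dedicated mgmt interface wins the route lookup for 192.168.0.1 (without it, the lookup falls to the PPPoE setroute default), and a quick audit that flags the sample's "permit ip any any" applied inbound on the security-level-0 interface. The parser only understands the handful of ASA config lines used here.

```python
import ipaddress
import re

# Constructed sample, condensed from the reply's posted ASA config.
SAMPLE_CONFIG = """
interface Vlan3
 nameif outside
 security-level 0
 ip address pppoe setroute
interface Vlan2
 nameif mgmt
 security-level 10
 ip address 192.168.0.10 255.255.255.0
access-list outside extended permit ip any any
access-group outside in interface outside
"""

def parse_interfaces(config):
    """Map nameif -> {level, net (connected IPv4Network or None), pppoe}."""
    ifaces, cur = {}, {}          # cur starts as a throwaway dict until 'interface' is seen
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            cur = {"level": None, "net": None, "pppoe": False}
        elif line.startswith("nameif "):
            ifaces[line.split()[1]] = cur
        elif line.startswith("security-level "):
            cur["level"] = int(line.split()[1])
        elif line.startswith("ip address pppoe"):
            cur["pppoe"] = True   # address and default route come from the PPPoE session
        elif line.startswith("ip address "):
            ip, mask = line.split()[2:4]
            cur["net"] = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return ifaces

def egress_interface(ifaces, target):
    """Longest connected-prefix match, else the PPPoE 'setroute' default route."""
    addr = ipaddress.IPv4Address(target)
    hits = [n for n, i in ifaces.items() if i["net"] and addr in i["net"]]
    if hits:
        return max(hits, key=lambda n: ifaces[n]["net"].prefixlen)
    return next((n for n, i in ifaces.items() if i["pppoe"]), None)

def permissive_inbound_acls(config, ifaces):
    """Level-0 interfaces whose inbound access-group permits 'ip any any'."""
    acls = set(re.findall(r"^access-list (\S+) extended permit ip any any$", config, re.M))
    bound = dict(re.findall(r"^access-group (\S+) in interface (\S+)$", config, re.M))
    return sorted(intf for acl, intf in bound.items()
                  if acl in acls and ifaces.get(intf, {}).get("level") == 0)
```

Removing the mgmt interface from the parsed table reproduces the original symptom: 192.168.0.1 is routed out the PPPoE interface, where the modem cannot answer it.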