12-06-2010 07:30 AM - edited 03-11-2019 12:18 PM
Hi,
I have configured my ASA 8.0 as a PPPoE client on the outside interface. My PPPoE is getting authenticated and then getting the IP address from the router. But when I am trying to ping the default gateway it's not giving me a reply. Secondly, when I try to ping my outside interface from outside it doesn't reply back and says in ASDM blocked due to icmp code 0 type 8. Even after allowing that, I am not able to ping the outside interface. When I do a packet tracer from CLI it gives me a "packet is always deny by implicit ACL".
Please help me out. I can't figure out the mistake.
Nitesh
12-06-2010 07:45 AM
Hello Nitesh,
Seems like you have an implicit rule denying the ICMP traffic. Would you please do a sh run icmp? Check if you have a deny any or a deny icmp outside... If you like, you can paste the output, I'll help you out with this one.
Cheers
Mike
12-06-2010 07:51 AM
Hi,
I have applied icmp permit inside and outside and permit icmp any any on the interface also, but I am still getting the same error.
I will try getting you the show run.
12-06-2010 07:55 AM
ciscoasa# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.1.168 255.255.255.240
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group CHN
ip address pppoe setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list inside extended permit ip any any
access-list 100 extended permit icmp any any
access-list 100 extended permit icmp any any timestamp-reply
access-list 100 extended permit icmp any any timestamp-request
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit icmp 172.16.1.160 255.255.255.240 any
access-list inside_access_in extended permit ip 172.16.1.160 255.255.255.240 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool Intl 172.16.1.160 mask 255.255.255.240
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.16.1.160 255.255.255.240
nat (inside) 10 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
http 172.16.1.160 255.255.255.240 inside
http 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
vpdn group chn request dialout pppoe
vpdn group chn localname
vpdn group chn ppp authentication chap
vpdn username
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
prompt hostname context
Cryptochecksum:ee639b7d0becf0bc260eff2b856b8ba0
: end
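Added example, not part of any post in this thread: a small Python check that reads an ASA running-config like the one above and reports which access-lists are bound to an interface with `access-group`, plus any management listeners open to any address on a security-level 0 interface. The function name `audit` and the embedded sample (lines excerpted from the posted configuration) are assumptions of this example.

```python
import re

# Constructed sample: lines excerpted from the running-config posted in this thread.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
access-list inside extended permit ip any any
access-list 100 extended permit icmp any any
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip 172.16.1.160 255.255.255.240 any
access-group outside_access_in in interface outside
http 0.0.0.0 0.0.0.0 inside
http 172.16.1.160 255.255.255.240 inside
http 0.0.0.0 0.0.0.0 outside
"""

def audit(config):
    """Report ACL bindings and wide-open management access (hypothetical helper)."""
    defined, bound, levels, mgmt = [], {}, {}, []
    nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                      # new interface block starts
        elif m := re.match(r"nameif (\S+)", line):
            nameif = m.group(1)
        elif m := re.match(r"security-level (\d+)", line):
            if nameif:
                levels[nameif] = int(m.group(1))
        elif m := re.match(r"access-list (\S+) ", line):
            if m.group(1) not in defined:
                defined.append(m.group(1))
        elif m := re.match(r"access-group (\S+) (in|out) interface (\S+)", line):
            bound[m.group(1)] = (m.group(3), m.group(2))
        elif m := re.match(r"(http|ssh|telnet) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            mgmt.append((m.group(1), m.group(2)))
    return {
        # "unbound" means no access-group references it; NAT or VPN may still use it
        "unbound_acls": [a for a in defined if a not in bound],
        "bound_acls": bound,
        "open_mgmt_on_level0": [(p, i) for p, i in mgmt if levels.get(i) == 0],
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(key, value)
```

An access-list that is defined but never referenced by an `access-group` line does not filter traffic through any interface, so entries added to it have no effect on what `packet-tracer` reports.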
12-06-2010 07:56 AM
Hello Nitesh,
Would you please also provide the log that you are getting?
Cheers
Mike
12-06-2010 08:01 AM
What log? Can you tell me what you are looking for?
12-06-2010 08:04 AM
Please let me know what all you need. I will try to get to you asap.
Thanks a lot
12-06-2010 08:06 AM
Hello,
The ICMP deny log, along with the show vpdn and show vpdn tunnel.
Thanks
Mike
12-06-2010 08:44 AM
PPPoE: send_padi:(Snd) Dest:ffff.ffff.ffff Src:0024.97b7.c010 Type:0x8863=PPPoE-Discovery
PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12
PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000002
PPPoE: PPPoE:(Rcv) Dest:0024.97b7.c010 Src:0030.8802.ad86 Type:0x8863=PPPoE-Discovery
PPPoE: Ver:1 Type:1 Code:07=PADO Sess:0 Len:154
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000002
PPPoE: Type:0102:ACNAME-AC Name Len:33
PPPoE:
PPPoE: chd-ras-bng-s17-02-B221E120605020
PPPoE: Type:0101:SVCNAME-Service Name Len:12
PPPoE: ftth.bsnl.in
PPPoE: Type:0101:SVCNAME-Service Name Len:12
PPPoE: operation.in
PPPoE: Type:0101:SVCNAME-Service Name Len:17
PPPoE: education2home.in
PPPoE: Type:0101:SVCNAME-Service Name Len:18
PPPoE: sancharsoftupe.com
PPPoE: Type:0101:SVCNAME-Service Name Len:17
PPPoE: sancharsoftpb.com
PPPoE: Type:0101:SVCNAME-Service Name Len:9
PPPoE: qabsnl.in
PPPoE: PADO
PPPoE: PPPoE: Service name 'any' not found in PADO
PPPoE: send_padr:(Snd) Dest:0030.8802.ad86 Src:0024.97b7.c010 Type:0x8863=PPPoE-Discovery
PPPoE: Ver:1 Type:1 Code:19=PADR Sess:0 Len:154
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000002
PPPoE: Type:0102:ACNAME-AC Name Len:33
PPPoE:
PPPoE: chd-ras-bng-s17-02-B221E120605020
PPPoE: Type:0101:SVCNAME-Service Name Len:12
PPPoE: ftth.bsnl.in
PPPoE: Type:0101:SVCNAME-Service Name Len:12
PPPoE: operation.in
PPPoE: Type:0101:SVCNAME-Service Name Len:17
PPPoE: education2home.in
PPPoE: Type:0101:SVCNAME-Service Name Len:18
PPPoE: sancharsoftupe.com
PPPoE: Type:0101:SVCNAME-Service Name Len:17
PPPoE: sancharsoftpb.com
PPPoE: Type:0101:SVCNAME-Service Name Len:9
PPPoE: qabsnl.in
PPPoE: PPPoE:(Rcv) Dest:0024.97b7.c010 Src:0030.8802.ad86 Type:0x8863=PPPoE-Discovery
PPPoE: Ver:1 Type:1 Code:65=PADS Sess:3135 Len:154
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000002
PPPoE: Type:0101:SVCNAME-Service Name Len:12
PPPoE: ftth.bsnl.in
PPPoE: Type:0101:SVCNAME-Service Name Len:12
PPPoE: operation.in
PPPoE: Type:0101:SVCNAME-Service Name Len:17
PPPoE: education2home.in
PPPoE: Type:0101:SVCNAME-Service Name Len:18
PPPoE: sancharsoftupe.com
PPPoE: Type:0101:SVCNAME-Service Name Len:17
PPPoE: sancharsoftpb.com
PPPoE: Type:0101:SVCNAME-Service Name Len:9
PPPoE: qabsnl.in
PPPoE: Type:0102:ACNAME-AC Name Len:33
PPPoE:
PPPoE: chd-ras-bng-s17-02-B221E120605020
PPPoE: PADS
PPPoE: IN PADS from PPPoE tunnel
PPPoE: Service name 'any' not found in PADS
PPPoE: Opening PPP link and starting negotiations.
PPPoE: PPPoE:(Rcv) Dest:0024.97b7.c010 Src:0030.8802.ad86 Type:0x8863=PPPoE-Discovery
PPPoE: Ver:1 Type:1 Code:D3=Unknown Code Sess:3135 Len:25
PPPoE: Type:0111:Unknown tag type Len:21
PPPoE: http://www.bsnl.co.in
PPPoE: Unknown tag type Type:0111
12-06-2010 08:59 AM
Can you collect the show vpdn tunnel and the log that you get for ICMP being blocked? Can you try to access the internet (http traffic) instead of only icmp?
Cheers
Mike