ASA5505 PPPOE not working

roger perkin
Level 2

I am trying to get a Cisco ASA5505 to get onto the internet using PPPOE through a Netgear DG384 ADSL router.

I have the Netgear in Modem only mode - if you put it in Router mode internet access works fine.

When I change it to Modem mode, the error I get on the ASA is PADI timeout.

Looking through the config I think I am missing a Global NAT??

Also not 100% on the best way to set the IP - we have a static IP from the ISP.

Do you set the interface to use DHCP and get this address or set it statically?

Then do you put the setroute option or put in a static?

Any advice appreciated.

Config Below

sh run

: Saved

:

ASA Version 8.4(1)

!

hostname ciscoasa

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.0.254 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

pppoe client vpdn group ***

ip address ******** 255.255.255.252 pppoe setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

clock timezone GMT 0

object network obj_any

subnet 0.0.0.0 0.0.0.0

object service 135er

service tcp source range 1 65000 destination eq 135

object network OFTP

host 192.168.0.50

pager lines 24

logging enable

logging console debugging

logging monitor debugging

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

!

object network obj_any

nat (inside,outside) dynamic interface

object network OFTP

nat (inside,outside) static interface service tcp 3305 3305

!

nat (inside,outside) after-auto source dynamic any interface

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.0.0 255.255.255.0 inside

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer ******

crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA

crypto map outside_map 1 set security-association lifetime seconds 3600

crypto map outside_map interface outside

crypto ikev1 enable inside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

telnet 192.168.0.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

vpdn group *** request dialout pppoe

vpdn group *** localname **************

vpdn group *** ppp authentication pap

vpdn username ******************** password ***** store-local

dhcpd address 192.168.0.20-192.168.0.40 inside

dhcpd auto_config outside interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

tunnel-group *********** type ipsec-l2l

tunnel-group *********** ipsec-attributes

ikev1 pre-shared-key *****

isakmp keepalive disable

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:ef67790477c50f7d22a1c2ff0dc75b47

: end

ciscoasa#   

ciscoasa#

ciscoasa#

ciscoasa#

ciscoasa# PPPoE: send_padi:(Snd) Dest:ffff.ffff.ffff Src:0007.7d0b.7ca5 Type:0x8863=PPPoE-Discovery

PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12

PPPoE: Type:0101:SVCNAME-Service Name Len:0

PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4

PPPoE: 00000003

PPPoE: padi timer expired

PPPoE: send_padi:(Snd) Dest:ffff.ffff.ffff Src:0007.7d0b.7ca5 Type:0x8863=PPPoE-Discovery

PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12

PPPoE: Type:0101:SVCNAME-Service Name Len:0

PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4

PPPoE: 00000003

PPPoE: padi timer expired

PPPoE: send_padi:(Snd) Dest:ffff.ffff.ffff Src:0007.7d0b.7ca5 Type:0x8863=PPPoE-Discovery

PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12

PPPoE: Type:0101:SVCNAME-Service Name Len:0

PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4

PPPoE: 00000003

PPPoE: padi timer expired

PPPoE: send_padi:(Snd) Dest:ffff.ffff.ffff Src:0007.7d0b.7ca5 Type:0x8863=PPPoE-Discovery

PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12

PPPoE: Type:0101:SVCNAME-Service Name Len:0

PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4

PPPoE: 00000003

PPPoE: padi timer expired

PPPoE: send_padi:(Snd) Dest:ffff.ffff.ffff Src:0007.7d0b.7ca5 Type:0x8863=PPPoE-Discovery

PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12

PPPoE: Type:0101:SVCNAME-Service Name Len:0

PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4

PPPoE: 00000003

PPPoE: padi timer expired

5 Replies

varrao
Level 10

In the debugs I can see that the ASA is sending a PPPoE discover to the ISP device, but due to no reply from there, it is timing out. You might want to try this config:

interface Vlan2

nameif outside

security-level 0

pppoe client vpdn group ***

ip address pppoe setroute

If you still get the same error, you might want to consult your ISP regarding it.

Thanks,

Varun

Thanks,
Varun Rao
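
The PADI that the debug output above shows the ASA broadcasting, rebuilt and decoded as an added example (not part of the original thread). The layout follows RFC 2516; the helper names are made up for illustration, and the frame is constructed from the fields printed in the debug lines. It shows where Len:12 comes from: two 4-byte tag headers plus the 4-byte Host-Uniq value.

```python
import struct

ETHERTYPE_DISCOVERY = 0x8863  # "Type:0x8863=PPPoE-Discovery" in the debug
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAGS = {0x0101: "Service-Name", 0x0102: "AC-Name",
        0x0103: "Host-Uniq", 0x0104: "AC-Cookie"}

def mac(text):
    """Convert Cisco dotted MAC notation (0007.7d0b.7ca5) to 6 bytes."""
    return bytes.fromhex(text.replace(".", ""))

def build_padi(src, host_uniq, service_name=b""):
    """Build the broadcast discovery frame a PPPoE client sends first."""
    tags = struct.pack("!HH", 0x0101, len(service_name)) + service_name
    tags += struct.pack("!HH", 0x0103, len(host_uniq)) + host_uniq
    # Ver 1 / Type 1 share one byte (0x11); session id is 0 during discovery.
    pppoe = struct.pack("!BBHH", 0x11, 0x09, 0, len(tags)) + tags
    eth = mac("ffff.ffff.ffff") + mac(src) + struct.pack("!H", ETHERTYPE_DISCOVERY)
    return eth + pppoe

def parse_discovery(frame):
    """Decode an Ethernet + PPPoE discovery frame, rejecting bad lengths."""
    if len(frame) < 20:
        raise ValueError("frame too short for Ethernet + PPPoE header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_DISCOVERY:
        raise ValueError("not a PPPoE discovery frame")
    vertype, code, session, length = struct.unpack("!BBHH", frame[14:20])
    payload = frame[20:20 + length]
    if len(payload) != length:
        raise ValueError("PPPoE length field exceeds frame size")
    tags, off = [], 0
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated tag header")
        ttype, tlen = struct.unpack("!HH", payload[off:off + 4])
        if off + 4 + tlen > length:
            raise ValueError("tag length overruns payload")
        tags.append((TAGS.get(ttype, hex(ttype)), payload[off + 4:off + 4 + tlen]))
        off += 4 + tlen
    return {"broadcast": dst == b"\xff" * 6, "src": src.hex(),
            "ver": vertype >> 4, "type": vertype & 0x0F,
            "code": CODES.get(code, hex(code)), "session": session,
            "length": length, "tags": tags}

# Constructed from the debug fields: Src 0007.7d0b.7ca5, Host-Uniq 00000003.
PADI = build_padi("0007.7d0b.7ca5", bytes.fromhex("00000003"))

if __name__ == "__main__":
    print(parse_discovery(PADI))
```

A reply from an access concentrator would be a unicast frame with code 0x07 (PADO) echoing the same Host-Uniq value; the debug above shows only the PADI being retransmitted after each timer expiry.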

Still not working, I think this may be an ISP issue.

Is it not easier to run the Netgear ADSL in router mode and NAT through to the ASA?

Thanks

Roger

That's right... You might want to discuss it with your ISP and let them know about it.

-Varun

Thanks,
Varun Rao

Varun,

The ISP has come back and said they do not support PPPoE!

Now my only option is to NAT through the Netgear to the ASA?

Is this a doable option?

Roger

Yes, you can do that. You can either do NAT exempt or disable NAT control on the firewall and do the NAT on the Netgear. So the firewall would only allow traffic based on access-list rather than NAT. This might be a feasible option.

Thanks,

Varun

Thanks,
Varun Rao