Can't Connect to Internet through ASA 5510....

toddyboman
Level 1

Any help would be great......I have made several changes but can't seem to connect to the internet......

I am very new to the cisco and asa world....

Thanks for the help.

Here is my config file...

: Saved
:
ASA Version 8.0(5)
!
hostname asa
enable password m encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.5 255.255.255.0
management-only
!
boot system disk0:/asa805-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (inside) 101 interface
global (outside) 1 111.111.111.11
nat (inside) 1 192.168.10.0 255.255.255.0
nat (inside) 101 0.0.0.0 0.0.0.0
nat (outside) 101 0.0.0.0 0.0.0.0 outside
route outside 0.0.0.0 0.0.0.0 192.168.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.6-192.168.1.254 management
!
dhcpd address 192.168.10.2-192.168.10.30 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username asa password v encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:6f11e3619456492d465bbbec26ff930d
: end
asdm image disk0:/asdm-631.bin
no asdm history enable


Great to hear you are enjoying your weekend

The default gateway for the ASA is incorrect.

It seems incorrect that your outside interface IP address is 111.111.111.11 (with a /30 mask, 111.111.111.11 would be a broadcast address). Can you please double check with your ISP the actual IP address? Unless you are masking the IP address for privacy.

The following default gateway configured is incorrect:

route outside 0.0.0.0 0.0.0.0 192.168.10.1 1

192.168.10.1 is your ASA inside interface. By configuring default gateway towards the ASA inside interface, the traffic will not go out to the Internet.

You would need to remove the above, and configure the next hop ip address towards your ISP (would be in the same subnet as your ASA outside interface given by your ISP). Please check with your ISP what should be the ASA default gateway, then configure the following:

route outside 0.0.0.0 0.0.0.0
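
The checks raised in the reply above (a default route that points at one of the ASA's own interfaces, a next hop outside the outside subnet, an interface address that is the broadcast address of its /30) can be run against a saved config. This is an added example, not code from the thread or from Cisco; the function names are hypothetical and the outside address 203.0.113.2/30 is a constructed documentation address.

```python
import ipaddress

# Constructed sample: the inside address and the route line match the first
# post; the outside address is a documentation address, not from the thread.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.252
interface Ethernet0/1
 nameif inside
 ip address 192.168.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.10.1 1
"""

def parse(config):
    """Return ({nameif: IPv4Interface}, [(nameif, next_hop)]) for default routes."""
    ifaces, routes, name = {}, [], None
    for raw in config.splitlines():
        tok = raw.split()
        try:
            if tok[:1] == ["interface"]:
                name = None  # new interface block; its nameif is not known yet
            elif tok[:1] == ["nameif"] and len(tok) == 2:
                name = tok[1]
            elif tok[:2] == ["ip", "address"] and name and len(tok) >= 4:
                ifaces[name] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
            elif tok[:1] == ["route"] and tok[2:4] == ["0.0.0.0", "0.0.0.0"]:
                routes.append((tok[1], ipaddress.ip_address(tok[4])))
        except (ValueError, IndexError):
            continue  # 'ip address dhcp setroute', masked xxx addresses, short lines
    return ifaces, routes

def check_default_route(config):
    """Return a list of findings; an empty list means none of the checks fired."""
    ifaces, routes = parse(config)
    findings = []
    for name, iface in ifaces.items():
        net = iface.network
        if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
            findings.append(f"{name}: {iface.ip} is the network or broadcast address of {net}")
    for name, hop in routes:
        owners = [n for n, i in ifaces.items() if i.ip == hop]
        if owners:
            findings.append(f"default route via {hop} is the ASA's own {owners[0]} address")
        # A /32 (PPPoE-style) interface has no on-link neighbours to compare against.
        if name in ifaces and ifaces[name].network.prefixlen < 32 \
                and hop not in ifaces[name].network:
            findings.append(f"next hop {hop} is not in the {name} subnet {ifaces[name].network}")
    return findings

if __name__ == "__main__":
    for finding in check_default_route(SAMPLE_CONFIG):
        print(finding)
```
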

Yes I did mask my ISP given static ip for privacy reason.....so the 111.111.111.11 is fake ip......

They have given me 2 static ip addresses.....for privacy purposes I will use

111.111.111.11 and 222.222.222.22.....

So are you saying my outside interface should read

interface Ethernet0/0
nameif outside
security-level 0
ip address 111.111.111.11 255.255.255.252 

Then my route will read the following.....

route outside 0.0.0.0 0.0.0.0 111.111.111.11 1

According to my ISP my default gateway is my First Static IP so using the fake static IPs from above my default gateway would be 111.111.111.11.....

Rudresh Veerappaji
Cisco Employee

Hi ,

Consider the below:

111.111.111.12     ------> ip address of the Gateway (i.e ISP router ip address,) and

111.111.111.11   --------> ip address that needs to be assigned to the ASA,

Internal network-------(inside)ASA(outside)-------------------------(111.111.111.12 )ISP Router----------INTERNET

                                                    (111.111.111.11)

If the above is the setup, you need the following configuration:


interface Ethernet0/0
nameif outside
security-level 0
ip address 111.111.111.11 255.255.255.252

route outside 0.0.0.0 0.0.0.0 111.111.111.12 1

Let me know if this works,

Cheers,

Rudresh V

Do I need to configure my outside interface to accept or handle a PPPoE connection.....since that is what my current ISP-provided modem/router does?

If so I would assume I need to bridge my ISP-provided router.....then add the static IP and my PPPoE configurations to my outside interface....

I believe I do have those configurations.......I changed it to that way last night.......

However I still can't connect.....

Here is my config file......  I obviously have hidden my static ips.....but I have 2 one is xxx.xxx.xxx.13 and the other is xxx.xxx.xxx.14

: Saved
:
ASA Version 8.0(5)
!
hostname x
enable password mrNAzLB3WoDGll7l encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address xxx.xxx.xxx.14 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.5 255.255.255.0
management-only
!
boot system disk0:/asa805-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
pager lines 24
logging enable
logging buffered alerts
logging asdm informational
logging debug-trace
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.13 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.10.2-192.168.10.30 inside
dhcpd enable inside
!
dhcpd address 192.168.1.6-192.168.1.47 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password vx8BkOWfWwvYuBKw encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:411b6627479dcd14b847fdf03cf5b90f
: end
asdm image disk0:/asdm-631.bin
no asdm history enable

Hey,

Well, if your ISP modem is set to the bridged mode and PPPoE is being employed, then you need to configure the ASA as a PPPoE client. You can refer to the following for that:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080ab7ce9.shtml

I also understand that you've been assigned a set of static ip's from the ISP. You will need to get in touch with the ISP and they should be able to direct you on how to configure the modem to always assign a static ip and gateway (from the static ip set you've been assigned) to your ASA using the PPPoE itself (it usually has something to do with the username assigned by your ISP to you).

Hope this helps!

I think I (we) are getting closer!

I have bridged my modem.......set my ASA to a PPPoE configuration.

However my laptop shows it has an Internet connection but I can't load any page.....Google.com, our company website or anything else??

I simply get "this page cannot be displayed".  Almost as if all internet surfing is blocked.....

Thanks!

just for clarification.....xxx.xxx.xxx.1 is my first static ip and xxx.xxx.xxx.2 is my second static ip....  But I question if the second should be used there......since ultimately I will want to use it for my server when I do vpn connections....

Here is my current config......

: Saved
:
ASA Version 8.0(5)
!
hostname g
enable password mrNAzLB3WoDGll7l encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
pppoe client vpdn group cl
ip address xxx.xxx.xxx.1 255.255.255.255 pppoe
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.5 255.255.255.0
management-only
!
boot system disk0:/asa805-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
pager lines 24
logging enable
logging buffered alerts
logging asdm informational
logging debug-trace
mtu outside 1492
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
global (inside) 1 192.168.10.2-192.168.10.30 netmask 255.0.0.0
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group cl request dialout pppoe
vpdn group cl localname learning361
vpdn group cl ppp authentication pap
vpdn username xxxxxxxxx password ********* store-local
dhcpd address 192.168.10.2-192.168.10.30 inside
dhcpd enable inside
!
dhcpd address 192.168.1.6-192.168.1.47 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password vx8BkOWfWwvYuBKw encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:56d7d6089af44b50dd585452a16c5e11
: end
asdm image disk0:/asdm-631.bin
no asdm history enable

Hello,

Can you clarify what xxx.xxx.xxx.2 is? You mentioned that xxx.xxx.xxx.2 is a static IP assigned to you by your ISP. However, I see this line in the config:

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.2 1

The route command should contain the IP address of your default gateway (i.e. the next hop you'll hit when you browse out to the Internet), not an IP address assigned to you. If you're not sure what this should be, check with your ISP and they should be able to tell you. Once you have that, remove that route command and re-enter it using the correct IP.

Hope that helps.

-Mike

Could you post the output of

sh ip

sh route

ping x.x.x.2

ping 4.2.2.2

where x.x.x.2 is the GW that you have configured.

enable logging and post the logs if the pings fail.

conf t

logging on

logging buffered 7

exit

sh logg |  i 4.2.2.2

-KS

kusankar wrote:

Could you post the output of

sh ip

sh route

ping x.x.x.2

ping 4.2.2.2

where x.x.x.2 is the GW that you have configured.

enable logging and post the logs if the pings fail.

conf t

logging on

logging buffered 7

exit

sh logg |  i 4.2.2.2

-KS

xxx.xxx.xxx.1 is my static IP....

Here is the results from

sh ip

System IP Addresses:
Interface                Name                   IP address      Subnet mask                                                Method
Ethernet0/0              outside                xxx.xxx.xxx.1  255.255.255.255                                            manual
Ethernet0/1              inside                 192.168.10.1    255.255.255.0                                              manual
Management0/0            management             192.168.1.5     255.255.255.0                                              CONFIG

Current IP Addresses:
Interface                Name                   IP address      Subnet mask                                                Method
Ethernet0/0              outside                xxx.xxxxxx.1  255.255.255.255                                            manual
Ethernet0/1              inside                 192.168.10.1    255.255.255.0                                              manual
Management0/0            management             192.168.1.5     255.255.255.0                                              CONFIG

show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
      D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is xxx.xxx.xxx.1 to network 0.0.0.0

C    192.168.10.0 255.255.255.0 is directly connected, inside
C    192.168.1.0 255.255.255.0 is directly connected, management
S*   0.0.0.0 0.0.0.0 [1/0] via xxx.xxx.xxx.1, outside

ping 4.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

So I am getting an Unidentified network from the computers I am not connecting to my ASA......so between that and not being able to connect to the Internet I am very confused......any help is greatly appreciated.

THANK YOU ALL!!

Hey Toddy,

Mike here, in the show route, you can see a default route on which you see 0.0.0.0 0.0.0.0 via x.x.x.x, can you please try to ping that x.x.x.x IP and see if you get replies?

Cheers

Mike

Hello Mike -

The xxx.xxx.xxx.1 is my static ip.  According to my ISP the first static ip given to me is my default gateway.

That said, I have my ASA set to establish a PPPoE connection and obtain an IP address using PPPoE.  And the ASA does all this....If I go to my ASDM and monitor my PPPoE Client, my outside interface shows my first static IP.

You asked to ping that x.x.x. IP.  If you are suggesting I do so from another PC that is connected to my inside network, I cannot do that.  For whatever reason, any PC I connect to my inside network, I receive an unidentified network and an IP address conflict....

Thanks for your help

Hello Toddy,

I see, but you cannot have your outside interface IP address as a default gateway, your ISP should assign you a default gateway. Do me a favor, I think I know how we can check this..... Go ahead and connect the PC to the modem, get the IP address and stuff and check with the ipconfig on the command prompt (if windows) if linux ifconfig and check what is the default gateway that you get, also check if you are able to ping 4.2.2.2.

Will be waiting for the reply.

Cheers.

Mike

Interesting stuff Mike.......I only input the Static IP as my default Gateway since 2 different ISP support staff told me that the First Static IP they gave me was also my default gateway........

I took my modem out of bridge mode......hooked my pc up to my modem was able to connect to the internet.....but this completely removes my asa from the equation.....SO

cmd give me....

ipv4 address........192.168.1.47

subnet mask........255.255.255.0

default gateway.....192.168.1.1

ping 4.2.2.2 give me.....

reply from 4.2.2.2: bytes=32 time=33ms TTL=56

reply from 4.2.2.2: bytes=32 time=33ms TTL=56

reply from 4.2.2.2: bytes=32 time=33ms TTL=56

reply from 4.2.2.2: bytes=32 time=33ms TTL=56

Ping statistics for 4.2.2.2:

Packets: sent = 4 Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-sconds:

Minimum = 32ms, Maximum = 33ms, Average = 32ms

Thanks
