02-18-2011 11:51 AM - edited 03-11-2019 12:53 PM
Please help!
I am trying to configure my Cisco ASA 5505 to use with a Netopia 3347 from AT&T. I have set the Netopia modem into bridge ethernet mode properly, and I have the correct username/password in order to gain access to the Internet, but for some reason the PPPoE configuration is not working properly. I have verified with AT&T that it is authenticating and it is receiving the correct IP address, but I am unable to access the internet. Here is my current configuration:
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(1)
!
hostname EOSasa
enable password qVQaNBP31RadYDLM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group EOS
ip address pppoe
ipv6 enable
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq 9000
access-list outside_access_in extended permit tcp any host 99.23.119.78 object-group DM_INLINE_TCP_1
access-list 100 extended permit tcp any interface outside eq ftp
access-list 100 extended permit tcp any interface outside eq ftp-data
access-list 100 extended permit tcp any host 192.168.1.3 eq ftp
access-list 100 extended permit tcp any host 192.168.1.3 eq ftp-data
access-list 100 extended permit tcp any host 192.168.1.3 eq www
access-list extended extended permit tcp any host 192.168.1.3 eq ftp
access-list extended extended permit tcp any host 192.168.1.3 eq ftp-data
pager lines 24
logging enable
logging asdm errors
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 99.23.119.78 netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp 192.168.1.3 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.1.3 ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.3 www netmask 255.255.255.255
static (inside,outside) tcp interface 9000 192.168.1.3 9000 netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
vpdn group EOS request dialout pppoe
vpdn group EOS localname eossolutions@static.att.net
vpdn group EOS ppp authentication pap
vpdn group linkstation request dialout pppoe
vpdn group linkstation localname eossolutions@static.att.net
vpdn group linkstation ppp authentication pap
vpdn group eossolutions@static.att.net request dialout pppoe
vpdn group eossolutions@static.att.net localname eossolutions@static.att.net
vpdn group eossolutions@static.att.net ppp authentication pap
vpdn username eossolutions@static.att.net password ********* store-local
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.100 inside
dhcpd dns 68.94.156.1 68.94.157.1 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
group-policy Admins internal
group-policy Admins attributes
vpn-tunnel-protocol webvpn
webvpn
url-list none
username adminjk password 4V9t4jYY5NUXyHQF encrypted privilege 0
username adminjk attributes
vpn-group-policy Admins
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map golbal_policy
class inspection_default
inspect ftp
!
service-policy golbal_policy global
prompt hostname context
Cryptochecksum:9c7bb70b23230d9f2fa25ca9751b1a0c
: end
02-18-2011 01:16 PM
Hey,
In your config you have :-
!
interface Ethernet0/5
switchport access vlan 12
!
Should this not be
!
interface Ethernet0/5
switchport access vlan 1
!
Regards
Paul
02-18-2011 02:27 PM
I have gone completely back to the factory configurations so that I can get this PPPoE enabled. I am still unable to get internet access through my firewall but it is correctly authenticating. Please help!
Here are my current configs now:
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(1)
!
hostname EOSasa
enable password qVQaNBP31RadYDLM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group EOS
ip address pppoe
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group EOS request dialout pppoe
vpdn group EOS localname eossolutions@static.att.net
vpdn group EOS ppp authentication pap
vpdn username eossolutions@static.att.net password ********* store-local
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.100 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:062752952a1b963f5c7f7f1febcfe692
: end
02-18-2011 02:39 PM
Hi there,
Can you enter the following command on your unit :-
packet-tracer input inside tcp 192.168.1.10 8888 208.208.208.208 80
And if you can't interpret the output of packet tracer, post the output here for us to see.
Regards
Paul.
02-18-2011 03:00 PM
Result of the command: "packet-tracer input inside tcp 192.168.1.10 8888 208.208.208.208 80"
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Result:
input-interface: inside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host
02-18-2011 08:54 PM
Hi,
You won't have internet access, because the ASA does not have a route to get there... Are you getting an IP address from the PPPoE server? What happens if you do a show ip address outside pppoe?
I think you are also missing the setroute command on the interface... it would be like this:
ip address pppoe setroute
With that command it will ask the PPPoE server for the default gateway in order to access the internet. I am going to be here for a couple more hours. Let me know if you need help.
Cheers
Mike
02-19-2011 12:47 AM
I agree with Maykol,
Your ASA has no route to any network other than the connected subnets as the output of Packet Tracer suggests.
Enter the command :-
ip address pppoe setroute
Under your VLAN 2 interface and you should be good to go.
A Technote describing your situation resides here:-
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080ab7ce9.shtml
Hope this helps.
Regards
Paul.
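Added example, not part of any post in this thread: a small Python check that reads an ASA running-config and reports PPPoE interfaces that have neither the setroute keyword nor a static default route, which is the condition packet-tracer reported above as "no-route". The function name and the trimmed sample config are constructed for illustration; the sample is cut down from the second running-config posted in the thread.

```python
import re

# Constructed sample, trimmed from the second running-config in the thread.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group EOS
 ip address pppoe
!
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Static default route: "route <nameif> 0.0.0.0 0.0.0.0 <gateway>" (or "0 0").
DEFAULT_ROUTE = re.compile(r"route (\S+) (?:0\.0\.0\.0|0) (?:0\.0\.0\.0|0) \S+")


def pppoe_without_default_route(config):
    """Return nameifs of PPPoE interfaces that will not get a default route."""
    nameif = None
    pppoe = {}              # nameif -> True when 'setroute' is present
    static_default = set()  # nameifs that carry a static default route
    for raw in config.splitlines():
        line = raw.strip()  # works on indented and flattened dumps alike
        if line == "!" or line.startswith("interface "):
            nameif = None   # a new block starts; forget the previous nameif
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address pppoe") and nameif:
            pppoe[nameif] = "setroute" in line.split()
        else:
            match = DEFAULT_ROUTE.match(line)
            if match:
                static_default.add(match.group(1))
    return sorted(n for n, has_setroute in pppoe.items()
                  if not has_setroute and n not in static_default)


if __name__ == "__main__":
    for name in pppoe_without_default_route(SAMPLE_CONFIG):
        print(f"{name}: 'ip address pppoe' without setroute or default route")
```
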