

Cisco ASA 5506 - PPPoE configuration and S2S VPN

Dear Friends,

I am new to PPPoE configuration and hence this query.


We currently have an IPSec S2S VPN built between SiteA and SiteB. The ISP at SiteB is now providing us with a PPPoE connection. They provided us a router with a public IP and also provided us with a username and password. (I read and understood that these credentials are used for configuring a PPPoE client.) They didn't provide me with a default gateway or a public IP for my ASA. (So, I also understood from PPPoE documents that we won't be provided those details.)


My query here is: if I don't have a public IP and a public default gateway on my ASA, how would I establish my S2S VPN with SiteA?


I did some research and I think I need to remove the ISP-provided router and configure the public IP on the ASA directly, but I am still confused whether this is the right procedure, and also whether using this command:

#ip address pppoe setroute

would automatically set a default gateway. And if that's the case, do I still need the ip route <default Gateway> command on my ASA?


Request you to share your valuable suggestions to make this configuration work for me. 

Thank you so much in advance.


Cisco Employee

ASA supports IPsec / L2TP over PPPoE.


Here is a sample configuration for Site A (static IP) and Site B (dynamic IP from PPPoE link):


For Site A :

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
crypto isakmp enable outside
! policy number 10 is an assumption, chosen to match Site B
isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *



For Site B :

acl for the interesting traffic(access-list 100 extended permit ip

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 10 match address 100
crypto map newmap 10 set peer
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
crypto isakmp enable outside
isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
tunnel-group (peer's ip address) type ipsec-l2l
tunnel-group (peer's ip address) ipsec-attributes
 pre-shared-key *******


Please make sure to change the parameters and policies as per your requirement.


Regarding your question about the Site B ASA and what default route it needs:

The outside interface will pick an IP based on DHCP.


The default route should point to a specific IP that should be provided by the ISP, or you could find that out by issuing "sh arp" and seeing what is directly connected to the ASA on the outside interface, and then specifying that IP as your GW.
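
Added example, not part of the original answer: a Python check over the IKE/IPsec lines of the two sample configurations above, listing weak or legacy algorithm choices and testing whether the two peers share a phase 1 policy. The weak-algorithm list, the function names and Site A's "isakmp policy 10" header are assumptions of this example.

```python
import re

# Constructed input: IKE/IPsec lines of the two sample configs above; Site A's
# "isakmp policy 10" header is an assumption (the post omits that line).
SITE_A = """crypto ipsec transform-set myset esp-des esp-md5-hmac
isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2"""
SITE_B = """crypto ipsec transform-set myset esp-des esp-md5-hmac
isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2"""
FIELDS = ("authentication", "encryption", "hash", "group")
# Assumption of this example: settings treated as weak or legacy.
WEAK = {"encryption des", "encryption 3des", "hash md5", "hash sha", "group 1",
        "group 2", "group 5", "esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}

def parse(cfg):
    """Return ({policy_number: {field: value}}, {transform_set: [algorithms]})."""
    policies, tsets, cur = {}, {}, None
    for line in cfg.splitlines():
        w = line.split()
        if re.fullmatch(r"(?:crypto )?isakmp policy \d+", " ".join(w)):
            cur = policies.setdefault(int(w[-1]), {})
        elif w[:3] == ["crypto", "ipsec", "transform-set"] and len(w) > 4:
            tsets[w[3]], cur = w[4:], None
        elif cur is not None and len(w) == 2 and w[0] in FIELDS:
            cur[w[0]] = w[1]  # sub-command of the current policy block
        else:
            cur = None  # any other line ends the policy block
    return policies, tsets

def weak_settings(cfg):
    """List every weak or legacy setting the config selects."""
    policies, tsets = parse(cfg)
    found = [f"isakmp policy {n}: {f} {p[f]}" for n, p in sorted(policies.items())
             for f in FIELDS if f"{f} {p.get(f)}" in WEAK]
    found += [f"transform-set {t}: {a}" for t, algs in sorted(tsets.items())
              for a in algs if a in WEAK]
    return found

def phase1_compatible(cfg_a, cfg_b):
    """True if some IKE policy on A sets the same fields as a policy on B."""
    pa, pb = parse(cfg_a)[0], parse(cfg_b)[0]
    return any(a == b for a in pa.values() for b in pb.values())
```

On the sample as posted, phase1_compatible(SITE_A, SITE_B) returns False: the Site A policy lists DES/MD5 and the Site B policy lists 3DES/SHA, so the two listed policies do not match.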


Hi Malkhati,


Thank you so much for your valuable reply. 

I now understand the configuration of SiteA (Static IP) and SiteB (PPPoE), where SiteB acquires the IP via DHCP.

So, I would like to know if we can make SiteB (PPPoE) have a static IP and then use a default gateway.


I was browsing the internet and found this article. It would be very helpful to me if you could take a look at it and see if this configuration where they obtained a static IP (PPPoE) from the ISP and completed the configuration.


Thank you so much.
