Solved: Re: Cisco ASA traffic through outside (WAN) subinterface

GoldTipu · ‎07-05-2024

Story:

We have ISP they have provided us Huawei bridge type ONT

https://tobtech.en.made-in-china.com/product/wFMTPaioLAbO/China-Huawei-Hn8010ts-Xgs-Pon-Bridging-Type-Ont.html

They asked we can attach our Cisco ASA with the box with VLAN Tagging on the outside interface with PPPoE and will get the public IP address .

I created the subinterface outside and able to see the public ip address assigned with PPPoE to the subinterface .
We tried the same with Outside physical interface but the ISP said that we need VLAN tagging only then it will connect but we cannot have the VLAN Tag on the WAN interface or either i dont know how to do that .

But anyway we got the public ip on the subinterface

Next i checked the rules and allowed all inside traffic through subinterface

Now the issue is that we cannot ping anything ouside and internet is not working , I need to know what else i can check to get the internet working I already allowed all the inside traffic through the subinterface .

Please help and advise.
BR

Gold.

MHM Cisco World · ‎07-05-2024

It mandatory to use setroute

And remove any defualt route via WAN interface

MHM

View solution in original post

MHM Cisco World · ‎07-05-2024

config interface WAN as below
interface g0/0

no shut
!
interface g0/0.<vlan tag>
VLAN <vlan tag>
nameif OUT
no shut

that how you can config it
MHM

GoldTipu · ‎07-05-2024

I am trying this on my WAN interface need more help i think i am doing something wrong. Can you help more on this please ?

ciscoasa(config)# interface gigabitEthernet 1/1
ciscoasa(config-if)# no shutdown
ciscoasa(config)# vlan
ciscoasa(config)# vlan?
ERROR: % Unrecognized command

MHM Cisco World · ‎07-05-2024

the g1/1 is main interface
the subinterface g0/0.10 subinterface for vlan 10

ciscoasa(config)# interface gigabitEthernet 1/1.10
ciscoasa(config)# vlan 10

you can not use vlan tag under main interface

MHM

GoldTipu · ‎07-05-2024

This part is done . I can see the Public IP address after configuring PPPoE .

But the issue is we are unable to ping anyting outisde .
I also created rule allow everything outside .

MHM Cisco World · ‎07-05-2024

Ping from ASA or endpoint connect to ASA ?

MHM

GoldTipu · ‎07-05-2024

Tried with boht ways . Interface / ASA / Host not able to ping outside .

ciscoasa(config)# interface gigabitEthernet 1/1.10
ciscoasa(config-subif)# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
No route to host 4.2.2.2

Success rate is 0 percent (0/1)
ciscoasa(config-subif)# exit
ciscoasa(config)# exit
ciscoasa# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
No route to host 4.2.2.2

Success rate is 0 percent (0/1)

MHM Cisco World · ‎07-05-2024

Under subinterface

ip address pppoe setroute

Did you add setroute ?

Are asa have defualt route via WAN interface?

MHM

GoldTipu · ‎07-05-2024

Could you please send me the commands to set the route.

Thanks.

MHM Cisco World · ‎07-05-2024

""ip address pppoe setroute""

This command must add under subinterface

Note:- shut/ no shut the subinterface to force asa get default route from ISP

MHM Cisco World · ‎07-05-2024

It mandatory to use setroute

And remove any defualt route via WAN interface

MHM

GoldTipu · ‎07-05-2024

OK Thank you nearly there.......

After adding the route command i can ping from the ASA but I i still cannot ping from the inside host .

ciscoasa(config-subif)# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/18/20 ms
ciscoasa(config-subif)#

ciscoasa# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/18/20 ms
ciscoasa#

have to do something more ...

MHM Cisco World · ‎07-05-2024

It time for NAT

You need NATing

MHM

GoldTipu · ‎07-07-2024

Thank you! I will focus on setting up the NAT, as it seems you have effectively resolved the core issue. I will start a new thread for any further assistance needed. Your exceptional help is truly appreciated, and it was enriching to learn from your expertise. I plan to share this exchange with the ISP in case others encounter similar issues.

Have a great weekend,
Best Regards
Gold

MHM Cisco World · ‎07-07-2024

You are so welcome friend
have a nice summer
MHM