cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
661
Views
2
Helpful
14
Replies

Cisco ASA traffic through outside (WAN) subinterface

GoldTipu
Level 1
Level 1

Story:

We have ISP they have provided us Huawei bridge type ONT 

https://tobtech.en.made-in-china.com/product/wFMTPaioLAbO/China-Huawei-Hn8010ts-Xgs-Pon-Bridging-Type-Ont.html

They asked we can attach our Cisco ASA with the box with VLAN Tagging on the outside interface with PPPoE and will get the public IP address . 

I created the subinterface outside and able to see the public ip address assigned with PPPoE to the subinterface . 
We tried the same with Outside physical interface but the ISP said that we need VLAN tagging only then it will connect but we cannot have the VLAN Tag on the WAN interface or either i dont know how to do that . 

But anyway we got the public ip on the subinterface 

GoldTipu_0-1720203636610.png

GoldTipu_1-1720203839947.png

 

Next i checked the rules and allowed all inside traffic through subinterface 

GoldTipu_2-1720203941314.png

 

 

GoldTipu_3-1720204085566.png

 

Now the issue is that we cannot ping anything ouside and internet is not working , I need to know what else i can check to get the internet working I already allowed all the inside traffic through the subinterface . 

Please help and advise. 
BR

Gold. 

 

 

1 Accepted Solution

Accepted Solutions

It mandatory to use setroute 

And remove any defualt route via WAN interface 

MHM

View solution in original post

14 Replies 14

config interface WAN as below 
interface g0/0

no shut 
!
interface g0/0.<vlan tag>
VLAN <vlan tag>
nameif OUT 
no shut 

that how you can config it 
MHM

I am trying this on my WAN interface need more help i think i am doing something wrong. Can you help more on this please ? 


ciscoasa(config)# interface gigabitEthernet 1/1
ciscoasa(config-if)# no shutdown
ciscoasa(config)# vlan 
ciscoasa(config)# vlan?
ERROR: % Unrecognized command


 

the g1/1 is main interface 
the subinterface g0/0.10 subinterface for vlan 10 

ciscoasa(config)# interface gigabitEthernet 1/1.10 
ciscoasa(config)# vlan 10 

you can not use vlan tag under main interface 

MHM




This part is done . I can see the Public IP address after configuring PPPoE . 

GoldTipu_0-1720206034800.png



GoldTipu_1-1720206296031.png

 


But the issue is we are unable to ping anyting outisde . 
I also created rule allow everything outside . 

 

Ping from ASA or endpoint connect to ASA ?

MHM

Tried with boht ways .  Interface / ASA / Host not able to ping outside . 


ciscoasa(config)# interface gigabitEthernet 1/1.10
ciscoasa(config-subif)# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
No route to host 4.2.2.2

Success rate is 0 percent (0/1)
ciscoasa(config-subif)# exit
ciscoasa(config)# exit
ciscoasa# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
No route to host 4.2.2.2

Success rate is 0 percent (0/1)



Under subinterface 

ip address pppoe setroute

Did you add setroute ?

Are asa have defualt route via WAN interface?

MHM

 

Could you please send me the commands to set the route.

Thanks.

""ip address pppoe setroute""

This command must add under subinterface 

Note:- shut/ no shut the subinterface to force asa get default route from ISP

It mandatory to use setroute 

And remove any defualt route via WAN interface 

MHM

OK Thank you nearly there....... 

After adding the route command i can ping from the ASA but I i still cannot ping from the inside host . 


ciscoasa(config-subif)# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/18/20 ms
ciscoasa(config-subif)#

ciscoasa# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/18/20 ms
ciscoasa#


have to do something more ... 

 

It time for  NAT

You need NATing 

MHM

Thank you! I will focus on setting up the NAT, as it seems you have effectively resolved the core issue. I will start a new thread for any further assistance needed. Your exceptional help is truly appreciated, and it was enriching to learn from your expertise. I plan to share this exchange with the ISP in case others encounter similar issues.

Have a great weekend,
Best Regards
Gold 

You are so welcome friend 
have a nice summer 
MHM

Review Cisco Networking for a $25 gift card