Connect ASA 5515X to CenturyLink ONT

tom, Level 1

Hello,

 

I am somewhat new to Cisco, so I apologize if this is in the wrong forum. I am attempting to replace my CenturyLink modem with my ASA 5515-X. I configured an interface using PPPoE and the credentials they provided. I also put the public IP address in the "IP Address and Route Settings" box of the ASDM configuration tool (sorry, I am not as fast with the CLI). The interface shows "down" when I connect everything, however.

 

Apparently they can see syncing occurring when I attach the 5515, so I assume the PPPoE is set up correctly. Any and all help here would be appreciated. Is there a link to instructions on how to do this somewhere?

 

In talking with CenturyLink they also want me to set two things: VPI to 0 and VCI to 32. What exactly are these? And where would I set them?

Accepted Solution

I have no idea what a CenturyLink modem is; I have never seen this box in my life. Anyway, let me assume your Firewall 5515 is connected to this modem, so here is what you need to do.

 

You can see this link for PPPoE setup on the firewall:

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110322-asa-pppoe-00.html

 

 

On the CLI:

 

interface gig1/1
 nameif outside
 ip address dhcp setroute
 no shut
!
interface gig1/2
 nameif inside
 ! the inside interface needs a host address: 192.168.1.0 is the network
 ! address of this /24 and the ASA rejects it as an interface IP
 ip address 192.168.1.1 255.255.255.0
 no shut
!
object network INSIDE
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
write memory

 

 

 

192.168.1.0/24 is your network behind the firewall. You can change this accordingly.

Please do not forget to rate.


15 Replies


Thanks.

 

I am trying to configure an interface with three things:

 

PPPoE

VPI

VCI

 

 

I think I set up the PPPoE correctly, but the VPI and VCI are an issue. I need to set the VPI to 0 and the VCI to 32.

 

This is connecting directly to a CenturyLink fiber termination panel and avoiding the modem altogether.

As per my knowledge this is not possible; I may be wrong.

 

I found a link that might help you, ASA and CenturyLink modem:

https://www.experts-exchange.com/questions/28252637/Getting-Cisco-ASA-5505-and-Actiontec-M1000-DSL-Modem-to-work-together.html

Please do not forget to rate.

Thanks.

 

I went through the same thing that person did.  I got the modem to bridge mode and the ASA is connecting using DHCP.  Thanks for that.  If anyone else goes through this process I suggest the link earlier in this thread.  That is what I did and the DHCP portion worked fine.

 

I need to set the static IP now.  I think I have a rule issue though - When I set the IP the packet tracer allows things to the internet but I cannot browse.  

 

Here is what I have done so far:

 

1. Put the IP address in the PPPoE IP address and route settings dialog box.

2. I put the net mask there (but it kicks it out, as it expects 255.255.255.0 and mine is 255.255.255.248).

3. Put a static route of 0 0 GW IP address on the outside interface.

 

As I understand it that should work?

I need to set the static IP now.  I think I have a rule issue though - When I set the IP the packet tracer allows things to the internet but I cannot browse.  

 

Here is what I have done so far:

 

1. Put the IP address in the PPPoE IP address and route settings dialog box.

2. I put the net mask there (but it kicks it out, as it expects 255.255.255.0 and mine is 255.255.255.248).

3. Put a static route of 0 0 GW IP address on the outside interface.

 

As I understand it that should work?

=================================================================

 

You need to add these commands to the ASA interface that is classed as outside and connected to the modem:

!
interface gig0/1
 nameif outside
 security-level 0
 !--- Specify a VPDN group for the PPPoE client
 pppoe client vpdn group CHN
 !--- "ip address pppoe [setroute]"
 !--- The setroute option sets the default route when the PPPoE client has
 !--- not yet established a connection. When you use the setroute option, you
 !--- cannot use a statically defined route in the configuration.
 !--- PPPoE is not supported in conjunction with DHCP because with PPPoE
 !--- the IP address is assigned by PPP. The setroute option causes a default
 !--- route to be created if no default route exists.
 !--- Enter the ip address pppoe command in order to enable the
 !--- PPPoE client from interface configuration mode.
 ip address pppoe
!

You also need a NAT rule, if you have configured the inside interface:

!
interface gig0/2
 nameif inside
 ! host address; 192.168.1.0 is the network address and the ASA rejects it
 ip address 192.168.1.1 255.255.255.0
 no shut
!
object network INTERNAL
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!

 

 

 

 

 

 

"I put the net mask there (but it kicks it out as it expects 255.255.255.0 and mine is 255.255.255.248)"

Is that the address from your modem to your ASA?

 

please do not forget to rate.

Well, that's weird. I think I did everything and it still doesn't exactly work. Here is the original show run:

 

interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.7.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group qwest
 ip address pppoe setroute
!
boot system disk0:/asa924-k8.bin
boot system disk0:/asa916-k8.bin
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging enable
logging buffer-size 1048576
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.200.0 255.255.255.0 inside
http 192.168.7.1 255.255.255.255 inside
http 192.168.7.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group qwest request dialout pppoe
vpdn group qwest localname essentialcfocent
vpdn group qwest ppp authentication pap
vpdn username ##### password *****

dhcpd lease 7200
!
dhcpd address 192.168.7.160-192.168.7.180 inside
dhcpd dns 192.168.7.31 192.168.7.16 interface inside
dhcpd lease 7200 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username *** password ****** encrypted privilege 15
username *** password *** encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:####
: end

 

 

When I make the changes I get these messages:

 

[OK] no vpdn group qwest ppp authentication pap
[OK] vpdn group qwest ppp authentication chap
[OK] Interface vlan2
      Interface vlan2
[WARNING] ip address  63.227.7.41 255.255.255.248 pppoe
                 Ignoring netmask. Netmask must be 255.255.255.255 for pppoe interface.

 

 

And here is the configuration after the changes:

 

ASA Version 9.2(4)
!
hostname homeASA
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group qwest
 ip address xx.xxx.xx.xx 255.255.255.248 pppoe
!
boot system disk0:/asa924-k8.bin
boot system disk0:/asa916-k8.bin
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging enable
logging buffer-size 1048576
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
route inside 0.0.0.0 0.0.0.0 63.227.7.46 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.200.0 255.255.255.0 inside
http 192.168.7.1 255.255.255.255 inside
http 192.168.7.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group qwest request dialout pppoe
vpdn group qwest localname essentialcfocent
vpdn group qwest ppp authentication chap
vpdn username xxxxxx password *****

dhcpd lease 7200
!
dhcpd address 192.168.7.160-192.168.7.180 inside
dhcpd dns 192.168.7.31 192.168.7.16 interface inside
dhcpd lease 7200 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username xxxx password xxxxxx encrypted privilege 15
username xxx password xxxxxxx encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:xxxxxxxx
: end

homeASA(config-if)#

 

 

I think I did everything correctly?  Yet I cannot get through?

 

Thanks so much for the help btw.

Change the bold statement (the dhcpd dns line):

 

dhcpd address 192.168.7.160-192.168.7.180 inside

dhcpd dns 192.168.7.16 192.168.7.31 interface inside

dhcpd lease 7200 interface inside

dhcpd enable inside

=====================================

Give me the output of this command:

packet-tracer input inside tcp 192.168.7.165 12345 8.8.8.8 443 detailed

 

Please do not forget to rate.

homeASA(config)# packet-tracer input inside tcp 192.168.7.165 12345 8.8.8.8 44$

Result:
input-interface: inside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

homeASA(config)#

 

 

But there is a route?  Is there a nat rule inside to outside that I am missing?


interface Ethernet0/0
 switchport access vlan 2
!
!

interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group qwest
ip address xx.xxx.xx.xx 255.255.255.248 pppoe
!

Your VLAN 2 is mapped to Eth0/0 (outside). How come your VLAN 1 (inside) is not mapped to any interface? Am I missing something here?

 

And why do you have this route: route inside 0.0.0.0 0.0.0.0 63.227.7.46 1?

It should be like this: route outside 0.0.0.0 0.0.0.0 63.227.7.46. However, having said that, if you put the setroute keyword on your outside interface then you don't need to define a route.

 

-------

 

 

Run these commands:

 

show nameif

show ip address

!

and give us the output.

Please do not forget to rate.

homeASA(config)# show nameif
Interface   Name      Security
Vlan1       inside    100
Vlan2       outside   0
homeASA(config)# show ip address
System IP Addresses:
Interface   Name      IP address     Subnet mask       Method
Vlan1       inside    192.168.7.1    255.255.255.0     manual
Vlan2       outside   63.227.7.41    255.255.255.248   manual
Current IP Addresses:
Interface   Name      IP address     Subnet mask       Method
Vlan1       inside    192.168.7.1    255.255.255.0     manual

Why do you have this route: route inside 0.0.0.0 0.0.0.0 63.227.7.46 1?

It should be like this: route outside 0.0.0.0 0.0.0.0 63.227.7.46. However, having said that, if you put the setroute keyword on your outside interface then you don't need to define a route.

Please do not forget to rate.
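The route and netmask problems above (a default route pointing out the inside interface, a static PPPoE address with a /29 mask the ASA then ignores, a static default route alongside setroute, and the network address used as an interface IP in the earlier gig1/2 example) are all visible in the text of a running-config. The following Python linter is an added example, not code from the thread or from Cisco: it parses the interface, route and NAT lines of a pasted config and reports those mistakes. The sample configs are constructed from the excerpts posted in this thread (63.227.7.41/.46 are the addresses already shown in the ASA warning and route line); the rule names, the Finding and Iface types and the uplink heuristic (PPPoE/DHCP client or security-level 0) are this example's own.

```python
"""Lint an ASA running-config for the PPPoE / default-route mistakes seen in this thread."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the interfaces, NAT and route as posted "after the changes".
SAMPLE_POSTED = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.7.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group qwest
 ip address 63.227.7.41 255.255.255.248 pppoe
!
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
route inside 0.0.0.0 0.0.0.0 63.227.7.46 1
"""
# Constructed sample: same box with the fix that ended the thread
# (let PPPoE assign the address and install the default route, no static route).
SAMPLE_FIXED = SAMPLE_POSTED.replace(
    "ip address 63.227.7.41 255.255.255.248 pppoe", "ip address pppoe setroute"
).replace("route inside 0.0.0.0 0.0.0.0 63.227.7.46 1\n", "")

# Keywords that belong inside an interface block; any other line ends the block
# (indentation cannot be trusted in a pasted config).
IFACE_BODY = {"nameif", "security-level", "ip", "ipv6", "pppoe", "no", "shutdown",
              "description", "switchport", "speed", "duplex", "vlan"}
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
NAT_RE = re.compile(r"^nat\s+\((\S+),(\S+)\)\s+dynamic\s+interface")


@dataclass
class Finding:
    rule: str
    where: str
    message: str


@dataclass
class Iface:
    name: str
    nameif: Optional[str] = None
    seclevel: Optional[int] = None
    addr: Optional[ipaddress.IPv4Interface] = None  # statically typed address, if any
    method: str = "none"                             # static | pppoe | dhcp
    setroute: bool = False


def _apply(iface: Iface, toks: List[str]) -> None:
    """Record the interface-level facts the checks need."""
    if toks[0] == "nameif" and len(toks) > 1:
        iface.nameif = toks[1]
    elif toks[0] == "security-level" and len(toks) > 1:
        iface.seclevel = int(toks[1])
    elif toks[:2] == ["ip", "address"] and len(toks) > 2:
        rest = toks[2:]
        if rest[0] in ("dhcp", "pppoe"):      # "ip address pppoe [setroute]"
            iface.method, iface.setroute = rest[0], "setroute" in rest
        elif len(rest) >= 2:                  # "ip address A M [pppoe [setroute]]"
            iface.addr = ipaddress.IPv4Interface(f"{rest[0]}/{rest[1]}")
            iface.method = "pppoe" if "pppoe" in rest else "static"
            iface.setroute = "setroute" in rest


def parse_interfaces(config: str) -> Dict[str, Iface]:
    ifaces: Dict[str, Iface] = {}
    cur: Optional[Iface] = None
    for raw in config.splitlines():
        toks = raw.split()
        if not toks:
            continue
        if toks[0] == "interface" and len(toks) > 1:
            cur = Iface(name=" ".join(toks[1:]))
            ifaces[cur.name] = cur
        elif cur is not None and toks[0] in IFACE_BODY:
            _apply(cur, toks)
        else:
            cur = None                        # "!", "object", "route", ... end the block
    return ifaces


def lint(config: str) -> List[Finding]:
    out: List[Finding] = []
    ifaces = parse_interfaces(config)
    by_nameif = {i.nameif: i for i in ifaces.values() if i.nameif}
    uplinks = {i.nameif for i in ifaces.values()
               if i.nameif and (i.method in ("pppoe", "dhcp") or i.seclevel == 0)}

    for i in ifaces.values():
        if i.addr is None:
            continue
        if i.method == "pppoe" and i.addr.network.prefixlen != 32:
            out.append(Finding("PPPOE_MASK", i.name, f"static PPPoE address needs mask "
                               f"255.255.255.255, got {i.addr.netmask}; the ASA ignores it"))
        elif (i.method == "static" and i.addr.network.prefixlen < 31
              and i.addr.ip == i.addr.network.network_address):
            out.append(Finding("NET_ADDR", i.name,
                               f"{i.addr.ip} is the network address, not a host address"))

    defaults: List[Tuple[str, ipaddress.IPv4Address]] = []
    for raw in config.splitlines():
        m = ROUTE_RE.match(raw.strip())
        if m and m.group(2) == "0.0.0.0" and m.group(3) == "0.0.0.0":
            defaults.append((m.group(1), ipaddress.IPv4Address(m.group(4))))
    for nameif, gw in defaults:
        via = by_nameif.get(nameif)
        if via is None:
            out.append(Finding("ROUTE_IFACE", nameif, "default route names an unknown nameif"))
            continue
        if via.setroute:
            out.append(Finding("SETROUTE_CONFLICT", nameif,
                               "static default route and 'setroute' on the same interface"))
        if nameif not in uplinks and (via.addr is None or gw not in via.addr.network):
            out.append(Finding("ROUTE_WRONG_IFACE", nameif,
                               f"default route via {nameif}, but gateway {gw} is not on that subnet"))
    if not defaults and any(by_nameif[u].method in ("pppoe", "dhcp") and not by_nameif[u].setroute
                            for u in uplinks):
        out.append(Finding("NO_DEFAULT_ROUTE", "global",
                           "PPPoE/DHCP uplink without 'setroute' and no static default route"))

    pat_to = {m.group(2) for m in (NAT_RE.match(l.strip()) for l in config.splitlines()) if m}
    if uplinks and not (pat_to & uplinks):
        out.append(Finding("NO_PAT", "global", "no 'nat (...) dynamic interface' toward the uplink"))
    return out


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_POSTED), ("fixed", SAMPLE_FIXED)):
        print(f"== {label}: {len(lint(cfg))} finding(s)")
        for f in lint(cfg):
            print(f"  [{f.rule}] {f.where}: {f.message}")
```

Run it on a `show running-config` capture; the posted sample yields PPPOE_MASK on Vlan2 and ROUTE_WRONG_IFACE for the `route inside` line, while the fixed sample (`ip address pppoe setroute`, no static route, PAT toward outside) yields nothing. The linter checks only the text, so it cannot tell whether the PPPoE session actually came up; `show ip address` (compare the "Current IP Addresses" table with "System IP Addresses") still answers that.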

Even when I put that route to outside it doesn't allow for connections.

 

Very strange. The packet tracer in ASDM shows success when I put in packets to the outside, but I just cannot get there. I cannot even ping anything outside.

Hi Tom, did you manage to sort out your issue?

Please do not forget to rate.

For anyone else who runs into this - radio_city nailed it.  

 

I found that my public GW IP address became my firewall's IP address. I did not need to put an IP address directly on the device in this instance.
