DSL with PPPoE on PIX 501

msrohman
Level 1

All,

I'm attempting to install a PIX 501 behind an Efficient Networks / Speedstream DSL 5100B modem. I can't get the Internet connection working.

I've set up many of these PIX firewalls using PPPoE in the past. I don't think there is a problem with the config or the PIX, in general.

This is a new site and I'm not familiar with this DSL modem.

Has anyone had any success getting this DSL modem to work with the PIX 501? I'll deal with the VPN later, I'm just trying to get Internet access for now.

As always, thanks for your help.

-Mike

7 Replies

thisisshanky
Level 11

Plug a PC into the modem and see if you are able to get out to the Internet. You might have to configure PPPoE on your PC. Can you paste your configs on the PIX too? I have used Speedstream DSL modems on two occasions and have been able to get them to work.

Here is a sample config for PIX for pppoe

## This will take care of PAT

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

## PPPOE config on the PIX

vpdn group Test request dialout pppoe

vpdn group Test localname

vpdn group Test ppp authentication pap

vpdn username password *********

## The command below will set the default route on pix to the one obtained via PPPOE

ip address outside pppoe setroute

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

You will have to set the pix up for pppoe. If you do a "show int" are you getting an outside address?

Check out the "setroute" command for making the pix a pppoe client.

ip address outside pppoe setroute

also, check out http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00801055dd.shtml

Bob

How did you set up the Speedstream (5100b) DSL modem? I noticed there are only 3 settings for PPPoE capability.

Which one did you set on the modem?

Options:

1. Authentication on modem

2. Authentication on PC

3. Bridging only (on PPPoE)

Here is my config. But I think it's alright. I'm more concerned with the DSL modem at this point.

//Output of PIX config

PIX Version 6.2(1)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxx

passwd xxxx

hostname F254gk01

domain-name sonoco.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list nonat permit ip 192.168.78.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list Hatsville permit ip 192.168.78.0 255.255.255.0 10.0.0.0 255.0.0.0

pager lines 24

logging on

logging buffered debugging

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside pppoe setroute

ip address inside 192.168.78.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

outbound 10 deny 0.0.0.0 0.0.0.0 0 udp

outbound 10 except 10.0.0.0 255.0.0.0 0 udp

outbound 11 deny 0.0.0.0 0.0.0.0 0 tcp

outbound 11 except 10.0.0.0 255.0.0.0 0 tcp

outbound 11 except 0.0.0.0 0.0.0.0 80 tcp

outbound 11 except 0.0.0.0 0.0.0.0 21 tcp

outbound 11 except 0.0.0.0 0.0.0.0 23 tcp

outbound 11 except 0.0.0.0 0.0.0.0 443 tcp

outbound 12 deny 0.0.0.0 0.0.0.0 0 icmp

outbound 12 except 10.0.0.0 255.0.0.0 0 icmp

apply (inside) 12 outgoing_src

apply (inside) 11 outgoing_src

apply (inside) 10 outgoing_src

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set standard esp-des esp-sha-hmac

crypto map corporate 10 ipsec-isakmp

crypto map corporate 10 match address Hatsville

crypto map corporate 10 set peer

crypto map corporate 10 set transform-set standard

crypto map corporate interface outside

isakmp enable outside

isakmp key ******** address netmask 255.255.255.255

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400

telnet 192.168.78.0 255.255.255.0 inside

telnet timeout 60

ssh timeout 60

vpdn group bellsouth request dialout pppoe

vpdn group bellsouth localname user1@bellsouth.net

vpdn group bellsouth ppp authentication chap

vpdn username user1@bellsouth.net password *********

dhcpd address 192.168.78.200-192.168.78.231 inside

dhcpd dns 10.1.45.30 1.10.45.30

dhcpd wins 10.1.45.31 1.10.45.31

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd domain somedomain.com

dhcpd enable inside

terminal width 80

Cryptochecksum:xxxx

: end

[OK]

You can set it to bridged mode if you are enabling PPPOE on PIX. Your configs seem ok to me.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
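
A consistency check for the PPPoE client lines discussed in this thread, as an added example that is not part of any post and not Cisco tooling: it confirms that the outside interface uses PPPoE with `setroute`, that a `vpdn group` requests dialout with a known authentication type, and that its `localname` has a matching `vpdn username` entry. The function name `check_pppoe`, the `BROKEN` sample and its example.net user names are assumptions made for illustration.

```python
import re

# PPPoE lines copied from the full config posted above in this thread.
POSTED = """\
ip address outside pppoe setroute
vpdn group bellsouth request dialout pppoe
vpdn group bellsouth localname user1@bellsouth.net
vpdn group bellsouth ppp authentication chap
vpdn username user1@bellsouth.net password *********
"""

# Constructed broken variant: no setroute, and localname has no matching user.
BROKEN = """\
ip address outside pppoe
vpdn group Test request dialout pppoe
vpdn group Test localname alice@example.net
vpdn group Test ppp authentication pap
vpdn username bob@example.net password *********
"""

def check_pppoe(config):
    """Return a list of problems in the PPPoE client part of a PIX 6.x config."""
    groups, users, outside, problems = {}, set(), None, []
    for line in (l.strip() for l in config.splitlines()):
        if m := re.fullmatch(r"vpdn group (\S+) request dialout pppoe", line):
            groups.setdefault(m[1], {})["dialout"] = True
        elif m := re.fullmatch(r"vpdn group (\S+) localname (\S+)", line):
            groups.setdefault(m[1], {})["localname"] = m[2]
        elif m := re.fullmatch(r"vpdn group (\S+) ppp authentication (\S+)", line):
            groups.setdefault(m[1], {})["auth"] = m[2].lower()
        elif m := re.fullmatch(r"vpdn username (\S+) password \S+", line):
            users.add(m[1])
        elif m := re.fullmatch(r"ip address outside pppoe( setroute)?", line):
            outside = bool(m[1])  # True only when setroute is present
    if outside is None:
        problems.append("outside interface is not a PPPoE client")
    elif not outside:
        problems.append("no setroute: default route is not taken from PPPoE")
    if not any(g.get("dialout") for g in groups.values()):
        problems.append("no vpdn group requests PPPoE dialout")
    for name, g in groups.items():
        if g.get("auth") not in ("pap", "chap", "mschap"):
            problems.append(f"group {name}: ppp authentication missing or unknown")
        if "localname" not in g:
            problems.append(f"group {name}: no localname")
        elif g["localname"] not in users:
            problems.append(f"group {name}: no vpdn username for {g['localname']}")
    return problems

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("broken", BROKEN)):
        print(label, check_pppoe(cfg) or "PPPoE client config is consistent")
```

An empty list only means the PIX side is internally consistent; it says nothing about whether the modem is in bridged mode or whether the ISP accepts the credentials.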

How to recover the password of a Cisco PIX 501?

Here is a link to password recovery on a PIX

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_password_recovery09186a008009478b.shtml

Hope this helps.

Please remember to rate all replies

Thanks a lot, this was absolutely what I was trying to find out.

I have 1 more question: suppose I have 2 offices and I don't want to take leased or dialup and I want to use DSL (via Internet). Do I require a static IP which the ISP will provide, and do I need to pay for that static IP separately?

thanks
