
PPPoE Client on ASA

joe.ho
Level 1

I am setting up a PPPoE client on the ASA, trying to connect to an ADSL modem. I can confirm the ADSL modem is working fine with my laptop acting as the PPPoE client and I can get to the Internet (username and password from the ISP are correct). I use the following config but I am not getting an IP address on the ASA. Am I missing something here? I put a partial config at the top, with some show and debug commands to follow. Below is the full show run. Thanks for your help.

PPPoE Config

vpdn group PPPOE request dialout pppoe
vpdn group PPPOE localname xxxx@bellnet.ca

vpdn group PPPOE ppp authentication chap
vpdn username xxxx@bellnet.ca password *****

!

interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group PPPOE
ip address pppoe

CWMI-MAT-GW(config)# sh vpdn pppinterface

PPP virtual interface id = 1 was deleted and pending reuse
CWMI-MAT-GW(config)#

CWMI-MAT-GW(config)# show vpdn session state


%No active L2TP tunnels


%No active PPTP tunnels


PPPoE Session Information (Total tunnels=1 sessions=0)


SessID TunID Intf     State       Last Chg
3580      2 outside   PADI_SENT  4714 secs

CWMI-MAT-GW(config)# sh vpdn tunnel pppoe state


PPPoE Tunnel Information (Total tunnels=1 sessions=0)


LocID RemID Last-Chg  Sessions
    2     0 1486 secs       1
CWMI-MAT-GW(config)#


CWMI-MAT-GW(config)# sh int ip b
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  up                    up 
Ethernet0/1                unassigned      YES unset  up                    up 
Ethernet0/2                unassigned      YES unset  down                  down
Ethernet0/3                unassigned      YES unset  down                  down
Ethernet0/4                unassigned      YES unset  down                  down
Ethernet0/5                unassigned      YES unset  down                  down
Ethernet0/6                unassigned      YES unset  down                  down
Ethernet0/7                unassigned      YES unset  down                  down
Internal-Data0/0           unassigned      YES unset  up                    up 
Internal-Data0/1           unassigned      YES unset  up                    up 
Vlan1                      192.168.23.1    YES CONFIG up                    up 
Vlan2                      unassigned      YES manual up                    up 
Virtual0                   127.0.0.1       YES unset  up                    up 
CWMI-MAT-GW(config)#


CWMI-MAT-GW(config)# sh debug
debug ppp auth enabled at level 1
debug pppoe packet enabled at level 1
CWMI-MAT-GW(config)# PPPoE: send_padi:(Snd) Dest:ffff.ffff.ffff Src:001f.9e82.aa54 Type:0x8863=PPPoE-Discovery
PPPoE: Ver:1 Type:1 Code:09=PADI Sess:0 Len:12
PPPoE: Type:0101:SVCNAME-Service Name Len:0
PPPoE: Type:0103:HOSTUNIQ-Host Unique Tag Len:4
PPPoE: 00000002

CWMI-MAT-GW(config)# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname CWMI-MAT-GW
domain-name map.priv
enable password ************* encrypted
passwd ********** encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
description To Internal
nameif inside
security-level 100
ip address 192.168.23.1 255.255.255.0
!
interface Vlan2
description To Internet
nameif outside
security-level 0
pppoe client vpdn group PPPOE
ip address pppoe setroute
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name map.priv
object-group icmp-type icmp_allowed
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable
icmp-object echo
access-list inside_nat0_outbound extended permit ip 192.168.23.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.23.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.23.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.23.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.23.0 255.255.255.0 192.168.22.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.20.0 255.255.252.0 inside
snmp-server host inside 192.168.21.8 community *****
snmp-server location Skymark
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 173.46.12.26
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.20.0 255.255.252.0 inside
telnet timeout 5
ssh 192.168.20.0 255.255.252.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 20
console timeout 0
management-access inside
vpdn group PPPOE request dialout pppoe
vpdn group PPPOE localname xxxx@bellnet.ca
vpdn group PPPOE ppp authentication chap
vpdn username xxxx@bellnet.ca password *****
dhcpd dns 192.168.21.5 192.168.21.11
dhcpd domain map.priv
!
dhcpd address 192.168.23.201-192.168.23.254 inside
dhcpd enable inside
!

priority-queue outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password ************* encrypted privilege 15
tunnel-group 173.46.1.26 type ipsec-l2l
tunnel-group 173.46.1.26 ipsec-attributes
pre-shared-key *****
!
class-map global-class
match default-inspection-traffic
class-map Voice
match precedence 5
!
!
policy-map Voicepolicy
class Voice
  priority
policy-map global-policy
class global-class
  inspect ctiqbe
  inspect dns
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect mgcp
  inspect netbios
  inspect rsh
  inspect sip 
  inspect snmp
  inspect sqlnet
  inspect tftp
  inspect xdmcp
!
service-policy global-policy global
service-policy Voicepolicy interface outside
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:026e367c520e8a4c9e581ab925c8eccf
: end

Accepted Solutions

Julio Carvajal
VIP Alumni

Hello Joe,

Is that the full output you get from the debug?

I mean I can see the firewall sending the PADI message, which is a broadcast sent by the PPPoE client to the other devices out there.

But there is no PADO (Offer from the Modem).

Is there a way you can reload the modem and let us know what happens?

The configuration looks fine.

FYI you do not have any route to the outside world (default gateway) so you should set it manually

route outside 0 0 x.x.x.x

Regards,

Julio

Security Engineer

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
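
The debug lines in the question, decoded as an added example (not part of the original thread and not Cisco code): a small Python parser for PPPoE discovery payloads as laid out in RFC 2516, plus a helper that names the first discovery message missing from a capture. The sample frame is constructed from the debug output above; `parse_discovery` and `stalled_stage` are illustrative names.

```python
import struct

CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAGS = {0x0000: "End-Of-List", 0x0101: "Service-Name", 0x0102: "AC-Name",
        0x0103: "Host-Uniq", 0x0104: "AC-Cookie"}
DISCOVERY_ORDER = ["PADI", "PADO", "PADR", "PADS"]


def parse_discovery(payload: bytes) -> dict:
    """Decode a PPPoE discovery payload (the bytes after EtherType 0x8863)."""
    if len(payload) < 6:
        raise ValueError("shorter than the 6-byte PPPoE header")
    ver_type, code, session, length = struct.unpack("!BBHH", payload[:6])
    if ver_type != 0x11:
        raise ValueError("version and type must both be 1")
    body = payload[6:6 + length]  # ignores any Ethernet padding after the tags
    if len(body) != length:
        raise ValueError("declared length exceeds captured bytes")
    tags, off = [], 0
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated tag header")
        ttype, tlen = struct.unpack("!HH", body[off:off + 4])
        if off + 4 + tlen > length:
            raise ValueError("tag value runs past payload")
        tags.append((TAGS.get(ttype, hex(ttype)), body[off + 4:off + 4 + tlen]))
        off += 4 + tlen
    return {"code": CODES.get(code, hex(code)), "session": session,
            "length": length, "tags": tags}


def stalled_stage(frames: list) -> str:
    """Return the first discovery message never seen, or "" if all four were."""
    seen = {parse_discovery(f)["code"] for f in frames}
    for stage in DISCOVERY_ORDER:
        if stage not in seen:
            return stage
    return ""


# Constructed sample matching the debug: Ver 1, Type 1, Code 09, Sess 0,
# Len 12, empty Service-Name tag, Host-Uniq tag with value 00000002.
PADI = bytes.fromhex("11 09 0000 000c 0101 0000 0103 0004 00000002")

if __name__ == "__main__":
    print(parse_discovery(PADI))
    print("waiting for:", stalled_stage([PADI]))
```

A capture that contains only PADI frames reports `PADO` as the missing stage, which corresponds to the `PADI_SENT` state in the `show vpdn session state` output.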

Thanks for the advice, Julio. Rebooting the modem works.

For people who are interested in the process: I didn't know which authentication type to use, so I tried pap, chap, and mschap on the ASA but no luck. Debug on the ASA doesn't tell me much. I had to use a router and debug to see what is going on. Router connected to PPPoE with issue and from the router debug I can see it is using pap. I switched back to the ASA using PAP and still no luck. Then I rebooted the modem. After 3 to 5 min the ASA is connected. For some reason changing the authentication type on the ASA is not as simple as on the router. The modem doesn't pick up automatically.
