08-28-2012 11:18 PM - edited 03-11-2019 04:47 PM
My ISP requires a PPPoE tunnel to connect, and the modem I use is in transparent bridging mode. If I connect a dedicated interface, specify the network/IP and use NAT, I can connect to the modem management. However, this isn't my preferred setup, as my previous cable ISP used DHCP and any routed traffic out the outside interface destined for 192.168.100.1 would be responded to by the cable modem. I'm assuming that since the traffic with PPPoE is encapsulated, the modem is forwarding everything right out to the link, since I get an ISP router responding to traffic destined for 192.168.0.1 with "no route to host".
Is there a way to exclude 192.168.0.0/24 from being encapsulated by PPPoE while all other traffic is? If I have to have multiple VLANs to do this properly, that is fine; I'm just lost in finding a way to use one physical port on my ASA 5505. Setting trunking with either the outside or modem VLAN as native on the interface doesn't appear to allow the modem to connect unless outside is the native VLAN.
Thanks for any help.
09-01-2012 09:25 AM
Hi Bro
Yes, in the old/former way of doing things, the PPPoE is being handled by the modem provided by your ISP. For this reason, your Cisco Firewall OUTSIDE interface is able to grab a dynamic private IP address, i.e. 192.168.0.XXX/24, from the modem (acting as the DHCP server). With dynamic NAT enabled in your Cisco Firewall, LAN users on the INSIDE of your Cisco Firewall can now browse the internet and also access the modem's management webpage.
Now, the PPPoE is being handled by your Cisco Firewall directly. This means your Cisco Firewall OUTSIDE interface will now grab a dynamic public IP address from your ISP directly, via your modem (acting as a transparent/bridging device). With dynamic NAT enabled in your Cisco Firewall, LAN users on the INSIDE of your Cisco Firewall can now browse the internet but cannot access the modem's management webpage anymore. This is because the LAN users will appear with a public IP, while your modem is still on a private IP, so there is no route. There's no way to exclude 192.168.0.XXX/24 from being encapsulated by PPPoE.
What I have in mind for you is to use another spare interface in your Cisco Firewall and connect it directly to the modem. This interface is strictly for the modem's management purposes. With dynamic NAT enabled in your Cisco Firewall, LAN users on the INSIDE of your Cisco Firewall can now access the modem's management webpage.
Here's a sample:
!
! --- VLAN interfaces: outside = PPPoE to the ISP, mgmt = modem's management LAN, inside = your LAN ---
interface Vlan3
 nameif outside
 security-level 0
 pppoe client vpdn group TEST
 ip address pppoe setroute
!
interface Vlan2
 nameif mgmt
 security-level 10
 ip address 192.168.0.10 255.255.255.0
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.100.10 255.255.255.0
!
! --- Physical ports: two separate cables to the modem, one to the LAN switch (Vlan1 by default) ---
interface Ethernet0/0
 description ### Link to Modem for Internet ###
 switchport access vlan 3
!
interface Ethernet0/1
 description ### Link to Modem's Management Port for Management Purposes ###
 switchport access vlan 2
!
interface Ethernet0/2
 description ### Link to L2 LAN Hub/Switch ###
!
! --- Unused ports kept shut down ---
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
! --- MTU: 1492 on outside leaves room for the 8 bytes of PPPoE/PPP overhead ---
mtu outside 1492
mtu inside 1500
!
! --- Dynamic PAT: inside hosts use the interface address when leaving via outside or mgmt ---
global (outside) 1 interface
global (mgmt) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! --- PPPoE client: sample username/password, to be replaced with the ISP-issued login ---
vpdn group TEST request dialout pppoe
vpdn group TEST localname cisco
vpdn group TEST ppp authentication pap
vpdn username cisco password cisco123
!
! --- Sample ACLs: each one permits ip any any, including inbound on the outside interface ---
access-list inside extended permit ip any any
access-list mgmt extended permit ip any any
access-list outside extended permit ip any any
access-group inside in interface inside
access-group outside in interface outside
access-group mgmt in interface mgmt
!
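As an added illustration (not part of either post), here is a small Python routing check that builds the ASA's route table from the interface blocks of the sample above (a connected route for each static address, a 0.0.0.0/0 route for the interface using "pppoe setroute") and does a longest-prefix match. It shows why 192.168.0.1 falls into the PPPoE default route when only the outside interface exists, and leaves through the mgmt VLAN once that interface is added; the outside-only config string is a constructed variant of the same sample.

```python
import ipaddress

# Constructed excerpt of the answer's sample config (interface blocks only).
ASA_WITH_MGMT_VLAN = """\
interface Vlan3
 nameif outside
 security-level 0
 pppoe client vpdn group TEST
 ip address pppoe setroute
!
interface Vlan2
 nameif mgmt
 security-level 10
 ip address 192.168.0.10 255.255.255.0
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.100.10 255.255.255.0
"""
# Constructed variant of the asker's starting point: no mgmt VLAN at all.
ASA_OUTSIDE_ONLY = "\n".join(
    b for b in ASA_WITH_MGMT_VLAN.split("!\n") if "nameif mgmt" not in b)

def parse_routes(config):
    """(network, nameif) routes: a connected route per static 'ip address',
    plus 0.0.0.0/0 via an interface using 'ip address pppoe setroute'."""
    routes, nameif = [], None
    for line in config.splitlines():
        words = line.split() or ["!"]          # blank line -> ignored
        if words[0] == "interface":
            nameif = None                      # new block, nameif not yet seen
        elif words[0] == "nameif":
            nameif = words[1]
        elif words[:2] == ["ip", "address"] and nameif:
            if words[2] == "pppoe":
                if "setroute" in words:        # default route learned from the ISP
                    routes.append((ipaddress.ip_network("0.0.0.0/0"), nameif))
            else:                              # static address + netmask
                net = ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False)
                routes.append((net, nameif))
    return routes

def egress_interface(config, dst):
    """Longest-prefix match: the nameif a packet to dst leaves through, or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, nameif) for net, nameif in parse_routes(config) if addr in net]
    return max(hits)[1] if hits else None
```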