07-25-2011 07:55 AM - edited 03-11-2019 02:03 PM
Guys,
Hope someone can assist, suspect it's a fairly simple issue that will highlight my lack of knowledge rather than anything else!
We have a BT Infinity broadband circuit which terminates at a VDSL modem. I've plugged an ASA 5505 into the back of this modem and gone through the ASDM quick setup wizard (yes I'm that much of a beginner!). The config that's been generated is pasted below; the symptoms I'm seeing are:
The ASA is setup with PPPOE on the internet connection, I assume this is correct as if I do a show IP on the ASA I'm getting an IP address that has been assigned, if I change the password to the wrong one then I get no IP (as expected).
If I ping from the ASA to an internet address I'm getting "no route" error messages; if I try a "ping outside x.x.x.x" then I get no responses.
The ASA can ping its external IP, the client machines can ping its internal IP, however nothing appears to be able to get out.
Unfortunately this thing isn't based on the site I'm located at and is a pain to get to, so if anyone can find the fault that's brilliant. However, if people have further questions that's great, but can you also give some options on what to do depending on the answers, as I'm hoping to only go back to site once!
ASA Version 8.4(1)
!
hostname xxxxxx
enable password xxxxxx encrypted
passwd xxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.200.3 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group Infinity
ip address pppoe
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group Infinity request dialout pppoe
vpdn group Infinity localname xxxxxx@hg43.btclick.com
vpdn group Infinity ppp authentication chap
vpdn username xxxxxx@hg43.btclick.com password *****
dhcpd auto_config outside
!
dhcpd address 192.168.200.7-192.168.200.134 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
04-21-2013 11:49 AM
11-07-2013 03:25 AM
The one thing many BT customers with static IP seem to be missing in the PPPoE - ASA equation is the "pppoe" option on the end of the ip address command. BT seem not to provide fixed IP based on the credentials, at least with some services, so it must be specified in the ip address command, which will then disable triggering PPPoE negotiation because it's no longer "ip address pppoe [setroute]". The "pppoe" option will again trigger that negotiation:
interface vlan1
ip address 81.137.x.x 255.255.255.248 pppoe setroute
will do the job nicely. May not be directly relevant to this question, but many seem to have this problem due to missing this command.
peter
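The two faults this thread turns on are both visible in the config text: a PPPoE outside interface whose "ip address" line has no "setroute" (and no separate "route outside 0.0.0.0 0.0.0.0 ..." either), so the ASA ends up with no default route, and a static address written without the "pppoe" keyword, so PPPoE negotiation never starts. The script below is an added example, not something posted in this thread, that reads an ASA-style config and reports both conditions before the box is shipped back to a remote site. The sample configs are constructed for the example (the 81.137.0.2/29 address is a placeholder in the range pattern the thread mentions, not a real allocation); function names are mine, and the parser only understands the small subset of config syntax shown.

```python
import re

# Constructed sample in the shape of the original poster's config:
# PPPoE on the outside VLAN, "ip address pppoe" with no setroute, no static default route.
SAMPLE_BROKEN = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.200.3 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group Infinity
 ip address pppoe
!
"""

# Same config with the fix the thread arrives at.
SAMPLE_FIXED = SAMPLE_BROKEN.replace("ip address pppoe", "ip address pppoe setroute")

# Static address entered without the "pppoe" keyword (placeholder address, constructed).
SAMPLE_STATIC_NO_PPPOE = SAMPLE_BROKEN.replace(
    "ip address pppoe", "ip address 81.137.0.2 255.255.255.248"
)


def parse_interfaces(config):
    """Return {nameif: {"pppoe_client": bool, "ip_line": str|None}} per interface block.

    Blocks are delimited by "interface ..." and a closing "!" line, as in running-config output.
    """
    blocks = {}
    current = None

    def flush():
        if current and current["nameif"]:
            blocks[current["nameif"]] = current

    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            flush()
            current = {"nameif": None, "pppoe_client": False, "ip_line": None}
            continue
        if line == "!":
            flush()
            current = None
            continue
        if current is None:
            continue
        if line.startswith("nameif "):
            current["nameif"] = line.split()[1]
        elif line.startswith("pppoe client "):
            current["pppoe_client"] = True
        elif line.startswith("ip address "):
            current["ip_line"] = line
    flush()
    return blocks


def has_static_default_route(config, outside):
    """True if a "route <outside> 0.0.0.0 0.0.0.0 <next-hop>" line exists."""
    pattern = re.compile(
        r"^\s*route\s+%s\s+0\.0\.0\.0\s+0\.0\.0\.0\s+\S+" % re.escape(outside), re.M
    )
    return pattern.search(config) is not None


def audit_pppoe_default_route(config):
    """Return a list of findings (empty list = the PPPoE interface looks routable)."""
    findings = []
    for name, iface in parse_interfaces(config).items():
        if not iface["pppoe_client"]:
            continue  # only PPPoE client interfaces are in scope
        ip_line = iface["ip_line"] or "<no ip address line>"
        tokens = ip_line.split()
        if "pppoe" not in tokens:
            findings.append(
                f"{name}: 'pppoe client' is set but '{ip_line}' lacks the 'pppoe' "
                f"keyword, so PPPoE negotiation is never triggered"
            )
            continue
        if "setroute" not in tokens and not has_static_default_route(config, name):
            findings.append(
                f"{name}: '{ip_line}' has no 'setroute' and there is no "
                f"'route {name} 0.0.0.0 0.0.0.0 <gw>', so the ASA has no default route"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in [("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED),
                       ("static-no-pppoe", SAMPLE_STATIC_NO_PPPOE)]:
        print(label, audit_pppoe_default_route(cfg) or "OK")
```

Run it against a saved "show running-config" and an empty result means the outside interface will either learn a default route from the PPPoE peer or has one configured explicitly; either finding is the "no route" symptom described at the top of the thread.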
10-18-2016 09:16 AM
Peter,
Thanks - this was driving me absolutely insane with the random "PFC Identity" error the ASA kept throwing up when I tried to do this by setting my equivalent 81.137.x.x/29 Static IP Range as a DMZ Interface. Apparently that's the ASA's way of telling you it didn't like the fact the traffic came in to a local interface it has, ingressed from another interface (i.e. uRPF/Reverse Path Forwarding checks).