05-25-2012 09:21 AM - edited 03-04-2019 04:28 PM
Hi, I'm sorry to ask, but have been battling with this for days now. I've been tasked with setting up an ASA 5505 on our ADSL modem & am very lost. I've put the PPPoE details into the ASA 5505 to authenticate with our ISP, but can't get out through it. I've looked at guides, videos, compared configs, but can't see where I'm going wrong. Can someone help please, I know it's supposed to be secure, but not quite this secure. I'm going crazy!
This is the current config...
: Saved
:
ASA Version 8.2(5)
!
hostname asa
enable password GuuH2OTIRWlZP8z3 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ADSL
ip address pppoe setroute
!
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1492
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group ADSL request dialout pppoe
vpdn group ADSL localname zen218339@zen
vpdn group ADSL ppp authentication chap
vpdn username zen218339@zen password ***** store-local
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:de68420cce338ff3b60f7b5ca5c35ce8
: end
no asdm history enable
Thanks.
05-25-2012 11:07 AM
John,
Your config looks fine to me. There are a couple of things that you'll need to do with your policy map. First of all, from the ASA, can you ping 4.2.2.1 successfully? If not, do a "vpdn session pppoe state" to see if your session is up. If you aren't up, then something is going on between the ASA and the provider. You could try changing the authentication to pap, because believe it or not there are still some providers out there that use it.
Otherwise, if you CAN ping 4.2.2.1 successfully, then add the following:
policy-map global_policy
class inspection_default
inspect http
inspect icmp
See if that will get you out.
** Edit **
Make sure that you have a DNS server assigned to your clients as well:
dhcpd dns
HTH,
John
Please rate useful posts...
05-25-2012 11:35 AM
Hi John,
Please try this.
show route
and look for an output as shown below.
Gateway of last resort is 64.230.200.143 to network 0.0.0.0
In my case, my default gateway happens to be 64.230.200.143.
If you still have the issue, then configure it just like I have on my ASA, shown below. I do not have an SVI (VLAN) interface for outside; rather, I go directly on the interface itself.
interface Ethernet0
nameif outside
security-level 0
pppoe client vpdn group bellnet
ip address pppoe setroute
vpdn group bellnet request dialout pppoe
vpdn group bellnet localname b1nkbaxx
vpdn group bellnet ppp authentication pap
vpdn username b1nkbaxx password ********* store-local
dhcpd dns 207.164.234.193 207.164.234.129
Let me know, if this helps.
thanks
Rizwan Rafeek
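The checks John and Rizwan describe, pulled together as one ordered session on the ASA 8.2 CLI; this is an added example, not the posters' own commands. It keeps the interface and group names from the original config (Vlan2, vpdn group ADSL); 198.51.100.53 stands in for the ISP's DNS resolver and "<ISP peer>" for the address the session learns, both placeholders.

```cisco
! 1. Is the PPPoE session actually up? If it never gets past discovery,
!    the problem is between the ASA and the ISP, not the firewall policy.
asa# show vpdn session pppoe state
asa# debug pppoe event            ! watch the PADI/PADO/PADR/PADS exchange live
asa# undebug all

! 2. Did "ip address pppoe setroute" install a default route? A session can be
!    up while traffic still has nowhere to go.
asa# show route | include Gateway of last resort
!    expected: Gateway of last resort is <ISP peer> to network 0.0.0.0

! 3. Reachability from the ASA itself, by IP, so DNS is not a factor yet.
asa# ping 4.2.2.1

! 4. ASA can ping but inside hosts cannot: stateful ICMP inspection matches
!    echo replies to echoes that left the inside, which is narrower than
!    permitting ICMP from the outside with an access-list.
asa# configure terminal
asa(config)# policy-map global_policy
asa(config-pmap)# class inspection_default
asa(config-pmap-c)# inspect icmp
asa(config-pmap-c)# inspect http
asa(config-pmap-c)# exit
asa(config-pmap)# exit

! 5. Hosts reach IPs but not names: hand them a resolver explicitly rather
!    than relying on "dhcpd auto_config outside" to learn one from PPPoE.
!    198.51.100.53 is a placeholder; use the ISP's resolver addresses.
asa(config)# dhcpd dns 198.51.100.53 interface inside

! 6. Session never comes up: the ISP may only do PAP. Change it, then bounce
!    the outside VLAN so the client re-authenticates.
asa(config)# vpdn group ADSL ppp authentication pap
asa(config)# interface Vlan2
asa(config-if)# shutdown
asa(config-if)# no shutdown
asa(config-if)# end
asa# show vpdn session pppoe state
asa# write memory
```

Stop at the first step that fails; every later step assumes the earlier ones passed.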