cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
969
Views
0
Helpful
2
Replies

Can't get through ASA 5505

John.Carson.75
Level 1
Level 1

Hi, I'm sorry to ask, but have been battling with this for days now.  I've been tasked with setting up an ASA 5505 on our ADSL modem & am very lost.  I've put the PPPoE details into the ASA 5505 to authenticate with our ISP, but can't get out through it.  I've looked at guides, videos, compared configs, but can't see where I'm going wrong.  Can someone help please, I know it's supposed to be secure, but not quite this secure.  I'm going crazy!

This is the current config...

: Saved
:
ASA Version 8.2(5)
!
hostname asa
enable password GuuH2OTIRWlZP8z3 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ADSL
ip address pppoe setroute
!
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1492
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group ADSL request dialout pppoe
vpdn group ADSL localname zen218339@zen
vpdn group ADSL ppp authentication chap
vpdn username zen218339@zen password ***** store-local
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:de68420cce338ff3b60f7b5ca5c35ce8
: end
no asdm history enable

Thanks.

2 Replies 2

John Blakley
VIP Alumni
VIP Alumni

John,

Your config looks fine to me. There are a couple of things that you'll need to do with your policy map. First of all, from the ASA, can you ping 4.2.2.1 successfully? If not, do a "vpdn session pppoe state" to see if your session is up. If you aren't up, the something is going on between the ASA and the provider. You could try changing the authentication to pap, because believe it or not there are still some providers out there that still use it.

Otherwise, if you CAN ping 4.2.2.1 successfully, then add the following:

policy-map global_policy

class inspection_default

inspect http

inspect icmp

See if that will get you out.

** Edit **

Make sure that you have a DNS server assigned to your clients as well:

dhcpd dns

HTH,

John

Please rate useful posts...

HTH, John *** Please rate all useful posts ***

rizwanr74
Level 7
Level 7

Hi John,

Please try this.

show route

and look for an output as shown below.

Gateway of last resort is 64.230.200.143 to network 0.0.0.0

In my case, my default-gateway happen to be at 64.230.200.143

If you still have the issue, then.

config just like I have on my ASA shown below and I do not have an SVI (vlan) interface for outside but rather, I go directly on the interface itself.

interface Ethernet0

nameif outside

security-level 0

pppoe client vpdn group bellnet

ip address pppoe setroute

vpdn group bellnet request dialout pppoe

vpdn group bellnet localname b1nkbaxx

vpdn group bellnet ppp authentication pap

vpdn username b1nkbaxx password ********* store-local

dhcpd dns 207.164.234.193 207.164.234.129

Let me know, if this helps.

thanks

Rizwan Rafeek

Review Cisco Networking for a $25 gift card