How to configure Cisco 877 in half-bridge mode

lap · ‎02-17-2011

Hi all,

I want to achieve the following setup:

So basically I have a C877 and a Cisco ASA 5505 and I want to push the public IP of the ISP to the outside interface of the ASA so the Cisco 877 will only be responsible for ADSL and PPPoA. Don't ask me why I don' t use a modem/router instead. I know that is a waste to use the C877 in this way but I want to test the setup.

Right now the config of the C877 regarding ADSL and PPPoA looks like that ( I don't have the ASA connected yet, so all the PC are connected directly to the C877 right now):

interface ATM0
no ip address
load-interval 30
no atm ilmi-keepalive
pvc 0/35
encapsulation aal5mux ppp dialer
dialer pool-member 1

interface Dialer1
ip address x.x.x.x 255.255.255.248
ip access-group OUTSIDEACL in
ip nat outside
ip inspect FWRule out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication chap pap callin
ppp chap hostname xxxxxxx
ppp chap password 0 xxxxxxx
ppp pap sent-username xxxxxx password 0 xxxxxxx

ip route 0.0.0.0 0.0.0.0 dialer 1

ip nat inside source route-map Nat interface Dialer1 overload

interface vlan 100 is my LAN configured with DHCP.

Has anyone any idea on how I should configure the C877 to push the public IP to the ASA?

Thanks in advance

Regards,

Laurent

lap · ‎02-18-2011

Hi,

Any ideas guys how I can realize this setup?

Regards,

Laurent

lap · ‎02-19-2011

H Guys,

No one?

I was thinking of doing that:

interface ATM0
no ip address
no ip route-cache
load-interval 30
no atm ilmi-keepalive
pvc 0/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl bitswap both
bridge-group 10

interface Dialer1
no ip address
ip virtual-reassembly
encapsulation ppp
no ip route-cache
dialer pool 1
ppp authentication chap pap callin
ppp pap sent-username X password 0 X
bridge-group 10

interface Vlan400
description ***Interface conneted to ASA***

no ip address
no ip route-cache
bridge-group 10

no ip routing

bridge 10 protocol ieee

On the ASA configure the OUTSIDE interface with the public IP but it is not working. I miss for sure something.

Any ideas?

Regards,

Laurent

lap · ‎02-20-2011

Hi Guys,

I forgot to mention that I only have one public IP (/32).

Regards,

Laurent

lap · ‎02-25-2011

Hi Guys,

No ideas?

Regards,

Laurent

snarahar · ‎03-09-2011

Hi Laurent,

I understand what you are trying to achieve, but I don't think this can be made to work. Let me explain why. First, lets review your topology:

ASA-----877------ISP

Suppose you set a static public IP on the ASA. For the ASA to be able to ping/communicate with the ISP, the first requirement is that the the ASA's IP needs to be on the same subnet as the ISP. Assuming that it is, then the next requirement is that the ISP should respond to arp.

Lets consider an example with ASA IP (not public, simply for example sake) is 10.1.1.5 and the ISP's IP is 10.1.1.1. When 10.1.1.5 (the ASA) tries to send packets to 10.1.1.1, it will first need to resolve its layer 2 address. However, ISPs may not respond to that. In our topology, if the ISP-side router happened to be a Cisco router, then this could be achieved by adding "ppp bridge ip" on the ISP interface facing your 877. What I've found when trying similar scenarios in the lab is that if "ppp bridge ip" is configured, the ISP will actually respond to the arp requests sent by the ASA.

The problem here is that you don't control the ISP router, of course. In this case, I am not sure if this configuration can be made to work given the routers in the setup. I know that this input may not be what you are looking for, but I'm simply sharing what I have found up until this point.

Regards,

Sridhar

lap · ‎03-15-2011

Hi Sridhar,

Thanks a lot for your post.

Do you have any configuration example regarding my setup. How I should configure the C877?

If one can configure a Zyxel to half-bridge I guess it may be possible with a Cisco 877?

Let me know.

Regards,

Laurent