How to assign a PIX Firewall an outside interface IP address with DHCP or PPPOE

TCC_2 · ‎06-22-2009

Core issue

Sometimes it is necessary to configure a PIX to dynamically obtain an outside interface IP address.

Resolution

To configure the PIX Firewall to dynamically obtain an IP address for the outside interface, use either:

DHCP
Point-to-Point Protocol over Ethernet (PPPOE)

Note: DHCP does not require a username and password, while PPPOE does. If your Internet Service Provider (ISP) has provided a username and password, it is likely PPPOE is currently being used.

To configure the outside interface for DHCP, issue the ip address outside dhcp retry 5 command.

For DHCP, do not add a default gateway statically; instead add a default route to the configuration with the [setroute] option in the ip address command. For example, to configure the outside interface for DHCP and add a default route to the PIX, issue the ip address outside dhcp setroute retry 5 command.

Configuration of the outside interface for PPPOE is more complex. In this configuration example, sanjose is the username and cisco123 is the password provided by the ISP:

   ip address outside pppoe setroute
   ! --- Specify PPPOE as the method to obtain the address for the outside interface.
   vpdn group xyz request dialout pppoe
   vpdn group xyz localname sanjose
   ! --- Note that the localname (sanjose) is the username the ISP provided.  
   vpdn group xyz ppp authentication pap
   vpdn username sanjose password cisco123
   ! --- Note that the password (cisco123) is the password the ISP provided.

If the PIX is configured properly, and there are still problems obtaining an address, check the cables. If necessary, use a different cable. Also, verify the configuration of the DHCP server or PPPOE endpoint.