Configuring pix 501 using pppoe

Posted on 2005-04-11
Last Modified: 2008-03-04
Ok.. First off. I do not know much at all about PIX configuration so please be easy on me if this is an easy fix.
Basically, I am trying to configure this pix correctly so I can access the internet, etc. I connect using pppoe and I am pretty sure that I set it up correctly in the config. I will paste it below. I just have one machine that I want to have access to the outside world. I can not ping ANYTHING beyond the firewall. I have a speed stream modem that SBC provided. Please let me know if there is any more information you need in order to help me out with this problem. Thanks!

interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password UI2uR.nM.8BH3.zE encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group ISP request dialout pppoe
vpdn group ISP localname lhuckaby
vpdn group ISP ppp authentication pap
vpdn username lhuckaby password ********
dhcpd address inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 100
Question by: onsite_tech

    Expert Comment

    Without access lists, no pings will go thru.

    access-list inbound permit icmp any any

    access-group inbound in interface outside

    That would allow pings through.

    The pppoe stuff looks good.

    Expert Comment

    This article explains everything you need to know about how to set up a 501 to use your pppoe client on a pix 501.

    Author Comment

    Ok... To minmei.... I did not think that I would have to set up an access list to ping outside of the network... I thought that by default all traffic can go out but not come back in unless you initialize the connection first. So what I can't figure out is why can't I get to the outside world??? If someone could look at my config and tell me why, it would be great. It is becoming so frustrating because I have wasted a LOT of hours trying to get it to work. Any ideas would be greatly appreciated. Thanks

    Expert Comment

    You are correct for tcp and udp ports, if the session is initiated from the inside, the PIX lets the traffic back. ICMP needs to be explicit, tho.

    Is the speed stream modem doing pppoe? Last customer I had with this config had the hardest time taking pppoe off the speedstream so the PIX could do it.

    If you plug in a PC directly behind the speedstream does it get an ip and get out to the internet?

    Author Comment

    Yes, when I plug my laptop directly behind the modem, I get an IP and I am able to access the internet. As soon as I hook up the Firewall, I can no longer access anything. I accessed the modem and it is set to PPPOE. Would I change this and if so what would I change it to? Any other ideas would be greatly appreciated!


    Expert Comment

    If you give me the model number of the speedstream I could get you the docs and try to lead you through the config...

    The PIX will never work doing PPPOE if the speedstream is already doing it.

    We could try another way and set up the pix behind the speedstream without pppoe. Your call.

    Author Comment

    Oh thank you.. I have a speed stream 5100.... Whichever way you think is easiest. :)


    Accepted Solution

    Here's the info on how to turn the ss5100 into an ethernet bridge to allow the PIX to do pppoe:

    How can I put the 5100b in bridge mode? (#8722)  
    A: The modem itself, with the shipped firmware, supports 3 modes; PPPoE on board, Bridge mode, Bridge mode with IP Address pass Issuance. To put the modem in Bridge mode do the following:

    1. In your web browser browse to » This address will be located on a yellow sticker on the bottom of your modem.

    2. The first screen will ask you for your Modem Access Code. This also will be located on the same yellow sticker.

    3. Select Advanced from the blue buttons on the left.

    4. Click the PPP locations button.

    5. The modem may ask you for the Modem Access Code again. If so type it in again and click continue.

    6. Select the radio button labeled, "Bridged Mode (PPPoE is not used)"

    7. Click Save Changes.

    8. A "PPP Location Warning" page will come up. Click "Change PPP Location."

    9. A "Restart Needed" page will come up. Click "Restart"

    10. Reboot your computer and router (if applicable.) You will now need some form of PPPoE software on your computer or a router that supports PPPoE. Be warned that even if you are using Enternet 300 or XP/OSX's built in PPPoE SBC tech support will not troubleshoot connectivity issues until you have put your modem back in PPPoE on board mode.
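
Added example, not part of the thread: a small Python check for the two config-side points discussed above, that the PIX's PPPoE client settings agree with each other and that an ACL on the outside interface lets ICMP replies back in. The sample config, its user name, password and inside address are constructed placeholders, and a clean result says nothing about whether the modem is still terminating PPPoE itself.

```python
import re

# Constructed sample in PIX 6.x syntax, modelled on the config in the question.
# User name, password and inside address are placeholders.
SAMPLE = """\
ip address outside pppoe setroute
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0 0
vpdn group ISP request dialout pppoe
vpdn group ISP localname exampleuser
vpdn group ISP ppp authentication pap
vpdn username exampleuser password EXAMPLE
"""

def grab(pattern, lines):
    """First capture group of every line that matches pattern."""
    return [m.group(1) for l in lines if (m := re.match(pattern, l))]

def audit(config):
    """Return findings about PPPoE client settings and ICMP return traffic."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    # PPPoE client: interface, dial-out group and credentials must agree.
    if grab(r"ip address outside (pppoe)\b", lines):
        groups = grab(r"vpdn group (\S+) request dialout pppoe$", lines)
        users = grab(r"vpdn username (\S+) password ", lines)
        if not groups:
            findings.append("pppoe: no 'vpdn group <name> request dialout pppoe'")
        for g in groups:
            pre = rf"vpdn group {re.escape(g)} "
            local = grab(pre + r"localname (\S+)", lines)
            if not local:
                findings.append(f"pppoe: group {g} has no localname")
            elif local[0] not in users:
                findings.append(f"pppoe: no 'vpdn username {local[0]}' entry")
            if not grab(pre + r"ppp authentication (\S+)", lines):
                findings.append(f"pppoe: group {g} has no ppp authentication")
    # As the thread notes, ICMP is not let back in automatically like TCP/UDP:
    # an ACL bound inbound on the outside interface has to permit it.
    bound = grab(r"access-group (\S+) in interface outside$", lines)
    icmp = [l.split() for l in lines
            if re.match(r"access-list \S+ permit icmp ", l) and l.split()[1] in bound]
    if not icmp:
        findings.append("icmp: no ACL on outside permits ICMP, ping replies are dropped")
    elif all(r[-1] == "any" or "." in r[-1] for r in icmp):
        # A rule ending in an address or 'any' names no ICMP type.
        findings.append("icmp: all ICMP types permitted; echo-reply is enough for ping")
    return findings
```

Run against the sample, `audit(SAMPLE)` reports only the missing ICMP rule; adding the two access-list lines from the first expert comment replaces that with the note that `echo-reply` alone would do.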
