stuart100 asked:
PPPOE Static IP ASA5505 config for ATT DSL

We have a working AT&T DSL line in a new facility.  We currently run an ASA5505 and it works fine.  We now need several static IP addresses, so we ordered them through AT&T.  They sent them to us and told us they were good to go.  We even called and verified that they were ready and assigned to our user ID.  The modem they installed is in bridging mode and all the PPPoE config is done at the firewall.

Here is the working non-static config; the IPs have been changed to protect their identity... lol

ASA Version 7.2(4)
!
hostname ASA
domain-name default.domain.invalid
enable password knVQLsp.3Bx635LI encrypted
passwd Uvwg2nW3FkbJWJGs encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.9.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group greensboro
 ip address pppoe setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list Outside-In extended permit icmp any any
access-list Outside-In extended permit tcp any any eq 3230
access-list Outside-In extended permit tcp any any eq 3231
access-list Outside-In extended permit udp any any eq 3232
access-list Outside-In extended permit udp any any eq 3233
access-list Outside-In extended permit udp any any eq 3234
access-list Outside-In extended permit udp any any eq 3235
access-list Outside-In extended permit tcp any any eq 3389
access-list Outside-In extended permit tcp any any eq 3232
access-list Outside-In extended permit tcp any any eq 3233
access-list Outside-In extended permit tcp any any eq 3234
access-list Outside-In extended permit tcp any any eq 3235
access-list Outside-In extended permit udp any any eq 3230
access-list Outside-In extended permit udp any any eq 3231
access-list Outside-In extended permit tcp any any eq h323
access-list Outside-In extended permit udp any any eq 8767
access-list Outside-In extended permit tcp any any eq 3603
access-list Outside-In extended permit udp any any eq 1718
access-list Outside-In extended permit udp any any eq 1719
access-list Outside-In extended permit udp any any eq 3236
access-list Outside-In extended permit udp any any eq 3237
access-list Outside-In extended permit udp any any eq 3238
access-list Outside-In extended permit udp any any eq 3239
access-list Outside-In extended permit udp any any eq 3240
access-list Outside-In extended permit udp any any eq 3241
access-list Outside-In extended permit udp any any eq 3242
access-list Outside-In extended permit udp any any eq 3243
access-list Outside-In extended permit udp any any eq 3244
access-list Outside-In extended permit udp any any eq 324
access-list Outside-In extended permit udp any any eq 3245
access-list Outside-In extended permit udp any any eq 3246
access-list Outside-In extended permit udp any any eq 3247
access-list Outside-In extended permit udp any any eq 3248
access-list Outside-In extended permit udp any any eq 3249
access-list Outside-In extended permit udp any any eq 3250
access-list Outside-In extended permit udp any any eq 3251
access-list Outside-In extended permit udp any any eq 3252
access-list Outside-In extended permit udp any any eq 3253
access-list Outside-In extended permit tcp any any eq 1718
access-list Outside-In extended permit tcp any any eq 1719
access-list 101 extended permit ip any 192.168.9.0 255.255.255.0
access-list 101 extended permit ip 192.168.9.0 255.255.255.0 172.19.0.0 255.255.0.0
access-list 102 extended permit ip 192.168.9.0 255.255.255.0 172.19.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
access-group Outside-In in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.9.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set GGS esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set GGS
crypto map VPNMAP 125 match address 102
crypto map VPNMAP 125 set peer 200.200.200.200
crypto map VPNMAP 125 set transform-set GGS
crypto map VPNMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 60
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
telnet 192.168.9.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
vpdn group greensboro request dialout pppoe
vpdn group greensboro localname ggsi@att.net
vpdn group greensboro ppp authentication pap
vpdn username ggsi@att.net password ********* store-local
dhcpd auto_config outside
!

tunnel-group 200.200.200.200 type ipsec-l2l
tunnel-group 200.200.200.200 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b42c3405efc97efcb9e31b3b2d73c181

___________________________

Now the block AT&T gave us is...

10.54.47.8 - 10.54.47.15 / 255.255.255.248
They note the following...
10.54.47.8  (Network Usable)
10.54.47.9  (Gateway Usable)
10.54.47.10  First Usable
10.54.47.11
10.54.47.12
10.54.47.13
10.54.47.14  Last Usable
10.54.47.15  (Broadcast Usable)

Of course this all makes sense, but every time we switch the firewall over to the static it does not create the PPPoE session; it shows as SESSION_SH as opposed to SESSION_UP.

The lines we are adding to the config are:
_______________________
route outside 0.0.0.0 0.0.0.0 10.54.47.9 1
interface Vlan2
 ip address 10.54.47.10 255.255.255.248 pppoe
________________________

We then write mem and restart the bridge and the firewall, and it does not work.  When we reset back to the config above we are back in business.

I have called AT&T and they swear their system is set up correctly....
Markus Braun

Hi, two things I wonder. Have you tried to just use

interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group greensboro
 ip address 10.54.47.10 255.255.255.248 (without pppoe back here)

And also, if you use
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group greensboro
 ip address pppoe setroute

what does it show under "show ip"?
stuart100 (ASKER)

Shirkan,

I have not tried the first of your two samples.  I will try that now...

As for the second:
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group greensboro
 ip address pppoe setroute

That is no different than what I have currently that works.  When we are running that config and do a show ip, it does not show our static; it shows one of their dynamic IPs and changes each time we restart the router and firewall.
ASKER CERTIFIED SOLUTION
Markus Braun
Yes, we have told them, and they told us that since we placed their modem in bridge mode (pass-through) they do not support third-party equipment.  Although they also admitted that many businesses set their modem to pass-through.   They did note that they have a department that we can pay to help us set up our firewall.
I tried the first option and it did not work...

interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group greensboro
 ip address 10.54.47.10 255.255.255.248 (without pppoe back here)

Sorry
OK, so we hooked up a laptop and guess what?  The laptop did not work on the static either...  Called AT&T and all of a sudden they found something wrong and had to recommit the IPs to our account, which will be done tomorrow.

Also called Cisco and there is nothing wrong with the config...

Thanks for the help!
You are welcome. I figured something like that, that they misassigned the IPs to the wrong router LOL
Same thing with me.... I've spent about 10 hours on the phone with AT&T over a 3-day period. I kept telling them that the static IP range they gave me is in use by someone else. I actually told them that if I RDP into the static it brings me to a server in a different company, different town. But of course they always say they're right. Finally, after 3 days they called me and told me that the IPs they gave me were already assigned and gave me a new block; then after 24 hours they still weren't activated when they said they were. You can never get a technical rep on the phone either, only level one, which doesn't help.