Solved

PPPOE Static IP ASA5505 config for ATT DSL

Posted on 2009-04-14
Last Modified: 2013-12-14
We have a working AT&T DSL line in a new facility.  We currently run an ASA5505 and it works fine.  We now need several static IP addresses, so we ordered them through AT&T.  They sent them to us and told us they were good to go.  We even called and verified that they were ready and assigned to our user ID.  The modem they installed is in bridging mode and all the PPPoE config is done at the firewall.

Here is the working non-static config (the IPs have been changed to protect their identity... lol):

ASA Version 7.2(4)
!
hostname ASA
domain-name default.domain.invalid
enable password knVQLsp.3Bx635LI encrypted
passwd Uvwg2nW3FkbJWJGs encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.9.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group greensboro
 ip address pppoe setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!            
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list Outside-In extended permit icmp any any
access-list Outside-In extended permit tcp any any eq 3230
access-list Outside-In extended permit tcp any any eq 3231
access-list Outside-In extended permit udp any any eq 3232
access-list Outside-In extended permit udp any any eq 3233
access-list Outside-In extended permit udp any any eq 3234
access-list Outside-In extended permit udp any any eq 3235
access-list Outside-In extended permit tcp any any eq 3389
access-list Outside-In extended permit tcp any any eq 3232
access-list Outside-In extended permit tcp any any eq 3233
access-list Outside-In extended permit tcp any any eq 3234
access-list Outside-In extended permit tcp any any eq 3235
access-list Outside-In extended permit udp any any eq 3230
access-list Outside-In extended permit udp any any eq 3231
access-list Outside-In extended permit tcp any any eq h323
access-list Outside-In extended permit udp any any eq 8767
access-list Outside-In extended permit tcp any any eq 3603
access-list Outside-In extended permit udp any any eq 1718
access-list Outside-In extended permit udp any any eq 1719
access-list Outside-In extended permit udp any any eq 3236
access-list Outside-In extended permit udp any any eq 3237
access-list Outside-In extended permit udp any any eq 3238
access-list Outside-In extended permit udp any any eq 3239
access-list Outside-In extended permit udp any any eq 3240
access-list Outside-In extended permit udp any any eq 3241
access-list Outside-In extended permit udp any any eq 3242
access-list Outside-In extended permit udp any any eq 3243
access-list Outside-In extended permit udp any any eq 3244
access-list Outside-In extended permit udp any any eq 324
access-list Outside-In extended permit udp any any eq 3245
access-list Outside-In extended permit udp any any eq 3246
access-list Outside-In extended permit udp any any eq 3247
access-list Outside-In extended permit udp any any eq 3248
access-list Outside-In extended permit udp any any eq 3249
access-list Outside-In extended permit udp any any eq 3250
access-list Outside-In extended permit udp any any eq 3251
access-list Outside-In extended permit udp any any eq 3252
access-list Outside-In extended permit udp any any eq 3253
access-list Outside-In extended permit tcp any any eq 1718
access-list Outside-In extended permit tcp any any eq 1719
access-list 101 extended permit ip any 192.168.9.0 255.255.255.0
access-list 101 extended permit ip 192.168.9.0 255.255.255.0 172.19.0.0 255.255.0.0
access-list 102 extended permit ip 192.168.9.0 255.255.255.0 172.19.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
access-group Outside-In in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.9.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set GGS esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set GGS
crypto map VPNMAP 125 match address 102
crypto map VPNMAP 125 set peer 200.200.200.200
crypto map VPNMAP 125 set transform-set GGS
crypto map VPNMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 60
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
telnet 192.168.9.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
vpdn group greensboro request dialout pppoe
vpdn group greensboro localname ggsi@att.net
vpdn group greensboro ppp authentication pap
vpdn username ggsi@att.net password ********* store-local
dhcpd auto_config outside
!

tunnel-group 200.200.200.200 type ipsec-l2l
tunnel-group 200.200.200.200 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b42c3405efc97efcb9e31b3b2d73c181

___________________________

Now the block AT&T gave us is...

10.54.47.8 - 10.54.47.15 / 255.255.255.248
They note the following...
10.54.47.8  (Network Useable)
10.54.47.9  (Gateway Useable)
10.54.47.10  First Useable
10.54.47.11
10.54.47.12
10.54.47.13
10.54.47.14  Last Useable
10.54.47.15  (Broadcast Useable)

Of course this all makes sense, but every time we switch the firewall over to the static it does not create the PPPoE session; it shows as SESSION_SH as opposed to SESSION_UP.

The lines we are adding to the config are:
_______________________
route outside 0.0.0.0 0.0.0.0 10.54.47.9 1
interface Vlan2
ip address 10.54.47.10 255.255.255.248 pppoe
________________________

We then write mem and restart the bridge and the firewall, and it does not work.  When we reset back to the config above we are back in business.

I have called AT&T and they swear their system is setup correctly....
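Added example, not part of the poster's config and not a Cisco tool: a small Python audit over a constructed excerpt of the config above, checking that the static address, mask and default gateway AT&T supplied are self-consistent (the part the poster can verify without AT&T) and listing the management-exposure and crypto settings in the posted config that a reviewer would want to revisit. The function names are hypothetical, and the address check assumes the excerpt holds only the outside interface's `ip address` line.

```python
import ipaddress
import re

# Constructed excerpt, not the poster's full dump: the outside interface with the
# AT&T static block as the poster tried it, plus the posted management/crypto lines.
SAMPLE_CONFIG = """\
interface Vlan2
 pppoe client vpdn group greensboro
 ip address 10.54.47.10 255.255.255.248 pppoe
route outside 0.0.0.0 0.0.0.0 10.54.47.9 1
ssh 0.0.0.0 0.0.0.0 outside
telnet 192.168.9.0 255.255.255.0 inside
crypto ipsec transform-set GGS esp-des esp-md5-hmac
crypto isakmp policy 60
 encryption des
 hash md5
 group 1
vpdn group greensboro ppp authentication pap
"""

def check_static_block(config):
    """Is the static outside address consistent with its mask and default gateway?"""
    addr = re.search(r"^ ip address (\S+) (\S+)", config, re.M)
    gw = re.search(r"^route outside 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M)
    if not addr or not gw:
        return False, ["missing outside ip address or default route"]
    iface = ipaddress.ip_interface(f"{addr[1]}/{addr[2]}")
    net, gateway = iface.network, ipaddress.ip_address(gw[1])
    reasons = []
    if iface.ip in (net.network_address, net.broadcast_address):
        reasons.append("address is the network or broadcast address")
    if gateway not in net or gateway == iface.ip:
        reasons.append("default gateway must be another host in the same /%d" % net.prefixlen)
    return not reasons, reasons

# Pattern -> finding; regex groups are substituted into the message.
WEAK = {
    r"^ssh 0\.0\.0\.0 0\.0\.0\.0 (\S+)": "SSH management open to any source on {0}",
    r"^telnet \S+ \S+ (\S+)": "cleartext telnet management enabled on {0}",
    r"esp-des": "IPsec transform-set uses single DES",
    r"^ encryption des$": "ISAKMP policy uses single DES",
    r"^ hash md5$": "ISAKMP policy uses MD5",
    r"^ group 1$": "ISAKMP policy uses DH group 1 (768-bit)",
    r"ppp authentication pap$": "PPPoE password sent with PAP (cleartext on the link)",
}

def audit(config):
    """Return one finding per weak or exposed setting present in the config."""
    return [msg.format(*m.groups())
            for pattern, msg in WEAK.items()
            if (m := re.search(pattern, config, re.M))]
```

On the poster's block the address check passes, which is consistent with the later finding that the problem sat on AT&T's side rather than in the config.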

Expert Comment

by:shirkan
ID: 24138322
Hi, two things I wonder: have you tried to just use

interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group greensboro
 ip address 10.54.47.10 255.255.255.248 (without pppoe back here)

and also, if you use
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group greensboro
 ip address pppoe setroute

what does it show under "show ip"?

Author Comment

by:stuart100
ID: 24138447
Shirkan,

I have not tried the first of your two samples.  I will try that now...

As for the second
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group greensboro
 ip address pppoe setroute

That is no different than what I have currently that works.  When we are running that config and do a show IP, it does not show our static; it shows one of their dynamic IPs, which changes each time we restart the router and firewall.

Accepted Solution

by:
shirkan earned 500 total points
ID: 24139142
Hm, strange. If it is set up with a static range, it really should be configured at the modem and you should only need to set the IP address on your Vlan2; I have some doubt that AT&T did this right.
Have you told them that you have a Cisco ASA and that it does not work the way they told you? They should be able to help you out, since they are the only guys that really know what's going on inside their network.

Author Comment

by:stuart100
ID: 24139706
Yes, we have told them, and they told us that since we placed their modem in bridge mode (pass-through) they do not support third-party equipment, although they also admitted that many businesses set their modem to pass-through.  They did note that they have a department that we can pay to help us set up our firewall.

Author Comment

by:stuart100
ID: 24140933
I tried the first option and it did not work...

interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group greensboro
 ip address 10.54.47.10 255.255.255.248 (without pppoe back here)

Sorry

Author Comment

by:stuart100
ID: 24144154
OK, so we hooked up a laptop and guess what?  The laptop did not work on the static either...  Called AT&T and all of a sudden they found something wrong and had to recommit the IPs to our account, which will be done tomorrow.

Also called Cisco and there is nothing wrong with the config...

Thanks for the help!

Expert Comment

by:shirkan
ID: 24148739
You are welcome. I figured something like that, that they misassigned the IPs to the wrong router LOL

Expert Comment

by:tolinrome
ID: 25262360
Same thing with me.... I've spent about 10 hours on the phone with AT&T over a 3-day period. I kept telling them that the static IP range they gave me is in use by someone else. I actually told them that if I RDP into the static it brings me to a server in a different company, different town. But of course they always say they're right. Finally, after 3 days, they called me and told me that the IPs they gave me were already assigned and gave me a new block; then after 24 hours they still weren't activated when they said they were. You can never get a technical rep on the phone either, only level one, which doesn't help.