stuart100
asked on
PPPOE Static IP ASA5505 config for ATT DSL
We have a working AT&T DSL line in a new facility. We currently run an ASA5505 and it works fine. We now need several static IP addresses, so we ordered them through AT&T. They sent them to us and told us they were good to go. We even called and verified that they were ready and assigned to our user ID. The modem they installed is in bridging mode and all the PPPoE config is done at the firewall.
Here is the working non-static config; the IPs have been changed to protect their identity.. lol
ASA Version 7.2(4)
!
hostname ASA
domain-name default.domain.invalid
enable password knVQLsp.3Bx635LI encrypted
passwd Uvwg2nW3FkbJWJGs encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.9.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group greensboro
ip address pppoe setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list Outside-In extended permit icmp any any
access-list Outside-In extended permit tcp any any eq 3230
access-list Outside-In extended permit tcp any any eq 3231
access-list Outside-In extended permit udp any any eq 3232
access-list Outside-In extended permit udp any any eq 3233
access-list Outside-In extended permit udp any any eq 3234
access-list Outside-In extended permit udp any any eq 3235
access-list Outside-In extended permit tcp any any eq 3389
access-list Outside-In extended permit tcp any any eq 3232
access-list Outside-In extended permit tcp any any eq 3233
access-list Outside-In extended permit tcp any any eq 3234
access-list Outside-In extended permit tcp any any eq 3235
access-list Outside-In extended permit udp any any eq 3230
access-list Outside-In extended permit udp any any eq 3231
access-list Outside-In extended permit tcp any any eq h323
access-list Outside-In extended permit udp any any eq 8767
access-list Outside-In extended permit tcp any any eq 3603
access-list Outside-In extended permit udp any any eq 1718
access-list Outside-In extended permit udp any any eq 1719
access-list Outside-In extended permit udp any any eq 3236
access-list Outside-In extended permit udp any any eq 3237
access-list Outside-In extended permit udp any any eq 3238
access-list Outside-In extended permit udp any any eq 3239
access-list Outside-In extended permit udp any any eq 3240
access-list Outside-In extended permit udp any any eq 3241
access-list Outside-In extended permit udp any any eq 3242
access-list Outside-In extended permit udp any any eq 3243
access-list Outside-In extended permit udp any any eq 3244
access-list Outside-In extended permit udp any any eq 324
access-list Outside-In extended permit udp any any eq 3245
access-list Outside-In extended permit udp any any eq 3246
access-list Outside-In extended permit udp any any eq 3247
access-list Outside-In extended permit udp any any eq 3248
access-list Outside-In extended permit udp any any eq 3249
access-list Outside-In extended permit udp any any eq 3250
access-list Outside-In extended permit udp any any eq 3251
access-list Outside-In extended permit udp any any eq 3252
access-list Outside-In extended permit udp any any eq 3253
access-list Outside-In extended permit tcp any any eq 1718
access-list Outside-In extended permit tcp any any eq 1719
access-list 101 extended permit ip any 192.168.9.0 255.255.255.0
access-list 101 extended permit ip 192.168.9.0 255.255.255.0 172.19.0.0 255.255.0.0
access-list 102 extended permit ip 192.168.9.0 255.255.255.0 172.19.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
access-group Outside-In in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.9.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set GGS esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set GGS
crypto map VPNMAP 125 match address 102
crypto map VPNMAP 125 set peer 200.200.200.200
crypto map VPNMAP 125 set transform-set GGS
crypto map VPNMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 60
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
telnet 192.168.9.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
vpdn group greensboro request dialout pppoe
vpdn group greensboro localname ggsi@att.net
vpdn group greensboro ppp authentication pap
vpdn username ggsi@att.net password ********* store-local
dhcpd auto_config outside
!
tunnel-group 200.200.200.200 type ipsec-l2l
tunnel-group 200.200.200.200 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b42c3405efc97efcb9e31b3b2d73c181
__________________________ _
Now the block AT&T gave us is...
10.54.47.8 - 10.54.47.15 / 255.255.255.248
They note the following...
10.54.47.8 (Network Usable)
10.54.47.9 (Gateway Usable)
10.54.47.10 First Usable
10.54.47.11
10.54.47.12
10.54.47.13
10.54.47.14 Last Usable
10.54.47.15 (Broadcast Usable)
Of course this all makes sense, but every time we switch the firewall over to the static IP it does not create the PPPoE session; it shows as SESSION_SH as opposed to SESSION_UP.
The lines we are adding to the config are:
_______________________
route outside 0.0.0.0 0.0.0.0 10.54.47.9 1
interface Vlan2
ip address 10.54.47.10 255.255.255.248 pppoe
________________________
We then write mem and restart the bridge and the firewall, and it does not work. When we reset back to the config above we are back in business.
I have called AT&T and they swear their system is set up correctly....
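Two things are worth checking mechanically before the next call to the ISP: that the static lines being added actually agree with the block AT&T handed out (right mask, host address inside the usable range, default route pointing at the gateway they named), and what the working config exposes on its own. The script below is an added example for this thread, not something posted by the asker or any respondent. The block and config excerpt are constructed from the question's text; the "first host is the gateway" convention is taken from AT&T's note in the question and is an assumption in the code; the audit rule set is constructed and only covers settings that appear in the posted config (SSH open to any source on outside, permit icmp any any inbound, and the DES/MD5/group 1 IKE and IPsec parameters).

```python
import ipaddress
import re

# Constructed sample input: the static block as AT&T described it in the
# question, and the two lines the asker proposed adding to the ASA config.
ATT_BLOCK = "10.54.47.8 - 10.54.47.15 / 255.255.255.248"
PROPOSED_LINES = [
    "route outside 0.0.0.0 0.0.0.0 10.54.47.9 1",
    "interface Vlan2",
    " ip address 10.54.47.10 255.255.255.248 pppoe",
]

# Constructed excerpt of the working config from the question, limited to
# the lines the audit rules below look at.
WORKING_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group greensboro
 ip address pppoe setroute
access-list Outside-In extended permit icmp any any
crypto ipsec transform-set GGS esp-des esp-md5-hmac
crypto isakmp policy 60
 encryption des
 hash md5
 group 1
telnet 192.168.9.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""


def parse_block(text):
    """Parse 'first - last / mask' into the addresses the ISP labelled.
    Assumption (from the question): the first host is the ISP gateway and
    the remaining hosts are ours to use."""
    m = re.match(r"\s*(\S+)\s*-\s*(\S+)\s*/\s*(\S+)\s*$", text)
    if not m:
        raise ValueError(f"unrecognised block format: {text!r}")
    first, last, mask = m.groups()
    net = ipaddress.ip_network(f"{first}/{mask}", strict=True)
    if ipaddress.ip_address(last) != net.broadcast_address:
        raise ValueError("last address does not match the network mask")
    hosts = [str(h) for h in net.hosts()]
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "gateway": hosts[0],
        "first_usable": hosts[1],
        "last_usable": hosts[-1],
        "broadcast": str(net.broadcast_address),
        "usable": hosts[1:],
    }


def check_proposed(lines, block):
    """Check the static-IP lines against the parsed block.  Returns a list
    of problems; empty means the addressing agrees with the ISP's block
    (which, as the thread shows, does not prove the ISP side is provisioned)."""
    problems = []
    for raw in lines:
        line = raw.strip()
        m = re.match(r"ip address (\S+) (\S+) pppoe$", line)
        if m:
            addr, mask = m.groups()
            if addr not in block["usable"]:
                problems.append(f"{addr} is not a usable host in the block")
            if mask != block["mask"]:
                problems.append(f"mask {mask} differs from block mask {block['mask']}")
            continue
        m = re.match(r"route outside 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line)
        if m and m.group(1) != block["gateway"]:
            problems.append(f"default route via {m.group(1)}, ISP gateway is {block['gateway']}")
    return problems


# Constructed rule set: (regex matched against one config line, finding).
AUDIT_RULES = [
    (r"^ssh 0\.0\.0\.0 0\.0\.0\.0 outside$",
     "SSH management reachable from any source on outside; restrict to admin addresses"),
    (r"^access-list \S+ extended permit icmp any any$",
     "inbound ACL permits every ICMP type from any source; limit to the types needed"),
    (r"^crypto ipsec transform-set \S+ esp-des\b", "IPsec transform set uses single DES"),
    (r"^\s*encryption des$", "IKE policy uses single DES"),
    (r"^\s*hash md5$", "IKE policy uses MD5"),
    (r"^\s*group 1$", "IKE policy uses DH group 1 (768-bit)"),
]


def audit_config(text):
    """Return one finding string per config line that matches an audit rule."""
    findings = []
    for line in text.splitlines():
        for pattern, msg in AUDIT_RULES:
            if re.match(pattern, line):
                findings.append(f"{line.strip()!r}: {msg}")
    return findings


if __name__ == "__main__":
    block = parse_block(ATT_BLOCK)
    print("block:", {k: block[k] for k in ("network", "gateway", "first_usable", "last_usable", "broadcast")})
    print("proposed lines:", check_proposed(PROPOSED_LINES, block) or "consistent with the block")
    for finding in audit_config(WORKING_CONFIG):
        print("finding:", finding)
```

For the block in the question the checker reports no addressing problems, which matches the outcome of the thread: the config was fine and the ISP had not actually committed the addresses. The audit findings are independent of the static-IP change and apply to the working config as posted.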
ASKER
Shirkan,
I have not tried the first of your two samples. I will try that now...
As for the second
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group greensboro
ip address pppoe setroute
That is no different than what I have currently that works. When we are running that config and do a show ip, it does not show our static; it shows one of their dynamic IPs, and it changes each time we restart the router and firewall.
ASKER
Yes, we have told them, and they told us that since we placed their modem in bridge mode (pass through) they do not support third-party equipment. Although they also admitted that many businesses set their modem to pass through. They did note that they have a department that we can pay to help us set up our firewall.
ASKER
I tried the first option and it did not work...
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group greensboro
ip address 10.54.47.10 255.255.255.248 (without pppoe back here)
Sorry
ASKER
Ok, so we hooked up a laptop and guess what? The laptop did not work on the static either... Called AT&T and all of a sudden they found something wrong and had to recommit the IPs to our account, which will be done tomorrow.
Also called Cisco and there is nothing wrong with the config...
Thanks for the help!
You are welcome. I figured something like that, that they misassigned the IPs to the wrong router LOL
Same thing with me.... I've spent about 10 hours on the phone with AT&T over a 3 day period. I kept telling them that the static IP range they gave me is in use by someone else. I actually told them that if I RDP into the static it brings me to a server in a different company, different town. But of course they always say they're right. Finally after 3 days they called me and told me that the IPs they gave me were already assigned and gave me a new block, then after 24 hours they still weren't activated when they said they were. You can never get a technical rep on the phone either, only level one, which doesn't help.
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group greensboro
ip address 10.54.47.10 255.255.255.248 (without pppoe back here)
And also, if you use
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group greensboro
ip address pppoe setroute
what does it show under "show ip"?