ditobot

Problem with static IP block assignment using PPPOE on Cisco ASA5505

I am unable to configure static IPs using the PPPOE configuration in my Cisco ASA5505.

I used the following link to set up the PPPOE on my interface VLAN2:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/pppoe.html#wpxref85837

My block is configured with 8 IPs:

gateway: 63.x.x.222
subnet: 255.255.255.248

Every time I try, I enter the following line under the interface vlan2 (ip address 63.x.x.221 255.255.255.248 pppoe) and it defaults to ip address 63.x.x.221 255.255.255.255 pppoe. I have entered the info using telnet and the ASDM and it always defaults back to 255.255.255.255.

Here are the important lines in my config:

route outside 0.0.0.0 0.0.0.0 63.x.x.222 1

I have tried the following:

interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group pppoe_qwest
 ip address pppoe

and

interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group pppoe_qwest
 ip address 63.x.x.221 255.255.255.248 pppoe

Strangely enough, when I use the 'show ip address outside pppoe' command on the first config with the setroute command, it comes up with the gateway address 63.x.x.222 255.255.255.255 pppoe.


Any ideas why I can't put in the proper gateway subnet to allow access to my assigned static IP addresses?
gavving

This is due to the way PPPOE works.  If you enable PPPOE then you'll get the settings that the remote side assigns.  I would bet that you can go ahead and allocate the static IP numbers that you think you should be able to use and they might work.  You might have to contact Qwest about it as well, as they have to have their equipment set to allocate the correct IP block size to your equipment.
ditobot

ASKER

I checked with my provider and, big surprise, they say that everything is fine on their end. It may be, but they are very elusive due to the fact that I am not using their cheap built-in router that comes bundled with the DSL modem.

I remember reading that you are unable to use a static address only if you use the command line:

ip address pppoe setroute

I used that initially to set up the interface but have since changed it to:

ip address pppoe
and
ip address 63.xxx.xxx.221 255.255.255.248 pppoe

The second line should work according to the Cisco documentation, and I guess it half does. I can change the IP address to whatever static I wish, but the subnet defaults to 255.255.255.255 every time, no matter which IP address I use.

I was able to put in the proper subnet on the Actiontec Q1000 when I took it out of bridged mode to test it last night. But as soon as I bridge the Actiontec and use my Cisco for pppoe authentication I run into the same problem.
ditobot

ASKER

Oh, and the rest of my block of statics are definitely not making it past my Cisco ASA5505.
Maybe it's possible to pass the static IPs through the Actiontec and let it do the PPPOE authentication?
http://www.qwest.net/help/set_cisco_675.html  That URL has a section which talks about configuring a static IP block on the Actiontec 1520; I don't know if that's going to be the same as your Q1000 or not, though.  From the walkthrough it looks like it has instructions to disable NAT and disable DHCP; that might allow you to use the IP block through the Actiontec while it terminates the PPPOE session.  I'm not positive though, sorry.
ditobot

ASKER

Qwest offered a few suggestions, all of which I don't seem to have any control over in the ASA5505.

They seemed to be perplexed at why my router connected but the subnet reset to 255.255.255.255 upon authentication. I removed the ASA5505 from the DSL modem and put in the pppoe ip address and it took and held until I plugged it into the DSL modem, at which time it reverted immediately back to 255.255.255.255.

I have a VDSL2 service through them and the ATM encapsulation should be LLC (they refer to it as the vcmux).

The vpi/vci should be 0/35
It should be in mmode (multimode)
and they mentioned (most importantly) that the interface should be unnumbered

I know these settings are configurable in a lot of devices, but as near as I can tell there are no commands to configure any of these settings. Worse yet, I'm not entirely sure what the defaults are on the ASA5505. Most of these settings would prevent my Cisco device from even authenticating, however, so it is difficult to tell what, if any, of these might be a problem.

They said that they have never seen this behavior before, between all of the techs on duty at the time. That is always welcome news but leaves me even more confused. For the record their support was awesome as they went through a lot of troubleshooting even though they didn't have to. I can use the Q1000 for the pppoe authentication but it will eat up a static in my block of IPs and I will go that route as a last ditch effort but I would really love to get to the bottom of this if at all possible.

Any suggestions are greatly appreciated based on the new information.
Those ATM settings they gave you have to be configured on the DSL modem that you have; it will be the one doing the termination of that connection and should be bridging the rest of the traffic through to your firewall.

I did find this webpage which gives some hints of an alternate configuration:
http://www.bitplumber.net/2009/04/qwest-dsl-installation-with-actiontec-m1000/

"If you get a block of static IP’s, the modem still does PPPoA/PPPoE to  the Qwest network, though it runs the PPP session in “un-numbered” mode  and binds a real Internet IP to the LAN side of the modem.  The modem  must be set into routing mode in this case."

That would indicate that it's possible to terminate the PPPOE with the modem, and have it use the Internet IPs to the LAN side.  Then you can easily configure your ASA to use those Internet IPs in a direct static configuration (without using DHCP).

Hopefully that might help some. Wish I could be more specific, but I've never seen the modem before or its admin interface...

ditobot

ASKER

I am getting a SmartNet contract for my ASA5505 so I can get this sorted out. I just want to be sure that I am not missing something. I just can't get past the fact that I can authenticate and that I can input whatever static IP I wish for my interface but that the subnet defaults to a single static IP upon authentication.

I have been through all of the settings on the Q1000 and found that it is using PTM instead of ATM (I can't seem to change that, it defaults to PTM), it is in multimode, and when I am using the modem to configure the statics it explicitly states that it is in unnumbered mode, but I am assuming that in bridged mode it just passes the request straight to my ASA5505.

I turned on logging in debugging mode and tried to set the static with the 248 subnet to see if I could figure out where or why it was being trumped by the 255 subnet, but there just isn't enough information in the log even when I enabled pppoe logging in the CLI. I can see the pppoe request but there are no details in the log about the handshake and the IP assignment.
What should be happening when you have it configured like what is indicated in the link I sent should be:
Q1000 terminates the ATM connection and does PPPOA/PPPOE authentication
It's configured for unnumbered and thus the WAN interface does not have an assigned IP
The LAN interface on the modem gets assigned the static IP block with the correct subnet mask

Then you can configure your firewall with a static external interface and a gateway that points directly to the modem static IP on its LAN interface.

At least that's how I think it should work.  The modem may or may not support that configuration.
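
Added example (not part of the original thread, and not a tested configuration from any poster): the ASA side of the layout described in the reply above, written in the pre-8.3 ASA syntax that matches the 7.2 guide linked in the question. It assumes the modem is in routed, unnumbered mode and holds 63.x.x.222 on its LAN side; the inside interface name, the address 63.x.x.220, the host 192.168.1.10 and the ACL name outside_in are hypothetical.

```text
! Constructed example for a pre-8.3 ASA 5505; not from the thread.
! Assumes the modem terminates PPPoE and holds 63.x.x.222 on its LAN side.
!
! Outside interface: plain static address from the /29. There is no
! "pppoe client vpdn group" line and no "pppoe" keyword, because the
! ASA no longer negotiates its address over PPP.
interface Vlan2
 nameif outside
 security-level 0
 ip address 63.x.x.221 255.255.255.248
!
! Default route to the modem's LAN address (same line as in the question).
route outside 0.0.0.0 0.0.0.0 63.x.x.222 1
!
! Publish one more address from the block for a single inside server.
! 63.x.x.220, 192.168.1.10 and outside_in are hypothetical values.
static (inside,outside) 63.x.x.220 192.168.1.10 netmask 255.255.255.255
! Permit only the one service that must be reachable from the Internet.
access-list outside_in extended permit tcp any host 63.x.x.220 eq https
access-group outside_in in interface outside
!
! Checks from the ASA CLI after applying:
!   show ip address          (outside should list mask 255.255.255.248)
!   show route               (default route via 63.x.x.222)
!   ping outside 63.x.x.222  (modem LAN address answers)
```

Only one ACL can be bound per interface and direction, so if an ACL is already applied inbound on outside, add the permit line to that ACL instead of binding a new one.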