Cisco router and/or ASA connectivity through DSL

A customer currently has two sites with DSL connections to the Internet, and Nortel BSR222 routers sitting behind them, configured with a site-to-site VPN.  We need to replace these Nortel systems with a Cisco solution, so I'm thinking ASA firewalls on each end:

Site1  ->  ASA ->  DSL modem ->> Internet ->>  DSL modem ->  ASA -> Site2

I'm relatively new to business DSL, and I need to know if this can be made to work, and if not, why.  Specifically:

1) The DSL modem will provide an Ethernet hand-off, so the ASAs will not need to have any direct knowledge of DSL operation/negotiation, correct?   The ASA sees only Ethernet, and won't require any DSL client commands of any sort?

2) I've heard/read that some DSL modems can operate in either bridged or routed mode - in the scenario above, I would choose to use bridged mode, and have the public IPs for the site-to-site VPNs terminate on the ASAs, correct?

3) I've heard/read that authentication is often used in business DSL environments.  How would this be performed in the above scenario?  Would the ASA be authenticating the DSL head-end at the carrier?   And what form of authentication?  (PPP/CHAP?   PPPoE, etc.)

Thank you, and references/links are always appreciated.


cfan73Asked:

wwakefieldCommented:
-I use DSL at 50 sites across 14 countries.   SERVER---ASA---DSL MODEM---WALL

The DSL modem functions 3 ways for me depending on what country:

1.   Modem is bridge and ASA does VPDN dial-out with PPPOE
2.   DSL username and Pass is in Modem with a static IP assigned.  The ASA has another static and ROUTES to the Modem that routes to the world.  This is in the UK.
3.   DSL modem is bridge with static route in ASA.

The easiest and I think most common in the US is option 1 with the VPDN lines with the username and pass in the ASA along with the PPPOE statement.

In the cases where the Modem handles the dial out, make sure you have that device's firewall turned off.

wwakefieldCommented:
Note when the ASA is doing the dial out, set MTU 1492
cfan73Author Commented:
Thanks for the great responses!   A few follow-ups for clarification, if I may:

3) suggests that you can connect an ASA (or router/whatever, for that matter) directly to the DSL modem's Ethernet hand-off, and connect (assuming a static/default route) without any PPPoE configuration at all.  Is this really correct?

I assume that 1) is preferred so that you can protect the connection with authentication, yes?  In this case, the ASA is authenticating to the head-end across the provider link (as opposed to the DSL modem itself, which is simply a pass-through bridge).  Also correct?

Lastly, the company we're trying to help here is replacing these Nortel routers w/ our new Cisco gear.  If authentication (PPPoE) has been configured, and the customer (or we) don't know the config to build out the ASA properly, I assume a call to the carrier is necessary (and they could provide us with the necessary info if we give them the DSL identification (phone) number)?

Thank you!!  

wwakefieldCommented:
The way the connection is handled depends on the carrier.

Option 3 is correct in one of my locations and I will validate in a couple hours.  It is definitely true at the sites where I use cable.   At those sites, I just register the MAC of the modem.   I will pull up the running configs.

Note if you are unable to see the configs in the Nortel routers in clear text, you will need to contact the provider.   In fact, I recommend contacting the provider regardless.  They will give you the correct answer of PPPOE etc. and save you the guess work.

If you are trying to avoid contacting the carrier, you could have that company give you the make and model of the modem so you can see what options it has.   It might give you the answers you need.

wwakefieldCommented:
-In Japan I have DSL and it uses static route with a bridge modem.  I say bridge, as I do not modify the modem, it is issued.
--IP ADDRESS OUTSIDE whatever
--ROUTE Whatever

-In most locations, I use PPPOE:

interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group TELEKOM
 ip address pppoe setroute
vpdn group TELEKOM request dialout pppoe
vpdn group TELEKOM localname feste-ip7/xxxxxxxxxx@t-online-com.de
vpdn group TELEKOM ppp authentication pap
vpdn username feste-ip7xxxxxxxxxxx@t-online-com.de password *********

mtu outside 1492

-In the UK, we buy a certain number of statics and 1 must reside on their modem, which I configure with the dial out information and one of the statics.   It handles the dial-out.  The Cisco appliance just points to the modem with another one of the statics as the IP ADDRESS OUTSIDE and then ROUTE (to modem)

In regards to obtaining the information, you are correct.   Call the ISP and provide the DSL line.   They will probably also ask for an account number and some other information to validate who you are.  I find it best to have the company give you a DSL invoice so you have the stuff at hand.

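The comment above sketches the "modem routes, ASA holds a static" case only as "IP ADDRESS OUTSIDE whatever / ROUTE whatever". As an added example that is not from the thread or from the poster's configs, here is the ASA side of that case (options 2 and 3) next to the MTU and verification commands for the PPPoE case; addresses are constructed from the 203.0.113.0/24 documentation range, and the interface name and /29 mask are assumptions.

```cisco
! Added example, not the poster's config. Addresses constructed from 203.0.113.0/24 (documentation range).
! Case: modem does the PPPoE dial-out and routes; the ASA gets one of the purchased statics (assumed /29).
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.11 255.255.255.248
!
! Default route points at the modem's own static (203.0.113.9 here); no pppoe/vpdn lines are needed.
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
!
! Case: ASA does the PPPoE dial-out (option 1). Keep the poster's vpdn/pppoe lines and lower the
! outside MTU, because the PPPoE header takes 8 bytes out of the 1500-byte Ethernet payload.
mtu outside 1492
!
! Checks after either change:
! show vpdn session pppoe   -> PPPoE session state and the address the carrier handed out (option 1)
! show route                -> the default route, whether from "setroute" or the static route above
! show interface outside    -> link state and the address actually bound to the outside interface
```

If the site-to-site VPN peers on the carrier-assigned PPPoE address rather than a static, confirm with the carrier that the address is fixed, since a changing address breaks a statically addressed peer.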
wwakefieldCommented:
Once again, when I configure the UK modems (or any others), I turn off their firewall as a good measure.
cfan73Author Commented:
Great, helpful thread - thank you for being so thorough!