cfan73

asked on

Cisco router and/or ASA connectivity through DSL

A customer currently has two sites with DSL connections to the Internet, and Nortel BSR222 routers sitting behind them, configured with a site-to-site VPN.  We need to replace these Nortel systems with a Cisco solution, so I'm thinking ASA firewalls on each end:

Site1  ->  ASA ->  DSL modem ->> Internet ->>  DSL modem ->  ASA -> Site2

I'm relatively new to business DSL, and I need to know if this can be made to work, and if not, why.  Specifically:

1) The DSL modem will provide an Ethernet hand-off, so the ASAs will not need to have any direct knowledge of DSL operation/negotiation, correct?   The ASA sees only Ethernet, and won't require any DSL client commands of any sort?

2) I've heard/read that some DSL modems can operate in either bridged or routed mode - in the scenario above, I would choose to use bridged mode, and have the public IPs for the site-to-site VPNs terminate on the ASAs, correct?

3) I've heard/read that authentication is often used in business DSL environments.  How would this be performed in the above scenario?  Would the ASA be authenticating the DSL head-end at the carrier?   And what form of authentication?  (PPP/CHAP?   PPPoE, etc.)

Thank you, and references/links are always appreciated.


ASKER CERTIFIED SOLUTION
wwakefield
Note when the ASA is doing the dial out, set MTU 1492
cfan73

ASKER

Thanks for the great responses!   A few follow-ups for clarification, if I may:

3) suggests that you can connect an ASA (or router/whatever, for that matter) directly to the DSL modem's Ethernet hand-off, and connect (assuming a static/default route) without any PPPoE configuration at all.  Is this really correct?

I assume that 1) is preferred so that you can protect the connection with authentication, yes?  In this case, the ASA is authenticating to the head-end across the provider link (as opposed to the DSL modem itself, which is simply a pass-through bridge).  Also correct?

Lastly, the company we're trying to help here is replacing these Nortel routers w/ our new Cisco gear.  If authentication (PPPoE) has been configured, and the customer (or us) doesn't know the config to build out the ASA properly, I assume a call to the carrier is necessary (and they could provide us with the necessary info if we give them the DSL identification (phone) number)?

Thank you!!  
The way the connection is handled depends on the carrier.

Option 3 is correct in one of my locations and I will validate in a couple hours.  It is definitely true at the sites where I use cable.   At those sites, I just register the MAC of the modem.   I will pull up the running configs.

Note if you are unable to see the configs in the Nortel routers in clear text, you will need to contact the provider.   In fact, I recommend contacting the provider regardless.  They will give you the correct answer on PPPoE etc. and save you the guess work.

If you are trying to avoid contacting the carrier, you could have that company give you the make and model of the modem so you can see what options it has.   It might give you the answers you need.

-In Japan I have DSL and it uses static route with a bridge modem.  I say bridge, as I do not modify the modem, it is issued.
! outside interface: static public address handed to the ASA through the bridged modem
 ip address <public-ip> <netmask>
route outside 0.0.0.0 0.0.0.0 <modem-next-hop>

-In most locations, I use PPPoE:

! outside interface: the ASA itself runs the PPPoE client and takes its
! address and default route from the carrier
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group TELEKOM
 ip address pppoe setroute
! PPPoE dial-out group; the localname must match the vpdn username below
vpdn group TELEKOM request dialout pppoe
vpdn group TELEKOM localname feste-ip7/xxxxxxxxxx@t-online-com.de
vpdn group TELEKOM ppp authentication pap
vpdn username feste-ip7xxxxxxxxxxx@t-online-com.de password *********
! PPPoE adds 8 bytes of overhead per frame, so the outside MTU drops from 1500 to 1492
mtu outside 1492

-In the UK, we buy a certain number of statics and 1 must reside on their modem, which I configure with the dial-out information and one of the statics.   It handles the dial-out.  The Cisco appliance just points to the modem with another one of the statics as the IP ADDRESS OUTSIDE and then ROUTE (to modem).

In regards to obtaining the information, you are correct.   Call the ISP and provide the DSL line.   They will probably also ask for an account number and some other information to validate who you are.  I find it best to have the company give you a DSL invoice so you have the stuff at hand.

Once again, when I configure the UK modems (or any others), I turn off their firewall as a good measure.
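A small consistency check for the two outside-interface shapes described in this thread (the ASA dialing out over PPPoE, and a static address behind a bridged modem). This is an added example, not code from the original thread; the sample config and the names in it are constructed placeholders, not the poster's real values.

```python
import re

# Constructed sample in the shape of the PPPoE config above; credentials
# replaced with obvious placeholders.
SAMPLE_PPPOE = """\
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group TELEKOM
 ip address pppoe setroute
vpdn group TELEKOM request dialout pppoe
vpdn group TELEKOM localname USER@EXAMPLE-ISP
vpdn group TELEKOM ppp authentication pap
vpdn username USER@EXAMPLE-ISP password PLACEHOLDER
mtu outside 1492
"""


def lint_asa_outside(config):
    """Return a list of findings for an ASA outside-interface config fragment.

    Checks: every PPPoE client group referenced by an interface is defined,
    each group's localname has a matching 'vpdn username', the outside MTU is
    1492 when the ASA dials out, and a static (bridged-modem) outside address
    has a default route. An empty list means no findings.
    """
    findings = []
    referenced = set(re.findall(r"^\s*pppoe client vpdn group (\S+)", config, re.M))
    defined = set(re.findall(r"^vpdn group (\S+) request dialout pppoe", config, re.M))
    for group in sorted(referenced - defined):
        findings.append(f"vpdn group {group} referenced by interface but never defined")
    localnames = dict(re.findall(r"^vpdn group (\S+) localname (\S+)", config, re.M))
    usernames = set(re.findall(r"^vpdn username (\S+) password", config, re.M))
    for group, name in localnames.items():
        if name not in usernames:
            findings.append(f"localname {name} in group {group} has no matching vpdn username")
    uses_pppoe = bool(referenced)
    mtu = re.search(r"^mtu outside (\d+)", config, re.M)
    if uses_pppoe and (mtu is None or int(mtu.group(1)) != 1492):
        findings.append("ASA dials out over PPPoE but mtu outside is not 1492")
    if not uses_pppoe:
        # Bridged-modem case: a dotted-quad address on an interface needs a
        # default route pointing at the modem/carrier next hop.
        static = re.search(r"^\s*ip address (\d+\.\d+\.\d+\.\d+) ", config, re.M)
        route = re.search(r"^route outside 0\.0\.0\.0 0\.0\.0\.0 ", config, re.M)
        if static and not route:
            findings.append("static outside address but no default route to the modem")
    return findings
```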
cfan73

ASKER

Great, helpful thread - thank you for being so thorough!