• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 425
  • Last Modified:

ASA not getting out with PPPOE AT&T internet - 8.3+

I need to know why this config isnt working. I have a bruised forehead from hitting it on a wall : )

: Saved
ASA Version 9.1(3)
hostname Hubbard
domain-name DOMAIN.COM
enable password C8300znpCj0V/.zS encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain

ip local pool Hubbard mask
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group ATT
 ip address PUBLICIP
boot system disk0:/asa913-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name DOMAN.COM
object network obj_any-01
object network obj-remote
object network obj-inside
object network obj-
object network obj-
object network obj-
object service WWW
 service tcp source eq www
object network inside-host
object service 48808
 service udp source eq 48808
object service 48806
 service udp source eq 48806
object network inside-host2
object network obj-PUBLICIP2
object network medina
object-group network
object-group network
object-group network
object-group network
access-list inside_nat0_outbound extended permit ip
access-list inside_NAT_outbound extended permit ip any4
access-list 147 extended permit ip
access-list 130 extended permit ip
access-list 148 extended permit ip
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static obj- obj- destination static obj- obj-
nat (inside,outside) source static inside-host interface service 48806 48806
nat (inside,outside) source static inside-host interface service 48808 48808
nat (inside,outside) source static inside-host interface service WWW WWW
object network medina
 nat (inside,outside) static OUTSIDEIP2
nat (inside,outside) after-auto source dynamic obj- interface
route outside GATEWAY 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set MYSET esp-des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map TUNNEL_MAP 45 match address 147
crypto map TUNNEL_MAP 45 set peer HOUSTON
crypto map TUNNEL_MAP 45 set ikev1 transform-set MYSET
crypto map TUNNEL_MAP 46 match address 130
crypto map TUNNEL_MAP 46 set peer DALLAS
crypto map TUNNEL_MAP 46 set ikev1 transform-set MYSET
crypto map TUNNEL_MAP interface outside
crypto ca trustpool policy
crypto isakmp identity address
no crypto isakmp nat-traversal
telnet timeout 5
ssh inside
ssh outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group ATT request dialout pppoe
vpdn group ATT localname AT&TEMAILADDRESS
vpdn group ATT ppp authentication pap
vpdn username AT&TEMAILADDRESS password *****

dhcpd address inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admini password jBFrHOlRmYIzGm8t encrypted
tunnel-group DALLAS type ipsec-l2l
tunnel-group DALLAS ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group HOUSTON type ipsec-l2l
tunnel-group HOUSTON ipsec-attributes
 ikev1 pre-shared-key *****
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end
  • 4
  • 2
1 Solution
j_crow1Author Commented:
I changed the MTU on the outside interface to 1492, but still no luck.
No data is getting out?
Does ping work at all?
Have you tried an extended ping with smaller packets?
j_crow1Author Commented:
Ping doesn't work at all - noob question, but what is extended ping?
The IT Degree for Career Advancement

Earn your B.S. in Network Operations and Security and become a network and IT security expert. This WGU degree program curriculum was designed with tech-savvy, self-motivated students in mind – allowing you to use your technical expertise, to address real-world business problems.

Its just ping specifying parameters. Nothing special but you can alter packet size etc.
Henk van AchterbergSr. Technical ConsultantCommented:
remove public IP from vlan 2 as you will receive the public IP from the PPP server!
j_crow1Author Commented:
I got a local vendor to handle it. Thanks anyway.
j_crow1Author Commented:
Local vendor handling issue.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now