Cisco ASA 5500 – Configuring PPPoE

KB ID 0000831 


Until very recently I’d never had to configure PPPoE. Most of my clients in that sort of connection speed range have ADSL with a router provided by their ISP. A Router that connects via PPPoA usually.

Here in the UK the main ISP’s (BT and Virgin) are busy rolling out FTTC connections that terminate with a ‘modem’ that presents an RJ45 socket.

FTTC Presentation

So without the need for a router, you can get the ASA to perform the authentication (supply the username and password via PPPoE) and either use a static IP address, or obtain its IP via DHCP.


1. Before you attempt to configure the connection, you will need the following from your ISP;

  • Username
  • Password
  • IP Details (If you have bought static IP’s you will need the range of IP addresses and the IP address to use as the firewalls default route (default gateway). Some ISP’s will expect you to configure DHCP and will make sure you always get the same IP.
  • Authentication method: CHAP, MSCHAP, or PAP (If your ISP acts confused when you ask, it’s probably CHAP).

2. Connect to the ASA > Go to enable mode > Go to configuration mode > Create a ‘vpdn’ group, (here I’ve called it PNL-DIALER-GROUP) > Set the authentication method, (here I’m using CHAP).

User Access Verification

Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure terminal
PetesASA(config)# vpdn group PNL-DIALER-GROUP request dialout pppoe
PetesASA(config)# vpdn group PNL-DIALER-GROUP ppp authentication chap

3. Supply your username and password. (The store-local command puts the details in a protected area of flash memory).

PetesASA(config)# vpdn group PNL-DIALER-GROUP localname PetesASA(config)# vpdn username password Password12345 store-local

4. Apply your vpdn group to the interface (or VLAN if your using an ASA5505), then configure the static IP address or DHCP;

Command for an ASA 5505 (By Default VLAN 2 will be the outside VLAN).

PetesASA(config)# Interface vlan2 PetesASA(config-if)#

Command for an ASA 5510 (or greater) (By Default Ethernet0/0 will be the outside interface).

PetesASA(config)# Ethernet0/0 PetesASA(config-if)#

The rest of the configuration is the same for all models

PetesASA(config-if)# pppoe client vpdn group PNL-DIALER-GROUP

If you have been given a static IP address and default route

PetesASA(config-if)# ip address pppoe PetesASA(config-if)# route outside

If you are getting you IP address via DHCP

PetesASA(config-if)# ip address pppoe setroute

5. Save your changes.

PetesASA(config-if)# exit PetesASA(config)# exit PetesASA# write mem Building configuration… Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d

7424 bytes copied in 1.710 secs (7424 bytes/sec) [OK] PetesASA#

Cisco ASA Debugging PPPoE

You can use the following command/syntax to troubleshoot.

PetesASA# show ip address outside pppoe PetesASA# [no] debug pppoe {event | error | packet} PetesASA# show vpdn session [l2tp | pppoe] [id sess_id | packets | state | window] PetesASA# show vpdn

Configure PPPoE via ASDM

1. Connect to the ASDM > Configuration > Device Setup > Interfaces > Ethernet0/0 > Edit > General Tab > Use PPPoE.

2. Enter VPDN Group name username and password.

3. Set the PPP Authentication method PAP / CHAP or MSCHAP.

FTTC Presentation

4. Tick store username and password in flash > IP Address and Route Settings
Apply > OK.

5. File > Save Running Configuration to flash.

Related Articles, References, Credits, or External Links



Author: Migrated

Share This Post On