KB ID 0000831
Problem
Until very recently I’d never had to configure PPPoE. Most of my clients in that sort of connection speed range have ADSL with a router provided by their ISP, usually a router that connects via PPPoA.
Here in the UK the main ISPs (BT and Virgin) are busy rolling out FTTC connections that terminate with a ‘modem’ that presents an RJ45 socket.
So without the need for a router, you can get the ASA to perform the authentication (supply the username and password via PPPoE) and either use a static IP address, or obtain its IP via DHCP.
Solution
1. Before you attempt to configure the connection, you will need the following from your ISP:
- Username
- Password
- IP details: if you have bought static IPs you will need the range of IP addresses and the IP address to use as the firewall’s default route (default gateway). Some ISPs will expect you to configure DHCP and will make sure you always get the same IP.
- Authentication method: CHAP, MSCHAP, or PAP (If your ISP acts confused when you ask, it’s probably CHAP).
2. Connect to the ASA > Go to enable mode > Go to configuration mode > Create a ‘vpdn’ group, (here I’ve called it PNL-DIALER-GROUP) > Set the authentication method, (here I’m using CHAP).
[box]
User Access Verification
Password:
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure terminal
PetesASA(config)# vpdn group PNL-DIALER-GROUP request dialout pppoe
PetesASA(config)# vpdn group PNL-DIALER-GROUP ppp authentication chap
[/box]
3. Supply your username and password. (The store-local command puts the details in a protected area of flash memory).
[box]
PetesASA(config)# vpdn group PNL-DIALER-GROUP localname username1234-fttc@ispname.net
PetesASA(config)# vpdn username username1234-fttc@ispname.net password Password12345 store-local
[/box]
4. Apply your vpdn group to the interface (or VLAN if you’re using an ASA5505), then configure the static IP address or DHCP:
[box]
Command for an ASA 5505 (By Default VLAN 2 will be the outside VLAN).
PetesASA(config)# interface vlan2
PetesASA(config-if)#
Command for an ASA 5510 (or greater) (By Default Ethernet0/0 will be the outside interface).
PetesASA(config)# interface Ethernet0/0
PetesASA(config-if)#
The rest of the configuration is the same for all models
PetesASA(config-if)# pppoe client vpdn group PNL-DIALER-GROUP
If you have been given a static IP address and default route
PetesASA(config-if)# ip address 123.123.123.123 255.255.255.248 pppoe
PetesASA(config-if)# route outside 0.0.0.0 0.0.0.0 123.123.123.124
If you are getting your IP address via DHCP
PetesASA(config-if)# ip address pppoe setroute
[/box]
5. Save your changes.
[box]
PetesASA(config-if)# exit
PetesASA(config)# exit
PetesASA# write mem
Building configuration…
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d
7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#
[/box]
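An added example, not part of the original article or any Cisco tooling: a short Python check that reads a saved ASA configuration and confirms the PPPoE pieces from steps 2 to 4 line up (the interface points at a defined vpdn group, and that group has dial-out, an authentication method and a localname with a matching vpdn username entry). It also flags PAP, which sends the password in cleartext. The function name audit_pppoe and the sample configuration are constructed for illustration, and the check assumes the configuration text contains the commands as typed above.

```python
import re

# Constructed sample: the commands from steps 2-4 as they would sit in a saved config.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 pppoe client vpdn group PNL-DIALER-GROUP
 ip address pppoe setroute
vpdn group PNL-DIALER-GROUP request dialout pppoe
vpdn group PNL-DIALER-GROUP localname username1234-fttc@ispname.net
vpdn group PNL-DIALER-GROUP ppp authentication chap
vpdn username username1234-fttc@ispname.net password Password12345 store-local
"""
GROUP_RE = re.compile(
    r"vpdn group (\S+) (request dialout pppoe|localname|ppp authentication)\s*(\S*)$")

def audit_pppoe(config):
    """Return a list of findings for the PPPoE client settings in an ASA config."""
    groups, users, bound, iface = {}, set(), [], None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            iface = m.group(1)                      # remember the current interface
        elif m := re.match(r"pppoe client vpdn group (\S+)$", line):
            bound.append((iface, m.group(1)))       # interface -> vpdn group binding
        elif m := GROUP_RE.match(line):
            groups.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
        elif m := re.match(r"vpdn username (\S+) password \S+", line):
            users.add(m.group(1))
    findings = []
    if not bound:
        findings.append("no interface has 'pppoe client vpdn group'")
    for iface, name in bound:
        g = groups.get(name)
        if g is None:
            findings.append(f"{iface}: vpdn group {name} is not defined")
            continue
        if "request dialout pppoe" not in g:
            findings.append(f"{name}: missing 'request dialout pppoe'")
        auth = g.get("ppp authentication")
        if auth is None:
            findings.append(f"{name}: no 'ppp authentication' method set")
        elif auth == "pap":
            findings.append(f"{name}: PAP sends the password in cleartext")
        local = g.get("localname")
        if local is None:
            findings.append(f"{name}: no localname set")
        elif local not in users:
            findings.append(f"{name}: no 'vpdn username' entry for {local}")
    return findings

print(audit_pppoe(SAMPLE_CONFIG) or "no findings")
```

An empty list means the interface, group and credential entries all reference each other consistently; a mismatch between the group name on the interface and the vpdn group name is the kind of typo it reports.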
Cisco ASA Debugging PPPoE
You can use the following command/syntax to troubleshoot.
[box]
PetesASA# show ip address outside pppoe
PetesASA# [no] debug pppoe {event | error | packet}
PetesASA# show vpdn session [l2tp | pppoe] [id sess_id | packets | state | window]
PetesASA# show vpdn
[/box]
Configure PPPoE via ASDM
1. Connect to the ASDM > Configuration > Device Setup > Interfaces > Ethernet0/0 > Edit > General Tab > Use PPPoE.
2. Enter the VPDN Group name, username and password.
3. Set the PPP Authentication method PAP / CHAP or MSCHAP.
4. Tick store username and password in flash > IP Address and Route Settings > Apply > OK.
5. File > Save Running Configuration to flash.