PPPoE Dial-In with ASA5505

If you want to connect your external interface to the internet using PPPoE, you have to configure a VPDN group first. In this simple example, our group is called PPPOE and we use PAP for authentication. Unlike IOS, ASA OS accepts only one authentication protocol, so you have to know whether your provider uses PAP or CHAP.

vpdn group PPPOE request dialout pppoe
vpdn group PPPOE localname <username>
vpdn group PPPOE ppp authentication pap
vpdn username <username> password <password>

After that, you can apply it to the desired interface, in my case Vlan2 (bound to Eth0/0).

interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group PPPOE
 ip address pppoe setroute

With ip address pppoe setroute, a default route is inserted after a successful PPPoE dial-in.
With some basic commands, you can verify whether an IP address has been assigned by your provider and whether the connection to the internet is established.

ciscoasa# show interface outside ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Vlan2                      <assigned ip>   YES manual up                    up
ciscoasa#
ciscoasa# sh route outside
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is <IP of provider router> to network 0.0.0.0

S*   0.0.0.0 0.0.0.0 [1/0] via <IP of provider router>, outside
ciscoasa#
ciscoasa# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/10 ms
ciscoasa#

When there are problems with the dial-in, you can use the following debug commands.

  • debug ppp neg
  • debug ppp auth
  • debug pppoe packet
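
Before turning to the debugs, the configuration steps above can be checked for consistency offline. The following Python sketch is an added example, not part of the original post: it verifies that the VPDN group, the vpdn username entry and the interface binding agree, and it notes when PAP is selected, because PAP sends the password unencrypted. The function name check_pppoe and the sample credentials are assumptions made for illustration.

```python
import re

# Constructed sample: the article's configuration with placeholder credentials.
SAMPLE_CONFIG = """\
vpdn group PPPOE request dialout pppoe
vpdn group PPPOE localname user@isp.example
vpdn group PPPOE ppp authentication pap
vpdn username user@isp.example password not-a-real-password
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group PPPOE
 ip address pppoe setroute
"""

def check_pppoe(config):
    """Return findings for the vpdn group / interface pairing (hypothetical helper)."""
    groups, users, ifaces, iface, out = {}, set(), {}, None, []
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            iface = None  # a top-level command ends the interface block
        if m := re.match(r"vpdn group (\S+) (.+)", line):
            groups.setdefault(m[1], []).append(m[2])
        elif m := re.match(r"vpdn username (\S+) password ", line):
            users.add(m[1])
        elif m := re.match(r"interface (\S+)", line):
            iface = m[1]
            ifaces[iface] = []
        elif iface:
            ifaces[iface].append(line)
    for name, cmds in groups.items():
        if "request dialout pppoe" not in cmds:
            out.append(f"{name}: missing 'request dialout pppoe'")
        auth = [c.split()[-1] for c in cmds if c.startswith("ppp authentication ")]
        if len(auth) != 1:
            out.append(f"{name}: expected one 'ppp authentication' line, found {len(auth)}")
        elif auth[0] == "pap":
            out.append(f"{name}: PAP sends the password in cleartext")
        local = [c.split()[-1] for c in cmds if c.startswith("localname ")]
        if not local or local[0] not in users:
            out.append(f"{name}: localname has no matching 'vpdn username'")
    for ifname, cmds in ifaces.items():
        bound = [c.split()[-1] for c in cmds if c.startswith("pppoe client vpdn group ")]
        if bound and bound[0] not in groups:
            out.append(f"{ifname}: vpdn group {bound[0]} is not defined")
        if bound and "ip address pppoe setroute" not in cmds:
            out.append(f"{ifname}: no 'ip address pppoe setroute', so no default route")
    return out
```

Calling check_pppoe(SAMPLE_CONFIG) returns only the PAP note; an empty list means the group, username and interface lines are consistent.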
