Suggested prerequisite reading:
»Cisco Forum FAQ »Things to expect when setup network for home or small business

For many cable and DSL Internet connections, the ISP instructs its customers (subscribers) to configure their router to obtain an IP address automatically using a username and password. In other words, the ISP treats the subscriber's router as a PPP client (PPPoE).

When this is your case, the following sample configuration is a good starting point for configuring the firewall. A typical network environment that would use the following PIX/ASA sample configuration looks like this:

* There is a modem in front of the PIX/ASA; the modem connects to the ISP
* The ISP provides a public IP address to the PIX/ASA via PPPoE
* NAT/PAT is in place on the PIX/ASA to translate internal IP addresses to the ISP-provided public IP address
* The PIX/ASA also acts as the DHCP server for the local LAN, handing out dynamic IP information to the hosts behind it

This sample PIX/ASA configuration assumes the following:

* Internal private IP subnet (for hosts behind the PIX/ASA): 10.0.0.0/24
* The default gateway of every host is the PIX/ASA inside interface IP address: 10.0.0.1
* The IP address range 10.0.0.30-10.0.0.254 is available to the DHCP pool for clients
* The remaining IP address range 10.0.0.2-10.0.0.29 is reserved for statically assigned hosts
* DHCP clients also receive the DNS server addresses 68.87.64.196 and 68.87.66.196 automatically as part of the dynamic IP assignment
* When hosts behind the PIX/ASA go out to the Internet, they appear as the PIX/ASA outside interface IP address (the ISP-assigned public IP address)
* Only the ICMP message types listed in the ICMP-INBOUND object group below are permitted to enter your LAN from the Internet

SAMPLE CONFIGURATION

1. PIX

OS Version 6.3

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname PIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group icmp-type ICMP-INBOUND
description Permit necessary inbound ICMP traffic
icmp-object 0
icmp-object 3
icmp-object 11
access-list INBOUND permit icmp any any object-group ICMP-INBOUND
pager lines 24
mtu outside 1492
mtu inside 1500
ip address outside pppoe setroute
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group INBOUND in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.0.0.2 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname [ENTER ISP USERNAME HERE]
vpdn group pppoex ppp authentication chap (use "pap" instead if your ISP requires PAP)
vpdn username [ENTER ISP USERNAME HERE] password [ENTER ISP PASSWORD HERE]
dhcpd address 10.0.0.30-10.0.0.254 inside
dhcpd dns 68.87.64.196 68.87.66.196
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
 

2. PIX/ASA

OS Version 7.x to 8.2

hostname ASA
domain-name xxxxx
enable password xxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address pppoe setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name xxx.xxx
object-group icmp-type ICMP-INBOUND
description Permit necessary inbound ICMP traffic
icmp-object 0
icmp-object 3
icmp-object 11
access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND
pager lines 24
logging enable
logging console notifications
logging buffered warnings
logging asdm notifications
mtu outside 1492
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group INBOUND in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname [ENTER ISP USERNAME HERE]
vpdn group pppoex ppp authentication chap (use "pap" instead if your ISP requires PAP)
vpdn username [ENTER ISP USERNAME HERE] password [ENTER ISP PASSWORD HERE]
!
dhcpd address 10.0.0.30-10.0.0.254 inside
dhcpd dns 68.87.64.196 68.87.66.196 interface inside
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
webvpn
enable outside
prompt hostname context
 

OS Version 8.3 or later

hostname ASA
domain-name xxxxx
enable password xxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address pppoe setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name xxx.xxx
!
object-group service ICMP-INBOUND
description Permit necessary inbound ICMP traffic
icmp 0
icmp 3
icmp 11
!
access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND
!
pager lines 24
logging enable
logging console notifications
logging buffered warnings
logging asdm notifications
mtu outside 1492
mtu inside 1500
no asdm history enable
!
object network OBJ_GENERIC_ALL 
 subnet 0.0.0.0 0.0.0.0
 
nat (inside,outside) source dynamic OBJ_GENERIC_ALL interface
!
access-group INBOUND in interface outside
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname [ENTER ISP USERNAME HERE]
vpdn group pppoex ppp authentication chap (use "pap" instead if your ISP requires PAP)
vpdn username [ENTER ISP USERNAME HERE] password [ENTER ISP PASSWORD HERE]
!
dhcpd address 10.0.0.30-10.0.0.254 inside
dhcpd dns 68.87.64.196 68.87.66.196 interface inside
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
webvpn
enable outside
prompt hostname context
 

MTU Setting Notes:
* A typical Ethernet connection uses a 1500-byte MTU
* PPPoE adds 8 bytes of overhead to every frame, so only 1492 bytes of MTU are left for the IP packet
* The PPPoE session runs on the outside interface, where the PIX/ASA connects to the ISP
* The inside interface, where the PIX/ASA connects to the LAN, is a regular Ethernet connection
* Set the 1492-byte MTU only on the outside interface and keep the 1500-byte MTU on the inside interface
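The addressing assumptions listed at the top and the MTU notes just above can both be checked mechanically against a running-config. The script below is an added example, not part of the original FAQ and not Cisco's code: it parses the PIX 6.3 command syntax shown above (a trimmed copy of that sample, with the placeholders removed, is embedded as constructed input), computes the PPPoE MTU and the TCP MSS that follows from it (the 40-byte IPv4+TCP header figure is this script's assumption), and reports where the configuration departs from the stated plan. The static reservation range, the allowed ICMP type set and the severity labels are parameters of this script, not values the FAQ defines.

```python
"""Audit a PIX 6.3-style PPPoE configuration against the addressing and MTU rules above.
Added example, not from the FAQ or Cisco; thresholds and check names are this script's own."""
import ipaddress
import re

# Constructed sample: a trimmed copy of the PIX 6.3 configuration shown in the FAQ.
SAMPLE_CONFIG = """\
object-group icmp-type ICMP-INBOUND
icmp-object 0
icmp-object 3
icmp-object 11
mtu outside 1492
mtu inside 1500
ip address outside pppoe setroute
ip address inside 10.0.0.1 255.255.255.0
http 10.0.0.2 255.255.255.255 inside
snmp-server community public
telnet 10.0.0.2 255.255.255.255 inside
dhcpd address 10.0.0.30-10.0.0.254 inside
"""

ETHERNET_MTU = 1500     # bytes carried by a plain Ethernet frame
PPPOE_OVERHEAD = 8      # PPPoE header (6) + PPP protocol field (2)
TCP_IP_HEADERS = 40     # IPv4 (20) + TCP (20) without options (assumption)


def pppoe_mtu(ethernet_mtu=ETHERNET_MTU):
    """MTU left for the IP packet once PPPoE has taken its 8 bytes."""
    return ethernet_mtu - PPPOE_OVERHEAD


def tcp_mss_for(mtu):
    """Largest TCP payload that still fits in one packet at this MTU."""
    return mtu - TCP_IP_HEADERS


def parse_config(text):
    """Pull the handful of fields the checks need out of the running-config."""
    cfg = {"mtu": {}, "pppoe_ifaces": set(), "inside": None, "dhcp_pool": None,
           "icmp_types": [], "snmp_community": None, "mgmt": []}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"mtu (\S+) (\d+)$", line):
            cfg["mtu"][m[1]] = int(m[2])
        elif m := re.match(r"ip address (\S+) pppoe", line):
            cfg["pppoe_ifaces"].add(m[1])            # interface that speaks PPPoE
        elif m := re.match(r"ip address (\S+) (\S+) (\S+)$", line):
            cfg["inside"] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")
        elif m := re.match(r"dhcpd address (\S+)-(\S+) (\S+)", line):
            cfg["dhcp_pool"] = (ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
        elif m := re.match(r"icmp-object (\d+)", line):
            cfg["icmp_types"].append(int(m[1]))
        elif m := re.match(r"snmp-server community (\S+)", line):
            cfg["snmp_community"] = m[1]
        elif m := re.match(r"(telnet|http|ssh) (\S+) (\S+) (\S+)$", line):
            cfg["mgmt"].append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}"), m[4]))
    return cfg


def audit(cfg, static_range=("10.0.0.2", "10.0.0.29"), allowed_icmp=(0, 3, 11)):
    """Return (severity, message) findings; an empty list means the config matches the plan."""
    findings = []
    # 1. MTU: the PPPoE interface carries 1492, plain Ethernet interfaces keep 1500.
    for iface, mtu in cfg["mtu"].items():
        expected = pppoe_mtu() if iface in cfg["pppoe_ifaces"] else ETHERNET_MTU
        if mtu != expected:
            findings.append(("error", f"mtu {iface} is {mtu}, expected {expected}"))
    # 2. Inbound ICMP: nothing beyond the echo-reply / unreachable / time-exceeded set.
    extra = sorted(set(cfg["icmp_types"]) - set(allowed_icmp))
    if extra:
        findings.append(("warning", f"inbound ICMP types outside the expected set: {extra}"))
    # 3. DHCP pool lies in the inside subnet and does not touch the static range or gateway.
    lo, hi = cfg["dhcp_pool"]
    gw = cfg["inside"]
    s_lo, s_hi = (ipaddress.ip_address(a) for a in static_range)
    if lo not in gw.network or hi not in gw.network:
        findings.append(("error", "DHCP pool is not inside the inside subnet"))
    if not (hi < s_lo or lo > s_hi):
        findings.append(("error", "DHCP pool overlaps the static reservation range"))
    if s_lo <= gw.ip <= s_hi or lo <= gw.ip <= hi:
        findings.append(("error", "inside interface address collides with a client range"))
    # 4. Management plane: default SNMP community, management not pinned to the LAN.
    if cfg["snmp_community"] in ("public", "private"):
        findings.append(("warning", f"SNMP community '{cfg['snmp_community']}' is a well-known default"))
    for proto, net, iface in cfg["mgmt"]:
        if iface != "inside" or net.prefixlen < 24:
            findings.append(("warning", f"{proto} management reachable from {net} on {iface}"))
    return findings


if __name__ == "__main__":
    print(f"PPPoE MTU {pppoe_mtu()}, TCP MSS {tcp_mss_for(pppoe_mtu())}")
    for severity, message in audit(parse_config(SAMPLE_CONFIG)):
        print(f"[{severity}] {message}")
```

Run against the embedded sample, the only finding is the "snmp-server community public" line, which the PIX 6.3 sample carries as-is; everything else (1492 outside / 1500 inside, ICMP types 0, 3 and 11 only, a DHCP pool that starts at .30 and so stays clear of the .2-.29 static range, HTTP and telnet pinned to the single inside host 10.0.0.2) matches the plan. The parser only understands the PIX 6.3 syntax; the 7.x and 8.3 samples put the address under the interface block and would need a small extension.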

Field Notices:
* A PIX 501 firewall running version 6.3 refuses to accept the "ip address ... pppoe" command if the outside interface has been named anything other than "outside" (e.g. "ext"). To execute this command, rename the interface to "outside" (with the "nameif" command) and then issue the "ip address outside pppoe" command


by aryoba
last modified: 2014-02-24 14:23:00