50.1 PPPoE/PPPoA/DHCP

This is a sample configuration for connecting a Cisco router that has an ADSL2+-capable HWIC or a built-in ADSL2+ port to either Be Broadband or O2, where the package purchased from O2 is ADSL2+.

The IP address should be provided by the service provider in the format 188.0.0.1 / 255.255.248.0 or similar, or even as a range of IP addresses such as 188.0.0.1 - 188.0.0.7 / 255.255.248.0.

In addition, the service provider will provide the IP address of the default gateway (router) and the DNS server IP addresses.

These will simply be plain IP addresses, such as 188.0.7.254 for the default gateway and 188.0.7.1 and 188.0.7.2 for the DNS servers.

The following config is required in all situations.


The basic configuration for the ATM interface is as follows:

interface ATM0
!
! A MAC address is required. Use a MAC that is different from the one below.
! You can even reuse the MAC of the router's LAN interface with the middle
! hexadecimal group changed to a random value; for example, 001d.7186.b56e on
! the LAN interface of the router could become 001d.7197.b56e here:

mac-address 0014.0000.0000
no ip address
ip virtual-reassembly
no atm ilmi-keepalive
dsl operating-mode auto
!
!
! Create a new point-to-point sub-interface and assign it the IP address (or one
! of the IP addresses) provided by O2 or BB:

interface ATM0.1 point-to-point
ip address 188.0.0.1 255.255.248.0
!
! Add the command IP NAT OUTSIDE so that your LAN IPs are NATted to the IP
! assigned on this sub-interface:

ip nat outside
ip virtual-reassembly
!
! Add the following commands:

atm route-bridged ip
pvc 0/101
encapsulation aal5snap
!

Then add the static route to allow traffic to be routed out to the internet:

ip route 0.0.0.0 0.0.0.0 188.0.7.254

Then configure the NAT statement to specify what hosts will get NATted and to what:

!
ip nat inside source list 102 interface ATM0.1 overload
!
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!

If the hosts on the LAN are not statically assigned IP addresses, then a DHCP server will need to be set up on the router for that purpose, as follows:

!
! Exclude the IP address of the router's VLAN/BVI interface as well as any other statically configured
! hosts

ip dhcp excluded-address 10.10.10.254
!
! Name of DHCP pool

ip dhcp pool lan-pool
import all
!
! Network range to assign IP addresses in

network 10.10.10.0 255.255.255.0
!
! DNS servers' IP addresses provided by BB or O2

dns-server 188.0.7.1 188.0.7.2
default-router 10.10.10.254
lease 0 12
!

Choose either option 1 or 2 depending on your situation, not both.


(1.) If using a bridged interface, then the following is relevant:

!
! Global bridging commands: create bridge group 1 and let the BVI route IP for it
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface Vlan1
no ip address
bridge-group 1
bridge-group 1 spanning-disabled
!
! Creation of a Bridge Virtual Interface with the internal LAN IP address

interface BVI1
ip address 10.10.10.254 255.255.255.0
!
! Add the command IP NAT INSIDE to allow the internal hosts to get NATted

ip nat inside
ip virtual-reassembly
!

(2.) OR if not using the bridged interface, then add the internal LAN IP address if not already present to VLAN 1:

!
interface Vlan1
ip address 10.10.10.254 255.255.255.0
!
! Add the command IP NAT INSIDE to allow the internal hosts to get NATted

ip nat inside
!



Credit to bigsy and the anonymous user Nubbins for posting his config.

by Covenant
last modified: 2010-08-19 07:04:02

ISPs used in the thread are SBC with PPPoE, Verizon (US) with PPPoE, and Zen (UK) with PPPoA.

»PPPoE configs required

Notes:
* Qwest uses PPPoA in some areas and PPPoE in others for its xDSL services. If Qwest is your DSL Internet provider, confirm with Qwest which PPP technology is used in your area.
* Verizon uses DHCP/static addressing in some areas and PPPoE in others for its xDSL services. If Verizon is your DSL Internet provider, confirm with Verizon which technology is used in your area.

Non-PPPoE Static IP Verizon ADSL Sample Configuration (contributed by mannygib)

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cisco857DSL
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
 
!
bridge irb
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.35 point-to-point
ip virtual-reassembly
no snmp trap link-status
pvc 0/35
encapsulation aal5snap
!
bridge-group 1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
! LAN IP address and subnet mask
ip address 192.168.118.1 255.255.255.0
ip nat inside
!
!
interface BVI1
! Something that Verizon recognizes
mac-address 0000.0cb9.b080
! The IP address and subnet mask Verizon gives to you
ip address xx.xx.xx.xx yy.yy.yy.yy
ip nat outside
ip virtual-reassembly
!
! Verizon default gateway
ip route 0.0.0.0 0.0.0.0 XX.XX.XX.XX
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface BVI1 overload
!
access-list 1 permit 192.168.118.0 0.0.0.255
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
! telnet carries credentials in cleartext; 'transport input ssh' restricts the vty lines to SSH only
transport input telnet ssh
!
scheduler max-task-time 5000
end
 

More Sample Configurations

The following links provide sample configurations for Cisco routers in PPPoE, PPPoA, and DHCP environments. Your network setup could be similar, different, or mixed, and you may not even use the same router model as the sample configurations. However, the sample configurations can be considered generic. Explore the links and see if you can answer your own question; of course, you can always post questions to the forum for further assistance. Have fun :)

Cisco website
Router Configuration Examples and TechNotes
Cisco 827 Router Configuration Frequently Asked Questions

Various PPPoE/PPPoA/DHCP/Static Sample Configuration with Cisco

by aryoba
last modified: 2009-08-28 09:48:04

Suggested pre-reading:
»Cisco Forum FAQ »Things to expect when setup network for home or small business

For many cable and DSL Internet connections, the ISP tells its customers (subscribers) to set their router to receive an IP address from the ISP automatically. This means that the ISP treats the subscriber's router as a DHCP client.

When this is your case, the following sample configuration is a good starting point for configuring the router. Though the example uses a 2514 router, the configuration applies to any router that has two Ethernet interfaces available for the connection (one for the WAN, facing the ISP, and another for the LAN, facing your computers).

A typical network environment that might use the following sample router configuration is as follows:
* There is a modem in front of the router, and the modem connects to the ISP
* The ISP provides a public IP address to the router via DHCP
* The WAN interface (in this sample configuration, Ethernet0) receives the ISP-provided public IP address through the DHCP exchange between the router and the ISP network
* NAT/PAT is in place on the router to translate internal IP addresses to the ISP-provided public IP address
* All internal IP addresses are NAT/PAT-ed to the ISP-provided public IP address (that is, to the IP address of the Ethernet0 interface, which points toward the ISP)
* The router also acts as a DHCP server, providing dynamic IP information to hosts behind the router

Note:

Keep in mind that there are two DHCP processes in this sample configuration. One is between your ISP and the router, and the other is between the router and the machines in your LAN. Your ISP hands out a specific IP address (e.g. 1.1.1.1), while your router hands out completely different IP addresses for internal use.

As mentioned, this sample configuration uses the Ethernet0 interface as the WAN interface that receives the ISP-provided public IP address through the DHCP exchange between the router and the ISP network. You can, however, use any available interface on your router, such as Ethernet1, FastEthernet0/0, or GigabitEthernet1/0. When you do not use the exact same interface as the sample configuration, make sure you adjust the rest of the configuration to match.

This sample router configuration assumes the following:

* Internal private IP subnet (for hosts behind the router): 192.168.1.0/24
* The gateway for all hosts is the router's inside interface IP address: 192.168.1.1
* The IP address range 192.168.1.31-192.168.1.254 is available to DHCP pool clients
* The IP address range 192.168.1.2-192.168.1.30 is consequently reserved for statically-assigned hosts
* The DHCP clients also receive the DNS server IP addresses 4.2.2.5, 4.2.2.6, and 4.2.2.66 automatically as part of the dynamic IP address assignment
* When hosts behind the router go out to the Internet, they use the router's outside interface IP address (which is the ISP-assigned public IP address)

Note:

* The DNS server IP addresses used here, 4.2.2.5, 4.2.2.6, and 4.2.2.66, are "fake" stand-ins for your ISP's DNS server IP addresses and may not reflect the actual ones. To match your ISP's DNS servers, simply replace those IP addresses with your ISP's DNS server IP addresses.
* When you don't know your ISP's DNS server IP addresses, issue the show dhcp server command on your router to find out. Then use those ISP DNS server IP addresses in your router's DHCP configuration (read: replace 4.2.2.5, 4.2.2.6, and 4.2.2.66 with the ones that show dhcp server shows).

Sample Configuration

service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
!
ip subnet-zero
no ip finger
ip dhcp excluded-address 192.168.1.1 192.168.1.30
!
ip dhcp pool insideDHCP
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 4.2.2.5 4.2.2.6 4.2.2.66
!
!
!
!
!
interface Ethernet0
description Facing the ISP (the WAN)
ip address dhcp
ip nat outside
!
interface Ethernet1
description Facing my LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface Serial0
no ip address
shutdown
!
interface Serial1
no ip address
shutdown
!
ip nat inside source list 1 interface Ethernet0 overload
ip classless
no ip http server
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
!
! 'password 7' strings are reversibly obfuscated by service password-encryption, not hashed
line con 0
exec-timeout 0 0
password 7 104308100F1E1C0C
logging synchronous
login
transport input none
line aux 0
password 7 082C4D4703100B10
login
line vty 0 4
password 7 050607062B45400E
login
!
end
 

Some discussions

»[HELP] Setting up Cisco 2621 for home use. Can't get to outside world..
»851w and DHCP
»[Config] Need help configuring 1841 for lan broadband please ?
»[HELP] Cannot get Cisco 2621 to work, please help??
»[HELP] Cisco 3660 Comcast Config help
»[Config] Can anyone please help with my configuration?
»Router Setup, Please HELP
»[Config] my verizon DSL and cisco 2514 configuration
»[HELP] 2650XM Config for RR

Note:

* Note the absence of the gateway-of-last-resort (default gateway) command, ip route 0.0.0.0 0.0.0.0. This command is not needed when the public IP address is assigned dynamically via DHCP, since that is the whole point of using DHCP. In other words, the default gateway should appear in the routing table as a result of the DHCP exchange with the ISP and not through manual configuration.

* The only time you need to manually configure the default gateway when using DHCP is when you need to change the route's administrative distance to something that fits your needs. Should this be your choice, the command is the following.
ip route 0.0.0.0 0.0.0.0 dhcp [ENTER NEW ADMINISTRATIVE DISTANCE HERE]

* Some ISPs lock the IP address assignment from their address pool to a certain MAC address. When this is the case, you may want to ask your ISP to replace the MAC address on file with the correct one (your router's WAN interface MAC address), or "clone" the MAC address from the working device onto the router. Check out the following thread for an illustration
»[help] 851W and ISP DHCP

* This DHCP sample configuration requires at least two Ethernet-type ports: one connects to the ISP modem and the other connects to your internal LAN. The DHCP process requires a port with a dedicated MAC address. Since there is only one MAC address per Ethernet port, you cannot use the same router Ethernet port for both the modem and the internal LAN. When you plan to use a router with only one Ethernet port (e.g. 1720, 2610, 2620, 2650), you need an additional integrated Ethernet port such as a WIC-4ESW or NM-16ESW module in order to use DHCP over Ethernet, or use a router with at least two Ethernet ports.

* To illustrate some DHCP debugging processes and techniques that may help when you need to troubleshoot a DHCP issue, check out the following thread.
»[HELP] 881 does not "recover" after cable modem reboot
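The feedback below mentions forgetting the ip nat inside / ip nat outside statements, and the notes above explain why a hand-typed next-hop default route does not belong next to ip address dhcp. As an added example (not part of this FAQ, and not a Cisco tool), here is a small Python linter that checks a saved running-config for exactly those mistakes, plus the NAT/ACL and DHCP-pool consistency points that every sample configuration on this page relies on (the NAT statement must name a defined access-list and the nat-outside interface; the pool's default-router must sit in an excluded-address range). It assumes the one-space indentation that show running-config prints (the configs on this page were flattened when posted); the two configs embedded in it are constructed, modelled on the dual-Ethernet sample above.

```python
import ipaddress
import re

NAT_RE = re.compile(r"^ip nat inside source list (\S+) interface (\S+) overload$")
ACL_RE = re.compile(r"^access-list (\S+) permit")
ROUTE_RE = re.compile(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)")
EXCL_RE = re.compile(r"^ip dhcp excluded-address (\S+)(?: (\S+))?$")


def parse_ios(text):
    """Split a running-config into (global_lines, stanzas). A stanza is any unindented
    line ('interface Ethernet0', 'ip dhcp pool X', ...) plus the one-space-indented
    lines that follow it, which is how 'show running-config' prints sub-mode commands."""
    global_lines, stanzas, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] == " ":
            if current is not None:
                stanzas[current].append(raw.strip())
        else:
            current = raw.strip()
            stanzas[current] = []
            global_lines.append(current)
    return global_lines, stanzas


def lint(text):
    """Return a list of findings; an empty list means the checked config passes."""
    global_lines, stanzas = parse_ios(text)
    findings = []
    ifaces = {h.split(None, 1)[1]: b for h, b in stanzas.items() if h.startswith("interface ")}
    inside = [n for n, b in ifaces.items() if "ip nat inside" in b]
    outside = [n for n, b in ifaces.items() if "ip nat outside" in b]
    if not inside:
        findings.append("no interface carries 'ip nat inside'")
    if len(outside) != 1:
        findings.append(f"expected exactly one 'ip nat outside' interface, found {outside}")
    acls = {m.group(1) for m in map(ACL_RE.match, global_lines) if m}
    nat_stmts = [m for m in map(NAT_RE.match, global_lines) if m]
    if not nat_stmts:
        findings.append("no 'ip nat inside source list ... overload' statement")
    for m in nat_stmts:
        acl, ifname = m.groups()
        if acl not in acls:
            findings.append(f"NAT statement references access-list {acl}, which is not defined")
        if ifname not in outside:
            findings.append(f"NAT statement overloads on {ifname}, which is not the 'ip nat outside' interface")
    # With 'ip address dhcp' on the WAN the default route arrives with the lease; only the
    # 'ip route 0.0.0.0 0.0.0.0 dhcp [distance]' form is legitimate alongside it.
    wan_is_dhcp = any("ip address dhcp" in b for b in ifaces.values())
    for m in map(ROUTE_RE.match, global_lines):
        if m and wan_is_dhcp and m.group(1) != "dhcp":
            findings.append(f"static default route via {m.group(1)} although the WAN uses 'ip address dhcp'")
    # DHCP server: the pool's own default-router must fall inside an excluded-address range
    excluded = []
    for m in map(EXCL_RE.match, global_lines):
        if m:
            lo = ipaddress.ip_address(m.group(1))
            excluded.append((lo, ipaddress.ip_address(m.group(2) or m.group(1))))
    for header, body in stanzas.items():
        if not header.startswith("ip dhcp pool "):
            continue
        gw = next((ln.split()[1] for ln in body if ln.startswith("default-router ")), None)
        if gw is None:
            findings.append(f"{header}: no default-router")
        elif not any(lo <= ipaddress.ip_address(gw) <= hi for lo, hi in excluded):
            findings.append(f"{header}: default-router {gw} is not excluded and could be leased to a client")
        if not any(ln.startswith("dns-server ") for ln in body):
            findings.append(f"{header}: no dns-server")
    return findings


# Constructed sample in the shape of the FAQ's dual-Ethernet DHCP-client configuration
GOOD_CONFIG = """\
ip dhcp excluded-address 192.168.1.1 192.168.1.30
!
ip dhcp pool insideDHCP
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 4.2.2.5 4.2.2.6 4.2.2.66
!
interface Ethernet0
 ip address dhcp
 ip nat outside
!
interface Ethernet1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 interface Ethernet0 overload
access-list 1 permit 192.168.1.0 0.0.0.255
end
"""

# Constructed broken variant: the NAT sides were never marked, and a next-hop default
# route was typed by hand although the WAN interface obtains its address via DHCP
BROKEN_CONFIG = (GOOD_CONFIG.replace(" ip nat outside\n", "")
                 .replace(" ip nat inside\n", "")
                 .replace("end\n", "ip route 0.0.0.0 0.0.0.0 1.1.1.1\nend\n"))

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("broken", BROKEN_CONFIG)):
        print(name, lint(cfg) or "OK")
```

Paste the output of show running-config into a file and pass its contents to lint(); an empty list means none of the checked mistakes is present. The checks are deliberately narrow and say nothing about the rest of the configuration.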

Feedback received on this FAQ entry:
  • wow ! I simply forgot to configure my nat inside / outside statements on both interfaces. I spent many hours this weekend trying to figure out why traffic on my local interface would not route to public Internet with RIP enabled. Thanks.

    2013-07-07 22:12:36

  • one word, this is beautiful. Just started getting interested about networking. Have a lab set up at home and got my wireless internet connected to my lab router. Your Configuration has helped me a great deal for internet set up.

    2012-09-30 17:08:09

  • This is an OUTSTANDING tutorial! I've been searching the web for this information for days, even weeks altogether, and finally here it is. THANK YOU VERY MUCH! The DHCP to the WAN and separate DHCP to the LAN is actually very common and you'd think cisco or numerous other web sites would address the subject, but not on any of the dozens and dozens of web pages I searched did I ever see this or a similar explanation. THANKS again, you are a great technical writer and a great contributor of knowledge to the world.

    2012-02-14 13:25:34

  • Thumbs up for u!

    2010-10-19 07:44:28

  • Thank you so much for this information. I had configured my 2621 as a DHCP client and PAT using the currently ISP assigned IP address but knew this was trouble but I had to get that working first then figure out how to make it use whatever address is currently assigned. Obviously, it is right there in the command help but I am somewhat of a noob to Cisco Routers. This replaced my D-Link DI-524 RevA. Yea! Randy

    2010-05-22 23:57:47



by aryoba
last modified: 2014-04-08 10:15:49

Suggested prerequisite reading:
»Cisco Forum FAQ »Things to expect when setup network for home or small business

For many cable and DSL Internet connections, the ISP tells its customers (subscribers) to set their router to receive an IP address from the ISP automatically. This means that the ISP treats the subscriber's router as a DHCP client.

When this is your case, the following sample configuration is a good starting point for configuring the router. A typical network environment that might use the following sample router configuration is as follows:

* There is no (external) modem in front of the router connecting to the ISP
* The modem to the ISP is internal to the router itself
* The DSL line goes directly to the router's internal modem
* The ISP provides a public IP address to the router via DHCP
* NAT/PAT is in place on the router to translate internal IP addresses to the ISP-provided public IP address
* The router could also act as a DHCP server, providing dynamic IP information to hosts behind the router

Note:

Keep in mind that when the router acts as a DHCP server, there are two DHCP processes in this sample configuration. One is between your ISP and the router, and the other is between the router and the machines in your LAN. Your ISP hands out a specific IP address (e.g. 1.1.1.1), while your router hands out completely different IP addresses for internal use.

Preliminary

DHCP client configuration for a generic (dual-Ethernet) router and for an ADSL router is basically the same. Specifically for an ADSL router, you need to configure the DSL (ATM) interface, the BVI interface, and the IRB feature.

To go a bit more technical, the ATM interface should be configured as point-to-point with the VPI/VCI value matching the ISP's. The reason is that there may be multiple VPI/VCI values within the same ATM interface. By setting a sub-interface as a point-to-point connection with a specific VPI/VCI value, the ADSL modem knows how to forward traffic to the proper path.

The next step is to tie the point-to-point ATM sub-interface to a specific BVI interface by placing them in the same broadcast domain. In this sample configuration, both the ATM sub-interface and the BVI interface are in broadcast domain #1 (bridge group 1).

The reason behind such a setup is the following. Two interfaces deal with the DSL connection. One is the physical ATM interface, into which you physically connect the phone cable. The other is the logical Layer-2/3 BVI interface that does the IP routing and switching. In other words, the BVI handles the IP routing connection to the ISP and the Internet.

While logically the BVI is the WAN side, the LAN side is still the same, namely the Ethernet interface. When your LAN needs to go out to the Internet, the router sends the packets from the Ethernet interface to the BVI interface. Since the BVI is only a logical interface and not a physical one, the BVI then looks for its physical interface in order to forward the packets that need to go out to the Internet. The physical interface in question is the ATM interface.

To make sure the BVI interface knows that its associated physical interface is the ATM interface, you put them in the same broadcast domain. This is where the "bridge-group 1" command comes in handy.

Since your router has two interfaces (the ATM and the BVI) in the same broadcast domain and needs to do proper IP routing between your ISP and your LAN, you also need to configure the IRB feature. IRB is short for Integrated Routing and Bridging. With IRB, your router can act as a bridge (for the ATM and BVI interfaces) and as a router (for routing between your ISP and your LAN).

This sample router configuration assumes the following:

* Internal private IP subnet (for hosts behind the router): 10.10.10.0/24
* The gateway for all hosts is the router's inside interface IP address: 10.10.10.1
* The IP address range 10.10.10.2 to 10.10.10.254 is available for your LAN devices/hosts
* When hosts behind the router go out to the Internet, they use the router's outside interface IP address (which is the ISP-assigned public IP address)

SAMPLE CONFIGURATION

Following is a sample configuration that sets an ADSL router up as the ISP's DHCP client. Please note that the pvc (vpi/vci) value used in this sample configuration MUST BE MODIFIED to match your ISP's vpi/vci. Since only your ISP knows their vpi/vci value for sure, ask your ISP for the value.

!
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
!
ip subnet-zero
!
bridge irb
!
interface Ethernet0
ip address 10.10.10.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface ATM0
no ip address
no ip directed-broadcast
no atm ilmi-keepalive
bundle-enable
hold-queue 208 in
!
interface ATM0.35 point-to-point
no ip directed-broadcast
pvc 0/35
encapsulation aal5snap
!
bridge-group 1
!
!
interface BVI1
ip address dhcp
no ip directed-broadcast
ip nat outside
!
ip nat inside source list 1 interface BVI1 overload
ip classless
no ip http server
!
access-list 1 permit 10.10.10.0 0.0.0.255
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
exec-timeout 0 0
transport input none
stopbits 1
line vty 0 4
password ****
login
!
scheduler max-task-time 5000
end

Note:

* Note the absence of the gateway-of-last-resort command, ip route 0.0.0.0 0.0.0.0. This command is not needed when the public IP address is assigned dynamically via DHCP, since that is the whole point of using DHCP. In other words, the default gateway should appear in the routing table as a result of the DHCP exchange with the ISP and not through manual configuration.

* The only time you need to manually configure the default gateway when using DHCP is when you need to change the route's administrative distance to something that fits your needs. Should this be your choice, the command is the following.
ip route 0.0.0.0 0.0.0.0 dhcp [ENTER NEW ADMINISTRATIVE DISTANCE HERE]

* Some ISPs lock the handed-out IP address to a certain MAC address. When this is the case, you may want to ask your ISP to replace the MAC address on file with the correct one (your router's WAN interface MAC address), or "clone" the MAC address from the working device onto the router. Check out the following thread for an illustration

»[help] 851W and ISP DHCP

* To illustrate some DHCP debugging processes and techniques that may help when you need to troubleshoot a DHCP issue, check out the following thread.

»[HELP] 881 does not "recover" after cable modem reboot

Setup the router as DHCP server (handing out IP address to LAN hosts automatically)

Keep in mind that the above sample configuration assumes all of your LAN machines (e.g. computers, print servers) have their IP addresses statically configured. When your computers are configured to receive an IP address automatically (read: as DHCP clients), then you need to configure the router as the DHCP server for your LAN machines. The following is the needed configuration.

ip dhcp excluded-address 10.10.10.1 10.10.10.31
!
ip dhcp pool CLIENT
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 4.2.2.5 4.2.2.6 4.2.2.66
import all

With the above setup,

* The IP address range 10.10.10.32-10.10.10.254 is available to DHCP pool clients
* The IP address range 10.10.10.2-10.10.10.31 is consequently reserved for statically-assigned hosts
* The DHCP clients also receive the DNS server IP addresses 4.2.2.5, 4.2.2.6, and 4.2.2.66 automatically as part of the dynamic IP address assignment
* These addresses (4.2.2.5, 4.2.2.6, and 4.2.2.66) should be either your local DNS/WINS servers or the ISP-provided DNS servers
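As an added example (not part of the FAQ), the following Python snippet derives the reserved and leasable address ranges directly from the network and ip dhcp excluded-address lines of a pool, so bullets like the ones above can be checked rather than worked out by hand. The pool text it runs on is constructed from the configuration above; it also handles several excluded-address lines, which split the leasable range into pieces (the router's own .1 shows up inside the reserved range because the exclusion starts there).

```python
import ipaddress
import re

EXCL_RE = re.compile(r"^ip dhcp excluded-address (\S+)(?: (\S+))?$")
NET_RE = re.compile(r"^network (\S+) (\S+)$")


def to_ranges(addrs):
    """Collapse a sorted list of addresses into contiguous (first, last) string pairs."""
    ranges = []
    for a in addrs:
        if ranges and a == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], a)
        else:
            ranges.append((a, a))
    return [(str(lo), str(hi)) for lo, hi in ranges]


def dhcp_ranges(config_text):
    """Return (reserved, leasable) host ranges for the pool described by the
    'network' and 'ip dhcp excluded-address' lines in config_text."""
    net, excluded = None, set()
    for raw in config_text.splitlines():
        line = raw.strip()
        m = NET_RE.match(line)
        if m:
            # IOS writes the pool as 'network <addr> <dotted mask>'; ipaddress accepts that form
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        m = EXCL_RE.match(line)
        if m:
            lo = int(ipaddress.ip_address(m.group(1)))
            hi = int(ipaddress.ip_address(m.group(2) or m.group(1)))  # single address if no end given
            excluded.update(range(lo, hi + 1))
    if net is None:
        raise ValueError("pool has no 'network' line")
    hosts = list(net.hosts())  # the network and broadcast addresses are never leased
    reserved = [a for a in hosts if int(a) in excluded]
    leasable = [a for a in hosts if int(a) not in excluded]
    return to_ranges(reserved), to_ranges(leasable)


# Constructed pool in the shape of the FAQ's DHCP server configuration above
POOL_CONFIG = """\
ip dhcp excluded-address 10.10.10.1 10.10.10.31
!
ip dhcp pool CLIENT
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 4.2.2.5 4.2.2.6 4.2.2.66
 import all
"""

if __name__ == "__main__":
    reserved, leasable = dhcp_ranges(POOL_CONFIG)
    print("reserved:", reserved)
    print("leasable:", leasable)
```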

by aryoba
last modified: 2013-03-16 04:30:48

Suggested prerequisite reading:
»Cisco Forum FAQ »Things to expect when setup network for home or small business

For many cable and DSL Internet connections, the ISP tells its customers (subscribers) to set their router to receive an IP address from the ISP automatically. This means that the ISP treats the subscriber's router as a DHCP client.

When this is your case, the following sample configuration is a good starting point for configuring the firewall. Two sample configurations are provided here, one for the PIX and another for the ASA. Note that both configurations are identical.

A typical network environment that might use the following sample PIX/ASA configuration is as follows:

* There is a modem in front of the PIX/ASA, and the modem connects to the ISP
* The ISP provides a public IP address to the PIX/ASA via DHCP
* NAT/PAT is in place on the PIX/ASA to translate internal IP addresses to the ISP-provided public IP address
* The PIX/ASA also acts as a DHCP server for the local LAN, providing dynamic IP information to hosts behind the PIX/ASA

Note:

Keep in mind that there are two DHCP processes in this sample configuration. One is between your ISP and the PIX/ASA, and the other is between the PIX/ASA and the machines in your LAN. Your ISP hands out a specific WAN or public IP address (e.g. 1.1.1.1) to the WAN interface of your PIX or ASA via the ISP's DHCP mechanism, while your PIX/ASA hands out completely different IP addresses for internal use via its own DHCP mechanism.

This sample PIX/ASA configuration assumes the following:

* Internal private IP subnet (for hosts behind the PIX/ASA): 10.0.0.0/24
* The gateway for all hosts is the PIX/ASA inside interface IP address: 10.0.0.1
* The IP address range 10.0.0.30-10.0.0.254 is available to DHCP pool clients
* The IP address range 10.0.0.2-10.0.0.29 is consequently reserved for statically-assigned hosts
* The DHCP clients also receive the DNS server IP addresses 68.87.64.196 and 68.87.66.196 automatically as part of the dynamic IP address assignment
* When hosts behind the PIX/ASA go out to the Internet, they use the PIX/ASA outside interface IP address (which is the ISP-assigned public IP address)
* Only the necessary ICMP packets coming from the Internet are permitted into your LAN

SAMPLE CONFIGURATION

1. PIX

OS Version 6.3(3)

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname PIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group icmp-type ICMP-INBOUND
description Permit necessary inbound ICMP traffic
icmp-object 0
icmp-object 3
icmp-object 11
access-list INBOUND permit icmp any any object-group ICMP-INBOUND
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group INBOUND in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.30-10.0.0.254 inside
dhcpd dns 68.87.64.196 68.87.66.196
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
 

2. PIX/ASA

OS Version 7.x to 8.2

hostname ASA
domain-name xxxxx
enable password xxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name xxx.xxx
object-group icmp-type ICMP-INBOUND
description Permit necessary inbound ICMP traffic
icmp-object 0
icmp-object 3
icmp-object 11
access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND
pager lines 24
logging enable
logging console notifications
logging buffered warnings
logging asdm notifications
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group INBOUND in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.0.0.30-10.0.0.254 inside
dhcpd dns 68.87.64.196 68.87.66.196 interface inside
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
webvpn
enable outside
prompt hostname context
 

OS Version 8.3 or later

hostname ASA
domain-name xxxxx
enable password xxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name xxx.xxx
!
object-group service ICMP-INBOUND
description Permit necessary inbound ICMP traffic
icmp 0
icmp 3
icmp 11
!
access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND
!
pager lines 24
logging enable
logging console notifications
logging buffered warnings
logging asdm notifications
mtu outside 1500
mtu inside 1500
no asdm history enable
!
object network OBJ_GENERIC_ALL 
 subnet 0.0.0.0 0.0.0.0
!
nat (inside,outside) source dynamic OBJ_GENERIC_ALL interface
!
access-group INBOUND in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.0.0.30-10.0.0.254 inside
dhcpd dns 68.87.64.196 68.87.66.196 interface inside
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
webvpn
enable outside
prompt hostname context
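The FAQ states that the pre-8.3 and 8.3-or-later configurations are identical even though the object-group and NAT syntax changed between releases. As an added example (not part of the FAQ, and not Cisco tooling), the Python below normalizes the lines that differ between the two releases into one policy record and compares them, so that a syntax migration can be verified to have preserved the inbound ICMP allow-list (types 0, 3 and 11), the dynamic PAT to the outside interface, the DHCP pool and the DNS hand-out. The parsing is regex-based and only covers the constructs shown on this page; the two abridged configs embedded in it are constructed from the ones above.

```python
import re

ICMP_NAMES = {0: "echo-reply", 3: "unreachable", 8: "echo-request", 11: "time-exceeded"}


def extract_policy(config_text):
    """Reduce a PIX/ASA config to the policy elements whose syntax changed in 8.3:
    the ICMP-INBOUND group members, the dynamic PAT rule, the DHCP pool and DNS."""
    policy = {"icmp_inbound": frozenset(), "pat": None, "dhcp_pool": None,
              "dhcp_dns": None, "wan_dhcp_setroute": False}
    icmp, objects, globals_, nat_old = set(), {}, {}, {}
    group = obj = None  # object-group / object network currently open
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"^object-group (?:icmp-type|service) (\S+)$", line)
        if m:
            group, obj = m.group(1), None
            continue
        m = re.match(r"^object network (\S+)$", line)
        if m:
            obj, group = m.group(1), None
            continue
        # group members: 'icmp-object N' before 8.3, 'icmp N' from 8.3 on
        m = re.match(r"^(?:icmp-object|icmp) (\d+)$", line)
        if m and group == "ICMP-INBOUND":
            icmp.add(int(m.group(1)))
            continue
        m = re.match(r"^subnet (\S+) (\S+)$", line)
        if m and obj:
            objects[obj] = (m.group(1), m.group(2))
            continue
        if line.startswith("description "):
            continue
        group = obj = None  # any other line closes the open object
        m = re.match(r"^global \((\w+)\) (\d+) interface$", line)
        if m:
            globals_[m.group(2)] = m.group(1)
        m = re.match(r"^nat \((\w+)\) (\d+) (\S+) (\S+)", line)
        if m:
            nat_old[m.group(2)] = (m.group(1), m.group(3), m.group(4))
        m = re.match(r"^nat \((\w+),(\w+)\) source dynamic (\S+) interface$", line)
        if m:
            policy["pat"] = (m.group(1), m.group(2)) + objects[m.group(3)]
        m = re.match(r"^dhcpd address (\S+)-(\S+) (\w+)$", line)
        if m:
            policy["dhcp_pool"] = m.groups()
        m = re.match(r"^dhcpd dns (\S+) (\S+)", line)
        if m:
            policy["dhcp_dns"] = m.groups()
        if line.endswith("dhcp setroute"):
            policy["wan_dhcp_setroute"] = True
    # pre-8.3: 'global (outside) N interface' + 'nat (inside) N net mask' form one PAT rule
    for nat_id, (src_if, net, mask) in nat_old.items():
        if nat_id in globals_:
            policy["pat"] = (src_if, globals_[nat_id], net, mask)
    policy["icmp_inbound"] = frozenset(icmp)
    return policy


def icmp_type_names(policy):
    """Human-readable view of the inbound ICMP allow-list."""
    return [ICMP_NAMES.get(t, str(t)) for t in sorted(policy["icmp_inbound"])]


def policy_diff(old_text, new_text):
    """Policy keys whose normalized value differs; empty means the migration preserved them."""
    a, b = extract_policy(old_text), extract_policy(new_text)
    return [k for k in a if a[k] != b[k]]


# Constructed, abridged versions of the two configurations above
ASA_PRE_83 = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
object-group icmp-type ICMP-INBOUND
 description Permit necessary inbound ICMP traffic
 icmp-object 0
 icmp-object 3
 icmp-object 11
access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group INBOUND in interface outside
dhcpd address 10.0.0.30-10.0.0.254 inside
dhcpd dns 68.87.64.196 68.87.66.196 interface inside
dhcpd enable inside
"""

ASA_83_PLUS = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
object-group service ICMP-INBOUND
 description Permit necessary inbound ICMP traffic
 icmp 0
 icmp 3
 icmp 11
!
access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND
!
object network OBJ_GENERIC_ALL
 subnet 0.0.0.0 0.0.0.0
!
nat (inside,outside) source dynamic OBJ_GENERIC_ALL interface
access-group INBOUND in interface outside
dhcpd address 10.0.0.30-10.0.0.254 inside
dhcpd dns 68.87.64.196 68.87.66.196 interface inside
dhcpd enable inside
"""

if __name__ == "__main__":
    print("inbound ICMP:", icmp_type_names(extract_policy(ASA_PRE_83)))
    print("differences after migration:", policy_diff(ASA_PRE_83, ASA_83_PLUS) or "none")
```

Any key returned by policy_diff() is a place where the rewritten configuration no longer says what the old one did; in the test below, adding an echo-request entry to the 8.3 object group is caught as a change to the inbound ICMP allow-list.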
 


Feedback received on this FAQ entry:
  • Ty a lot great

    2012-01-10 09:09:49

  • VERY GOOD DUDE

    2010-06-28 18:55:42

  • This is really great! You really helped me out with this article - Thanks for you work guys, I really appreciate that!

    2010-06-14 13:41:29



by aryoba
last modified: 2014-02-24 14:16:19

Suggested prerequisite reading:
»Cisco Forum FAQ »Things to expect when setup network for home or small business

For many cable and DSL Internet connections, the ISP tells its customers (subscribers) to configure their router to obtain an IP address using a username and password. In other words, the ISP treats the subscriber's router as a PPP client.

When this is your case, the following sample configuration is a good starting point for configuring the router. If your ISP requires PPPoE for Internet access, the general idea is to configure the router as a PPPoE client to the ISP.

The sample configuration below uses a Cisco 2514 with IOS 12.3. Although the example uses a 2514, the configuration applies to any router that uses two Ethernet interfaces for the connection, including the 871 and 1841, though you may need to adjust it when the router runs an IOS version other than 12.3.

Typical network environment that might utilize following sample router configuration is as follows
* There is a modem in front of the router, which the modem connects to the ISP
* ISP is providing Public IP address to the router via PPPoE
* There is NAT/PAT in place on the router to translate internal IP addresses to the ISP-provided Public IP address

This sample configuration applies to the setup where the modem is external as you may notice. If you have modem/router combo, then following FAQ is suggested.
»Cisco Forum FAQ »Configuring router with integrated ADSL modem running PPPoE

This sample router configuration assumes the following
* Internal private IP subnet (for hosts behind the router): 10.10.10.0/24
* All hosts use the router's inside interface IP address as their gateway: 10.10.10.1
* The range 10.10.10.2-10.10.10.254 is available for hosts within your LAN
* When hosts behind the router go out to the Internet, they appear as the router's outside interface IP address (the ISP-assigned public IP address)
* The router is not set up as a DHCP server for LAN machines. See the next PPP router sample configuration for an example of setting up the router as the DHCP server.

Sample Configuration
version 12.3
no parser cache
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service dhcp
!
hostname Router
!
!
!!!! "enable secret" stores a one-way hash; "enable password" is only reversible type 7
enable secret xxxxxxxxxx
no aaa new-model
ip subnet-zero
ip cef
!
!!!!! Configure Router as PPPoE Client to the ISP
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!!!!!
!
!
!
interface Ethernet0
description My LAN Interface
ip address 10.10.10.1 255.255.255.0
!!!! When NAT/PAT occurs, this interface is the source candidate (inside local)
ip nat inside
!!!!
no ip mroute-cache
no cdp enable
!
interface Ethernet1
description Physical ADSL Interface (Facing the ISP)
no ip address
no ip mroute-cache
!!!! Ties this interface to the Dialer interface 
pppoe enable
pppoe-client dial-pool-number 1
!!!!
no cdp enable
!
interface Serial0
no ip address
no ip mroute-cache
shutdown
no cdp enable
!
interface Serial1
no ip address
no ip mroute-cache
shutdown
no cdp enable
!
interface Dialer1
description Logical ADSL Interface
ip address negotiated
ip mtu 1492
!!!! When NAT/PAT occurs, this interface is the destination candidate (inside global)
ip nat outside
!!!!
encapsulation ppp
ip tcp adjust-mss 1452
no ip mroute-cache
!!!!! Ties this logical interface to the proper physical interface
dialer pool 1
!!!!!
!!!!! Passing the protocol allowed by the "dialer-list" command
dialer-group 1
!!!!!
no cdp enable
ppp authentication chap pap callin
ppp chap hostname [your username, provided by ISP]
ppp chap password 0 [your username password, given by ISP]
ppp pap sent-username [the username] password 0 [the password]
!!!! Default Gateway to the ISP
ppp ipcp route default
!
ppp ipcp dns request accept
ppp ipcp address accept
!
!!!! PAT subnets allowed by the ACL 10
ip nat inside source list 10 interface Dialer1 overload
!!!!
no ip http server
ip classless
!!!!
!
!
!!!! ACL 10 determines which subnet to be PATed
access-list 10 permit 10.10.10.0 0.0.0.255
!!!!
!!!! Determine which protocol to pass through
dialer-list 1 protocol ip permit
!!!!
no cdp run
!
!
!
line con 0
exec-timeout 120 0
stopbits 1
line vty 0 4
!!!! "login local" checks against local users; define one in global config, e.g.
!!!! username [admin name] privilege 15 secret [password]
!!!! or no VTY login will be accepted. Consider "transport input ssh" and an
!!!! "access-class" here too, and an idle timeout instead of "exec-timeout 0 0"
exec-timeout 0 0
login local
length 0
!
scheduler max-task-time 5000
end
 

A Walkthrough
»Cisco Forum FAQ »Walkthrough of Configuring Cisco Routers for ADSL PPPoE using external modem

Note:
For those of you curious to learn more about the PPPoE client configuration on a Cisco router, you can type ? (question mark) to list the protocols available for the VPDN dial. As a heads-up, pppoe may not appear in that list, yet the router accepts the pppoe command without complaint. In other words, the pppoe protocol choice may be somewhat hidden.

More PPPoE sample configuration
»Cisco Forum FAQ »Wireless Router Sample Configuration

Some discussions
»getting my hand wet over cisco!! please help
»[Config] Cisco 1701 cant access some websites

Troubleshooting
PPPoE Troubleshooting Guide from official Cisco website in case something goes wrong

Side Note:
Some might argue that the configuration only applies to dynamic ISP IP address assignment. That when using static, the command under interface Dialer1 is "ip address x.x.x.x x.x.x.x" instead of "ip address negotiated". However, you may have to use "ip address negotiated" on static IP address to make everything work (the VPN, public server access, etc.) in some cases.

Check out the following FAQ for more info
»Cisco Forum FAQ »Between DHCP, PPP, Dynamic, and Static IP Address

Tips:
To find out which DNS IP addresses your ISP hands out through ppp ipcp dns request accept, run debug ppp negotiation (or the more verbose debug ppp packet) together with terminal monitor. Watch the scrolling lines, especially the IPCP exchange that carries the router's IP address and the DNS IP addresses. Once you see the DNS addresses, stop the debug and monitoring with undebug all and terminal no monitor.

Feedback received on this FAQ entry:
  • This is perfect.thanks a lot.

    2013-07-10 02:44:16



by aryoba
last modified: 2013-12-30 06:44:32

Suggested pre-reading:
»Cisco Forum FAQ »Things to expect when setup network for home or small business

For a quick guide and some network topology, check out the following FAQ
»Cisco Forum FAQ »Quick Guide of Configuring Cisco router for PPPoE using external modem

This FAQ serves as a basic walk through of the above FAQ in order to provide deeper descriptions in configuring any Cisco routers running IOS with two Ethernet interfaces for ADSL. For more info, check out the above FAQ.

1. VPDN Group

First we will need to build the VPDN group so we will be able to add our dialer after we configure the Ethernet interface we will use for the WAN connection.
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#vpdn enable
router(config)#vpdn-group 1
router(config-vpdn)#request-dialin
router(config-vpdn)#protocol pppoe
router(config-vpdn)#exit


2. WAN interface

Now we configure one Ethernet interface for use as our WAN interface.
router(config)#interface Ethernet1
router(config-if)#description ADSL WAN Interface
router(config-if)#no ip address
router(config-if)#no ip redirects
router(config-if)#no ip unreachables
router(config-if)#no ip proxy-arp
router(config-if)#no ip mroute-cache
router(config-if)#pppoe enable
router(config-if)#pppoe-client dial-pool-number 1
router(config-if)#no cdp enable
router(config-if)#exit

The pppoe-client dial-pool-number 1 line is what ties this physical interface to the Dialer interface (dialer pool 1) created next; pppoe enable alone does not bind it.

Now to add your Dialer interface
router(config)#interface Dialer1
router(config-if)#description ADSL WAN Dialer
router(config-if)#ip address negotiated
router(config-if)#no ip unreachables
router(config-if)#ip nat outside
router(config-if)#encapsulation ppp
router(config-if)#no ip mroute-cache
router(config-if)#dialer pool 1
router(config-if)#dialer-group 1
router(config-if)#no cdp enable


3. PPP Authentication

At this point you need to find out what type of authentication your ISP requires. When you run into problems here (the ISP says one thing, the line actually does another), turn on debug ppp negotiation or debug ppp authentication to watch the LCP and authentication exchange; debug ppp packet gives the raw packet-level view. Generally you will use either CHAP or PAP, and some ISPs require both. Note that PAP sends the username and password over the link in clear text, so prefer CHAP whenever the ISP supports it. Following is how to set both up.
router(config-if)#ppp authentication chap pap callin
router(config-if)#ppp chap hostname [ENTER ISP USERNAME HERE]

Make sure the username is exactly what your ISP requires. Some ISPs want the full e-mail address, others just the username. You may have received a letter or e-mail with this information; consult your ISP if you are unsure. Following is the setup.
router(config-if)#ppp chap password [ENTER ISP PASSWORD HERE]
router(config-if)#ppp pap sent-username [ENTER ISP USERNAME HERE] password [ENTER ISP PASS WORD HERE]

As you can see, with PAP, unlike CHAP, you enter the username and password together in one command.

On routers running a newer IOS image you may need to say whether the password you are entering is clear text or already in type 7 form. Type 0 (zero) before the password to indicate clear text, or 7 (seven) to indicate a type 7 string copied from another configuration. Keep in mind that type 7 is a reversible obfuscation, not real encryption: anyone who can read the configuration (a backup, a TFTP copy, a pasted forum post) can recover the password, so treat the running-config as a secret.

4. Dialer interface IP traffic flow permission

You may notice that the Dialer1 interface is part of dialer group 1. The dialer group controls which Layer 3 protocol traffic is considered "interesting", that is, allowed to bring up and use the Layer 2 PPP link. You therefore need to tell the dialer group which Layer 3 protocols the Dialer1 interface may pass over PPP; in this case, IP. Following is the setup.
router(config-if)#exit
router(config)#dialer-list 1 protocol ip permit


5. PPPoE MTU Size

One problem you may run into, as providers keep changing their networks, is fragmentation of traffic from PCs whose TCP Maximum Segment Size (MSS) is too large for the path. The standard Ethernet MTU is 1500 bytes; PPPoE adds 8 bytes of overhead (a 6-byte PPPoE header plus the 2-byte PPP protocol field), so the IP MTU on the Dialer interface should be 1492. The second half of the fix is the ip tcp adjust-mss command, which rewrites the MSS option in TCP SYN packets crossing the interface it is applied to. It can go on the inside Ethernet interface or on the Dialer interface; either way the SYNs from your LAN hosts must pass through that interface for it to take effect.

You will find many different numbers recommended out there: 1492, 1460, 1452, 1440. Keep MTU and MSS apart. MTU is the largest IP packet an interface will send; MSS is the largest TCP payload inside that packet, which is MTU minus the 20-byte IPv4 header and the 20-byte TCP header (when neither carries options). A plain 1500-byte Ethernet MTU therefore gives an MSS of 1460; with PPPoE the MTU drops to 1492 and the MSS to 1452, which is pretty much the standard value for DSL with a PPPoE transport.

Following is from the mouth of Cisco, "If you have ADSL running PPPoE and run into problems resolving DNS, adjust your MTU on your ethernet interface using the command ip tcp adjust-mss 1452. This is because PPPoE requires more bits in the header packet than any other type of circuit."

6. PPPoE over ATM cells as part of DSL physical connectivity

The last bit of optimization is more subtle and is a debatable topic. PPPoE traffic over DSL is carried in ATM cells, so it has to be chopped up before transmission. An ATM cell is 53 bytes with a 5-byte header, leaving 48 bytes of payload. Splitting 1452 bytes of TCP payload across 48-byte cells gives 30.25 cells: 30 full cells plus a 12-byte remainder that needs a 31st cell, and since cells are always 53 bytes, that last cell carries 36 bytes of padding. Dropping the MSS to 1440 (exactly 30 cells) is the usual argument for eliminating that waste. The caveat is that this count only looks at the TCP payload: what actually goes into AAL5 is the whole packet, including the TCP, IP and PPPoE headers, the Ethernet and LLC/SNAP headers when PPPoE is bridged over the PVC, and the 8-byte AAL5 trailer, so the real cell boundary falls elsewhere and 1440 is not automatically better than 1452.

Adjusting the MTU may be news to you, but the minute you do it, a surprising number of network problems can disappear. With this in mind, the MTU should not be too big (to avoid connectivity problems from fragmented or dropped oversized packets) nor too small (to avoid wasting bandwidth on headers). Feel free to try an MSS of 1452 and of 1440 and measure which gives the better result on your line.

Check out the following Cisco link
Troubleshooting MTU Size in PPPoE Dialin Connectivity
for additional information about adjusting Maximum Segment (MSS) sizes on your equipment.

Some discussions:
»Odd slowdowns with C1841 and Actiontec Q1000 bridge

Following is an example of MTU Size Implementation on PPPoE
router(config)#interface Dialer1
router(config-if)#ip mtu 1492
router(config-if)#ip tcp adjust-mss 1452
router(config-if)#exit


7. LAN interface

Now you configure the other Ethernet interface for use as the LAN interface.
router(config)#interface Ethernet0
router(config-if)#description ADSL LAN Interface

For the IP address you can use any private range as long as the rest of the NAT setup (access-list 10 below) matches it. The format is the IP address followed by the subnet mask.
router(config-if)#ip address 10.10.10.1 255.255.255.0
router(config-if)#no ip redirects
router(config-if)#no ip unreachables
router(config-if)#no ip proxy-arp
router(config-if)#ip nat inside
router(config-if)#no ip mroute-cache
router(config-if)#no cdp enable
router(config-if)#exit

At this point you're done with the actual LAN/WAN setup. The next steps are just to add a few more parts to get everything working.

8. NAT, CDP, and IP Routing

We add our access-list for NAT:
router(config)#access-list 10 permit 10.10.10.0 0.0.0.255

disable CDP:
router(config)#no cdp run

and add our NAT source list.
router(config)#ip nat inside source list 10 interface Dialer1 overload

Enable classless routing (the default on IOS 11.3 and later, but harmless to set explicitly)
router(config)#ip classless


9. Default Gateway and DNS

The final step is to add the default route to the Internet, and there are two ways to do it. The preferred way is to let the PPP (IPCP) negotiation supply the default gateway. To do so, enter the following commands.
router(config)#interface Dialer1
router(config-if)#shutdown
router(config-if)#ppp ipcp route default
router(config-if)#no shutdown
router(config-if)#exit

On some IOS images the ppp ipcp command is unfortunately not supported. When that applies to you, either upgrade to an IOS image that supports it or use the following static route instead.
router(config)#ip route 0.0.0.0 0.0.0.0 Dialer1

When your IOS image does support the ppp ipcp command, the following two commands are suggested under the Dialer1 interface in addition to ppp ipcp route default.
ppp ipcp dns request accept
ppp ipcp address accept

They make the router request and accept the ISP's DNS server addresses and the WAN IP address through IPCP. Neither is strictly required: the router still routes traffic without them.
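As an added illustration of what those two commands negotiate (example code written for this FAQ page, not Cisco's implementation and not part of the original walkthrough), the decoder below parses IPCP packets per RFC 1332 (IP-Address, option 3) and RFC 1877 (DNS options 129 and 131) and applies a Configure-Nak the way the client does: it asks with 0.0.0.0 placeholders, the ISP Naks back the real values, and the client re-requests with them. The exchange is constructed here, reusing the addresses that appear in the 827 sample config later on this page; identifiers and helper names are the example's own. It also rejects malformed option lengths, which is the first thing to check in any parser that reads attacker-influenced length fields.

```python
"""Decode and apply IPCP options (RFC 1332 / RFC 1877).

Added example; not code from the FAQ. The sample packets are constructed here
to mirror the exchange 'debug ppp negotiation' shows for 'ip address negotiated',
'ppp ipcp address accept' and 'ppp ipcp dns request accept'.
"""
import struct
from ipaddress import IPv4Address

IPCP_CODES = {1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak", 4: "Configure-Reject"}
ADDRESS_OPTIONS = {3: "ip-address", 129: "primary-dns", 130: "primary-nbns",
                   131: "secondary-dns", 132: "secondary-nbns"}


def build_ipcp(code, ident, options):
    """Build an IPCP packet from (option_type, dotted_ipv4) pairs: Code, Identifier, Length, options."""
    body = b"".join(struct.pack("!BB4s", otype, 6, IPv4Address(addr).packed)
                    for otype, addr in options)
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_ipcp(packet):
    """Parse an IPCP packet into {'code', 'id', 'options'}; address options become dotted strings.
    Every length field is checked against the buffer, so a malformed packet raises instead of
    reading past the end or looping forever on a zero-length option."""
    if len(packet) < 4:
        raise ValueError("IPCP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("IPCP length field inconsistent with packet size")
    options, offset = {}, 4
    while offset < length:
        if length - offset < 2:
            raise ValueError("truncated option header")
        otype, olen = packet[offset], packet[offset + 1]
        if olen < 2 or offset + olen > length:
            raise ValueError("bad option length")
        data = packet[offset + 2:offset + olen]
        name = ADDRESS_OPTIONS.get(otype)
        if name is not None:
            if olen != 6:
                raise ValueError("address option must carry exactly 4 bytes")
            options[name] = str(IPv4Address(data))
        else:
            options["option-%d" % otype] = data.hex()   # unknown option kept as hex
        offset += olen
    return {"code": IPCP_CODES.get(code, "code-%d" % code), "id": ident, "options": options}


def apply_nak(request, nak):
    """Client side of 'address accept' / 'dns request accept': take the peer's value for every
    option we requested as 0.0.0.0 and build the next Configure-Request carrying those values.
    Returns (learned_values, next_request_bytes). A Nak that is not for our outstanding
    request identifier is rejected (RFC 1661 matches Nak to Request by Identifier)."""
    req, rsp = parse_ipcp(request), parse_ipcp(nak)
    if rsp["code"] != "Configure-Nak" or rsp["id"] != req["id"]:
        raise ValueError("not a Configure-Nak for our request")
    learned = {name: rsp["options"][name] for name, value in req["options"].items()
               if value == "0.0.0.0" and name in rsp["options"]}
    merged = {**req["options"], **learned}
    name_to_type = {v: k for k, v in ADDRESS_OPTIONS.items()}
    resend = build_ipcp(1, (req["id"] + 1) & 0xFF,
                        [(name_to_type[n], a) for n, a in merged.items() if n in name_to_type])
    return learned, resend


# Constructed sample exchange (identifier 0x2A is arbitrary; addresses are from this page).
CLIENT_REQUEST = build_ipcp(1, 0x2A, [(3, "0.0.0.0"), (129, "0.0.0.0"), (131, "0.0.0.0")])
ISP_NAK = build_ipcp(3, 0x2A, [(3, "69.33.10.11"), (129, "66.80.130.23"), (131, "66.80.131.5")])

if __name__ == "__main__":
    learned, resend = apply_nak(CLIENT_REQUEST, ISP_NAK)
    print("learned from Nak:", learned)
    print("next request:", parse_ipcp(resend))
```

Without ppp ipcp dns request accept the client simply never includes options 129/131 in its Configure-Request, so the ISP has nothing to Nak and you have to configure name servers by hand; that is the whole difference the command makes.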

Side note:
More info regarding IPCP and Dialer interface
»[Config] Configuring an 877W for use on BT Broadband help please

10. Last Touches and Improvements

After setting the default route you should have a basic connection up and running. You will want to add a little more in the way of security: set vty, console and enable passwords (use enable secret rather than enable password, and define a local username for login local), restrict the vty lines to SSH with transport input ssh and an access-class, disable unnecessary services such as the HTTP server and CDP, and add name servers, time servers and an inbound access list on the Dialer interface.
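As an added example of turning that checklist into something you can run against a pasted running-config (example code written for this page, not from the FAQ or from Cisco), the script below parses the flattened config format used throughout this FAQ and reports the management-plane weaknesses the walkthrough warns about. SAMPLE_CONFIG condenses the PPPoE sample configuration above; HARDENED_CONFIG is a constructed counterpart with the same checks satisfied. The check names, the ACL name OUTSIDE_IN and the placeholder credentials are this example's own.

```python
"""Audit an IOS running-config for the 'last touches' this walkthrough leaves to you.

Added example; not code from the FAQ or from Cisco. SAMPLE_CONFIG condenses the
PPPoE sample on this page; HARDENED_CONFIG is a constructed hardened counterpart.
"""

SECTION_STARTS = ("interface ", "line ", "vpdn-group ", "router ", "ip access-list ")


def parse_config(text):
    """Split a config into global lines and {section header: [body lines]}.
    IOS indents section bodies, but configs pasted into forums usually lose the
    indentation, so a section ends at a bare '!' or at the next section header."""
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("!"):
            if line == "!":
                current = None          # bare '!' separates sections
            continue                    # '! text' is a comment
        if line.startswith(SECTION_STARTS):
            current = line
            sections[current] = []
        elif current is None:
            global_lines.append(line)
        else:
            sections[current].append(line)
    return global_lines, sections


def audit(text):
    """Return (check, location) findings; an empty list means every check passed."""
    glob, sections = parse_config(text)
    findings = []

    def has(prefix):
        return any(l.startswith(prefix) for l in glob)

    if has("enable password") and not has("enable secret"):
        findings.append(("enable-password-not-secret", "global"))    # type 7 is reversible
    if not has("service password-encryption"):
        findings.append(("no-service-password-encryption", "global"))
    if "ip http server" in glob:
        findings.append(("http-server-enabled", "global"))
    if not has("no cdp run"):
        findings.append(("cdp-enabled", "global"))
    for header, body in sections.items():
        if header.startswith("line vty"):
            timeout = next((l for l in body if l.startswith("exec-timeout")), None)
            if timeout and all(p == "0" for p in timeout.split()[1:]):
                findings.append(("vty-exec-timeout-disabled", header))   # idle sessions never expire
            if "login local" in body and not has("username "):
                findings.append(("login-local-without-username", header))  # locks you out of the vty
            transport = next((l for l in body if l.startswith("transport input")), None)
            if transport is None or transport.split()[2:] != ["ssh"]:
                findings.append(("vty-transport-not-ssh-only", header))
            if not any(l.startswith("access-class") for l in body):
                findings.append(("vty-no-access-class", header))
        if header.startswith("interface") and "ip nat outside" in body:
            if not any(l.startswith("ip access-group") and l.endswith(" in") for l in body):
                findings.append(("outside-no-inbound-acl", header))
    return findings


SAMPLE_CONFIG = """
service password-encryption
enable password xxxxxxxxxx
!
interface Dialer1
ip address negotiated
ip nat outside
!
no ip http server
no cdp run
!
line con 0
exec-timeout 120 0
line vty 0 4
exec-timeout 0 0
login local
!
"""

HARDENED_CONFIG = """
service password-encryption
enable secret [hashed secret]
username admin privilege 15 secret [password]
ip ssh version 2
!
interface Dialer1
ip address negotiated
ip nat outside
ip access-group OUTSIDE_IN in
!
! body of OUTSIDE_IN is site specific and not shown here
access-list 5 permit 10.10.10.0 0.0.0.255
no ip http server
no cdp run
!
line vty 0 4
access-class 5 in
exec-timeout 10 0
transport input ssh
login local
!
"""
```

Run audit() on a copy of show running-config before you put the router on the line: the sample configuration on this page trips six of the checks, the hardened fragment none.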

Feedback received on this FAQ entry:
  • Excellent. I need some clarification on Cisco 877: 1. Can we configure ADSL without VPN?

    2014-06-14 08:32:17

  • great article..thanx a lot :)

    2012-10-31 08:00:06

  • hi it was a wonderful knowledge that u shared...... keep it up ..... may god bless you and keep you always successful...

    2011-11-13 10:11:39

  • Very thorough! Much appreciated!!

    2011-09-21 17:20:44

  • Very very nice!thank you Mohamad farangisi from iran

    2011-07-30 18:09:59

  • Thanks for that. It got me out of a fix......

    2011-07-27 09:13:57

  • Excellent guide!!! Thanks a lot mate, I really appreciate it. Cheers

    2011-03-09 23:36:41

  • Very nice information regarding WAN ADSL Configuration.

    2010-05-27 01:42:57

  • Thank you very very much. This document is great and helped me configure my Cisco 1841 with external modem. Many thanks, Salman

    2010-05-21 17:01:45

  • Thanks for a very very useful document

    2009-08-28 06:09:52



by amethyst1x, edited by aryoba
last modified: 2014-04-08 10:53:55

OK, first we are going to start with PPP.
Note that this applies to PPP (PPPoA) only; if your ISP uses PPPoE, the 678 cannot act as the PPP client. We will get to that later (bridge mode).

Here is an example configuration for a Cisco 678 DMT.

First we are going to logging in to the command console here are the steps...

1* Connect the cable to the MGNT port on the back of the router and to COM1 on your computer.

2* Open HyperTerminal and create a new connection: 1: name the connection Cisco, 2: ignore the first three fields (country, area code, phone number) and in the fourth, "Connect using", select COM1. Click OK.

3* Set Bits per second to 38400, Data bits 8, Parity None, Stop bits 1, Flow control None. Click OK.

4* Your HyperTerminal session screen will pop up. Hit Enter.

5* "User Access Verification / Password:" is the next thing that appears. If this is a new router hit Enter; otherwise enter the exec password and hit Enter.

6* cbos> appears. Type enable and hit Enter.

7* Enter the enable password and hit Enter, or just hit Enter on a new router.

8* cbos# appears. You are now in "Enable" mode and can set up your DSL router!

Here is a list of commands that will get you up and running if your ISP set you up with a dynamic IP address.

set nvram erase
write
reboot
Get back into the "enable" mode as you did above.
set password enable ~Make up a password~
set password exec ~Make up a password~ I use the same password I did above, easier to remember
set ppp restart enabled
set ppp wan0-0 ipcp 0.0.0.0
set ppp wan0-0 dns 0.0.0.0
set ppp wan0-0 login ( Supplied by your ISP )
set ppp wan0-0 password ( Supplied by your ISP )
set nat enable
set nat timeout udp 3600 ( for online gaming )
set nat timeout icmp 3600 ( for online gaming )
set dhcp server enable
set int wan0-0 disable
write
set int wan0-0 vpi 0 ( Supplied by your ISP )
set int wan0-0 vci 35 ( Supplied by your ISP )
set int wan0-0 enable
set ppp wan0-0 subnet 0.0.0.0
set web disable ( Code Red Virus Deterrent!)
set web port 8081 ( Code Red Virus Deterrent!)
set web remote 255.255.255.255 ( Code Red Virus Deterrent!)
write
reboot

You are finished! Close Hyper Terminal and you should be able to connect to the Internet!

Note:
On CBOS 2.4.6 and up you do not have to disable the web server, because that vulnerability is addressed.
But for defence in depth you can still disable it ;)
Also, the VPI/VCI varies by ISP, so you may want to call your ISP and ask what their VPI/VCI is. The one posted above is for SBC.

Now here are the steps for PPP if you have a Cisco 678 CAP.

Log in to the command console and get to the cbos# (enable) prompt exactly as in steps 1 to 8 above, then enter:

set nvram erase
write
reboot
Get back into the "enable" mode as you did above.
set password enable ~Make up a password~
set password exec ~Make up a password~ I use the same password I did above, easier to remember
set ppp restart enabled
set ppp wan0-0 ipcp 0.0.0.0
set ppp wan0-0 dns 0.0.0.0
set ppp wan0-0 login ( Supplied by your ISP )
set ppp wan0-0 password ( Supplied by your ISP )
set nat enable
set nat timeout udp 3600 ( for online gaming )
set nat timeout icmp 3600 ( for online gaming )
set dhcp server enable
set web disable ( Code Red Virus Deterrent!)
set web port 8081 ( Code Red Virus Deterrent!)
set web remote 255.255.255.255 ( Code Red Virus Deterrent!)
write
reboot

You are finished! Close Hyper Terminal and you should be able to connect to the Internet

And you are done :)

Now to bridge mode :)
If your DSL ISP uses PPPoE, bridge mode is the only option with this modem, because the Cisco 678 does not do PPPoE itself.
So you will need a router or hardware firewall behind it to handle the PPPoE session (and hold your ISP credentials).

Log in to the command console and get to the cbos# (enable) prompt exactly as in steps 1 to 8 above, then enter:

set nvram erase
write
reboot
Get back into the "enable" mode as you did above.
set password enable ~Make up a password~
set password exec ~Make up a password~ I use the same password I did above, easier to remember.
set bridging rfc1483 enable
write
reboot
enable
set client dhcp enable (or disable if you're going to do DHCP from the firewall)
write
set int wan0-0 disable
write
set int wan0-0 vpi 0 ( Supplied by your ISP )
set int wan0-0 vci 35 ( Supplied by your ISP )
set int wan0-0 enable
set web disable ( Code Red Virus Deterrent!)
set web port 8081 ( Code Red Virus Deterrent!)
set web remote 255.255.255.255 ( Code Red Virus Deterrent!)
write
reboot

You are finished! Close Hyper Terminal and you should be able to connect to the Internet

These will get you going in no time :)

Good Luck.

by XCOM, edited by aryoba
last modified: 2005-11-12 07:52:15

The following configuration is courtesy of dh_supreme and may be found in its original format in this thread.


set nvram erase
set password exec (whatever password u desire)
write
set ppp wan0-0 dns 0.0.0.0
set ppp wan0-0 ipcp 0.0.0.0
set ppp wan0-0 login (keycode1@msndsl.net here)
set ppp wan0-0 password (keycode2 here)
set dhcp server enable
set nat enable
set int wan0-0 close
set int wan0-0 vpi 0
set int wan0-0 vci 32
set int wan0-0 open
set ppp restart enable
write
reboot

set nat entry delete all
set nat entry add 10.0.0.2 1-22 0.0.0.0 1-22 tcp
set nat entry add 10.0.0.2 1-22 0.0.0.0 1-22 udp
set nat entry add 10.0.0.2 24-65535 0.0.0.0 24-65535 tcp
set nat entry add 10.0.0.2 24-65535 0.0.0.0 24-65535 udp
write
reboot

I set my nat to forward all ports except 23.

I then use the nat in my router to control what ports are open and where they can go.



by Covenant, edited by aryoba
last modified: 2005-11-12 07:52:34

Some references
Cisco DSL Router Configuration and Troubleshooting Guide - PPPoE Online Form
Cisco DSL Router Configuration and Troubleshooting Guide - PPPoE: DSL Router as a PPPoE Client Troubleshooting

Suggested pre-reading:
»Cisco Forum FAQ »Things to expect when setup network for home or small business

For many cable and DSL Internet connections, the ISP tells its customers (subscribers) to configure their router to obtain an IP address using a username and password. In other words, the ISP treats the subscriber's router as a PPP client.

When this is your case, the following sample configuration is a good starting point for configuring the router. If your ISP requires PPPoE for Internet access, the general idea is to configure the router as a PPPoE client to the ISP.

Note that an integrated ADSL modem/router uses an ATM interface as the DSL (WAN) interface to the ISP. ATM framing therefore has to be considered in the modem/router configuration, especially for MTU size, which is discussed later on.

The sample configuration below uses a Cisco 827 with IOS 12.1. Although the example uses an 827, the configuration applies to any router with an ATM/DSL interface towards the ISP and an Ethernet interface for the LAN, including the 877 and an 1841 with a WIC-1ADSL card, though in some instances you may need to adjust it when the router runs an IOS version other than 12.1.

Typical network environment that might utilize following sample router configuration is as follows

* There is no modem in front of the router
* The router has an integrated DSL/ATM modem, which connects to the ISP
* The ISP assigns the router's public IP address via PPPoE
* There is NAT/PAT in place on the router to translate internal IP addresses to the ISP-provided Public IP address

This sample configuration applies to a modem/router combo setup as you may notice. If your setup is having an external modem that your router connects to, then following FAQ is suggested.
»Cisco Forum FAQ »Quick Guide of Configuring Cisco router for PPPoE using external modem

This sample router configuration assumes the followings

* The Ameritech (SBC/AT&T) as the ISP uses 0/35 as the VPI/VCI which may not reflect your ISP VPI/VCI value. Confirm with your ISP regarding the value.
* Internal private IP subnet (for hosts behind the router): 10.10.10.0/24
* All of the hosts' gateway would be the router inside interface IP address: 10.10.10.1
* The IP address range of 10.10.10.2-10.10.10.254 would be available for hosts within your LAN
* When all hosts behind the router go out to the Internet, the hosts would be using the router outside interface IP address (which is the ISP-assigned Public IP address)
* The router does not act as a DHCP server, so either every host needs a static IP address or a separate DHCP server assigns addresses to the hosts
* The outside interface IP address is statically assigned in addition to the PPP configuration. If your ISP assigns the address dynamically, use the ip address negotiated command instead. See the notes below for this specific case.

Notes:

* This sample configuration assumes that you have a Static Public IP address services from the ISP. This static Public IP address is noted on the ip address 69.33.10.11 255.255.255.0 command under the interface Dialer1 configuration
* When you have Dynamic Public IP address services from your ISP, then you should not have ip address 69.33.10.11 255.255.255.0 command under the interface Dialer1 configuration and ip route 0.0.0.0 0.0.0.0 [ISP DEFAULT GATEWAY IP ADDRESS] command under the global configuration. Instead you implement ip address negotiated and ppp ipcp route default commands under the interface Dialer1 configuration

The sample configuration then should look like the following from the interface Dialer1 down to the end

interface Dialer1
ip address negotiated
ip mtu 1492
encapsulation ppp
ip nat outside
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname ppp-username@megapathdsl.net
ppp chap password 7 Encrypted password
ppp pap sent-username ppp-username@megapathdsl.net password 7 encrypted password
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
!
ip classless
no ip http server
ip nat inside source list 10 interface Dialer1 overload
!
dialer-list 1 protocol ip permit
!
access-list 10 permit 10.10.10.0 0.0.0.255
line con 0
password 7 XXXXXXXXX
transport input none
stopbits 1
line vty 0 4
exec-timeout 30 0
password 7 XXXXXXXXX
login
length 0
!
scheduler max-task-time 5000
end
 

* Note that the ppp ipcp route default command might not be supported on some IOS images. When this is your case, then you either upgrade the router IOS image or implement ip route 0.0.0.0 0.0.0.0 Dialer1 command under the global configuration as a replacement

More info about IPCP and Dialer interface
»[Config] Configuring an 877W for use on BT Broadband help please

Without upgrading the IOS image, the sample configuration then should look like the following from the interface Dialer1 down to the end

interface Dialer1
ip address negotiated
ip mtu 1492
encapsulation ppp
ip nat outside
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname ppp-username@megapathdsl.net
ppp chap password 7 Encrypted password
ppp pap sent-username ppp-username@megapathdsl.net password 7 encrypted password
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
ip nat inside source list 10 interface Dialer1 overload
!
dialer-list 1 protocol ip permit
!
access-list 10 permit 10.10.10.0 0.0.0.255
line con 0
password 7 XXXXXXXXX
transport input none
stopbits 1
line vty 0 4
exec-timeout 30 0
password 7 XXXXXXXXX
login
length 0
!
scheduler max-task-time 5000
end
 

* Some Static Public IP address services do require ip address negotiated command under the interface Dialer1 configuration and ip route 0.0.0.0 0.0.0.0 Dialer1 command under the global configuration to make it work. Check out the following FAQ for details

»Cisco Forum FAQ »Between DHCP, PPP, Dynamic, and Static IP Address

MTU Size regarding PPPoE over ATM/DSL

This FAQ provides a guaranteed working config for anyone using any ADSL PPPoE connectivity types such as Ameritech ADSL for their circuit provider and Megapath.net for ISP. It took two calls to Cisco and weeks of fighting with ISP tech support, but there was a valuable lesson learned about ADSL PPPoE specifically.

In case you are unaware, the default Ethernet MTU is 1500 bytes. The Dialer interface runs PPPoE (PPP over Ethernet) and therefore has to fit within that Ethernet MTU. Since PPPoE adds 8 bytes of overhead (a 6-byte PPPoE header plus the 2-byte PPP protocol field), the IP MTU on the Dialer interface should be 1492. The other key is the ip tcp adjust-mss command, which rewrites the TCP MSS in SYN packets crossing the interface it is applied to, either on the inside Ethernet interface (as in the config below) or on the Dialer interface.

You will find many different suggestions and recommendations out there. Some say 1492 or 1460 for the Dialer interface MTU, some even 1452. Keep MTU and MSS apart: the MSS is the largest TCP payload inside a packet, which is MTU minus the 20-byte IPv4 header and the 20-byte TCP header. A normal 1500-byte Ethernet MTU gives an MSS of 1460; with PPPoE the MTU drops to 1492 and the MSS to 1452, which is pretty much the standard value for DSL with a PPPoE transport.

Following is from the mouth of Cisco, "If you have ADSL running PPPoE and run into problems resolving DNS, adjust your MTU on your ethernet interface using the ip tcp adjust-mss 1452 command. This is because PPPoE requires more bits in the header packet than any other type of circuit."

The last bit of optimization is more subtle and is a debatable topic. PPPoE traffic over DSL is carried in ATM cells, so it has to be chopped up before transmission. An ATM cell is 53 bytes with a 5-byte header, leaving 48 bytes of payload. Splitting 1452 bytes of TCP payload across 48-byte cells gives 30.25 cells: 30 full cells plus a 12-byte remainder that needs a 31st cell, and since cells are always 53 bytes, that last cell carries 36 bytes of padding. Dropping the MSS to 1440 (exactly 30 cells) is the usual argument for eliminating that waste. The caveat is that this count only looks at the TCP payload: what actually goes into AAL5 is the whole packet, including the TCP, IP and PPPoE headers, the Ethernet and LLC/SNAP headers when PPPoE is bridged over the PVC, and the 8-byte AAL5 trailer, so the real cell boundary falls elsewhere and 1440 is not automatically better than 1452.

Adjusting MTU size was news to a lot of people, but the minute we did it all general connectivity problems were fixed. With this in mind, note that MTU size should not be too big in order to avoid general connectivity issue. Similarly MTU size should not be too small in order to avoid ineffective traffic flow. Feel free to experiment to set MTU size to either 1452 or 1440 to see which size brings you the most suitable result.
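To put numbers on the two MTU discussions on this page (walkthrough steps 5 and 6 above, and this section), here is a small added Python example, not code from the FAQ. It assumes the standard header sizes (IPv4 and TCP headers of 20 bytes each without options, 8 bytes of PPPoE overhead, an 8-byte AAL5 trailer) and, for the "real" cell count, PPPoE bridged over the PVC with the default aal5snap encapsulation (14-byte Ethernet header plus the 10-byte RFC 2684 bridged LLC/SNAP header). It reproduces the 31-cells-with-36-bytes-of-padding figure for an MSS of 1452 and then shows that once the headers are counted, 1440 and 1452 need the same number of cells.

```python
"""PPPoE MTU/MSS arithmetic and ATM cell packing.

Added example for the MTU discussion on this page; not code from the FAQ.
Header sizes are the standard ones; the bridged LLC/SNAP case is an assumption
matching 'protocol pppoe' on a PVC with the default aal5snap encapsulation.
"""

ETH_MTU = 1500            # default Ethernet MTU
PPPOE_OVERHEAD = 8        # 6-byte PPPoE header + 2-byte PPP protocol field
IP_HDR = 20               # IPv4 header without options
TCP_HDR = 20              # TCP header without options
ETH_HDR = 14              # Ethernet header carried inside the AAL5 PDU when bridged
LLC_SNAP_BRIDGED = 10     # RFC 2684 LLC/SNAP header for bridged Ethernet (aal5snap)
AAL5_TRAILER = 8          # AAL5 CPCS trailer
ATM_CELL_PAYLOAD = 48     # 53-byte cell minus 5-byte header


def pppoe_mtu(link_mtu=ETH_MTU):
    """IP MTU for a PPPoE Dialer interface: link MTU minus PPPoE overhead (1492 on Ethernet)."""
    return link_mtu - PPPOE_OVERHEAD


def mss_for_mtu(mtu):
    """Largest TCP payload that fits one packet of the given IP MTU (1452 for 1492, 1460 for 1500)."""
    return mtu - IP_HDR - TCP_HDR


def payload_only_cells(mss):
    """The FAQ's simplified count: spread only the TCP payload over 48-byte cells.
    Returns (cells, padding bytes in the last cell)."""
    cells = -(-mss // ATM_CELL_PAYLOAD)          # ceiling division
    return cells, cells * ATM_CELL_PAYLOAD - mss


def aal5_cells(mss, bridged=True):
    """Cells actually needed for one full-size segment. The AAL5 PDU is the whole packet:
    TCP + IP + PPPoE headers, plus Ethernet and LLC/SNAP headers when PPPoE is bridged over
    the PVC, plus the AAL5 trailer. Returns (cells, padding bytes in the last cell)."""
    pdu = mss + TCP_HDR + IP_HDR + PPPOE_OVERHEAD
    if bridged:
        pdu += ETH_HDR + LLC_SNAP_BRIDGED
    pdu += AAL5_TRAILER
    cells = -(-pdu // ATM_CELL_PAYLOAD)
    return cells, cells * ATM_CELL_PAYLOAD - pdu


def compare(candidates=(1460, 1452, 1440)):
    """One row per candidate MSS: the IP MTU it needs, whether that fits a 1492 PPPoE MTU,
    the FAQ's payload-only cell count and the real AAL5 cell count."""
    rows = []
    for mss in candidates:
        needs = mss + IP_HDR + TCP_HDR
        rows.append({"mss": mss, "needs_mtu": needs, "fits_pppoe": needs <= pppoe_mtu(),
                     "payload_only_cells": payload_only_cells(mss), "aal5_cells": aal5_cells(mss)})
    return rows


if __name__ == "__main__":
    for row in compare():
        print(row)
```

Compare the payload_only_cells and aal5_cells columns: the argument for 1440 only holds when the headers are ignored, and an MSS of 1460 does not fit a PPPoE link at all without fragmentation, which is exactly what ip tcp adjust-mss prevents. On a real line, measure with both values rather than trusting either arithmetic.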

MTU Discussion
»Best IOS for 1801W

So with that in mind, here is a 100% working config from my 827 ADSL router. Hope this lesson I learned helps someone out in the future!!!!

SAMPLE CONFIGURATION

1. Earlier IOS Version

Router#sh run
Building configuration...
 
Current configuration : 2593 bytes
!
version 12.1
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
ip subnet-zero
no ip finger
ip name-server 66.80.130.23
ip name-server 66.80.131.5
!
no ip dhcp-client network-discovery
vpdn enable
no vpdn logging
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
!
!
!
interface Ethernet0
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip tcp adjust-mss 1452 
no ip mroute-cache
!
interface ATM0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
hold-queue 224 in
!
interface ATM0.35 point-to-point
pvc 0/35
protocol pppoe
pppoe-client dial-pool-number 1
!
!
!
interface Dialer1
ip address 69.33.10.11 255.255.255.0
ip mtu 1492
encapsulation ppp
ip nat outside
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname ppp-username@megapathdsl.net
ppp chap password 7 Encrypted password
ppp pap sent-username ppp-username@megapathdsl.net password 7 encrypted password
!
ip classless
ip route 0.0.0.0 0.0.0.0 69.33.10.1
no ip http server
ip nat inside source list 10 interface Dialer1 overload
!
dialer-list 1 protocol ip permit
!
access-list 10 permit 10.10.10.0 0.0.0.255
line con 0
password 7 XXXXXXXXX
transport input none
stopbits 1
line vty 0 4
exec-timeout 30 0
password 7 XXXXXXXXX
login
length 0
!
scheduler max-task-time 5000
end
 


Thanks to sanchito75 See Profile for this post leading to this FAQ.

2. IOS Version 12.4

Note:
All PPPoE-related commands from the earlier IOS version are still accepted on IOS 12.4. However, only some of them appear in the show running-config output, because in IOS 12.4 some PPPoE commands are no longer needed (compare the two configurations: the vpdn-group block and the protocol pppoe line under the PVC are gone, while vpdn enable and pppoe-client dial-pool-number 1 remain). Following is the final result of entering the earlier-IOS PPPoE commands on a router running an IOS 12.4 image.

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime year
service timestamps log datetime msec localtime year
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 *******
!
no aaa new-model
!
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
vpdn enable
!
!
interface FastEthernet0/0
 description To Layer-2 Switch
 ip address 10.10.10.1 255.255.255.240
 ip nat inside
 duplex auto
 speed auto
 no cdp enable
 hold-queue 32 in
 hold-queue 100 out
!
interface ATM0/0
 description ADSL To SBC
 no ip address
 ip route-cache flow
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0/0.35 point-to-point
 description SBC VPI/VCI = 0/35
 no snmp trap link-status
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
!
interface Dialer1
 description To SBC
 ip address negotiated
 no ip redirects
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 2
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname *******
 ppp chap password 7 *******
 ppp pap sent-username ****** password 7 ******
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
!
ip nat inside source list 10 interface Dialer1 overload
!
access-list 10 permit 10.0.0.0 0.255.255.255
dialer-list 2 protocol ip permit
!
line con 0
line aux 0
line vty 0 4
 access-class 10 in
!
scheduler max-task-time 5000
ntp clock-period 17208407
ntp source Dialer1
ntp server 192.5.41.41 prefer
ntp server 192.5.41.209
!
end
 

Tips:
To find out the DNS IP addresses your ISP hands out (the ones you then accept with ppp ipcp dns request accept), run the debug ppp packet and terminal monitor commands and watch the scrolling lines while the Dialer comes up, especially the IPCP lines carrying the router's IP address and the primary and secondary DNS addresses. debug ppp negotiation shows the same IPCP option exchange with far less noise than debug ppp packet, and is the better choice on a busy router. Once you have noted the DNS addresses, stop the debug and monitoring with undebug ppp packet (or undebug all) and terminal no monitor.



by nozero See Profile edited by aryoba See Profile
last modified: 2014-04-08 10:35:53

Suggested prerequisite reading:
»Cisco Forum FAQ »Things to expect when setup network for home or small business

For many cable and DSL Internet connections, the ISP tells its subscribers to set their router to receive an IP address automatically using a username and password. In other words, the ISP treats the subscriber's router as a PPP client.

When this is your case, the following sample configuration is a good starting point for configuring the firewall. A typical network environment that would use the following sample PIX/ASA configuration is as follows:

* There is a modem in front of the PIX/ASA, and the modem connects to the ISP
* The ISP provides a public IP address to the PIX/ASA via PPPoE
* NAT/PAT is in place on the PIX/ASA to translate internal IP addresses to the ISP-provided public IP address
* The PIX/ASA also acts as the DHCP server for the local LAN, providing dynamic IP information to the hosts behind it

This sample PIX/ASA configuration assumes the following:

* Internal private IP subnet (for hosts behind the PIX/ASA): 10.0.0.0/24
* All hosts use the PIX/ASA inside interface IP address as their gateway: 10.0.0.1
* The IP address range 10.0.0.30-10.0.0.254 is available to the DHCP pool
* The IP address range 10.0.0.2-10.0.0.29 is consequently left free for statically-assigned hosts
* DHCP clients also receive the DNS server addresses 68.87.64.196 and 68.87.66.196 as part of the dynamically assigned IP information
* When hosts behind the PIX/ASA go out to the Internet, they use the PIX/ASA outside interface IP address (the ISP-assigned public IP address)
* Only the ICMP replies needed for ping, traceroute and path MTU discovery (echo reply, unreachable including "fragmentation needed", and time exceeded; ICMP types 0, 3 and 11) are permitted in from the Internet; no other unsolicited inbound traffic is allowed

SAMPLE CONFIGURATION

1. PIX

OS Version 6.3

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname PIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group icmp-type ICMP-INBOUND
description Permit necessary inbound ICMP traffic
icmp-object 0
icmp-object 3
icmp-object 11
access-list INBOUND permit icmp any any object-group ICMP-INBOUND
pager lines 24
mtu outside 1492
mtu inside 1500
ip address outside pppoe setroute
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group INBOUND in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.0.0.2 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname [ENTER ISP USERNAME HERE]
vpdn group pppoex ppp authentication chap (or PAP, depends on your ISP settings)
vpdn username [ENTER ISP USERNAME HERE] password [ENTER ISP PASSWORD HERE]
dhcpd address 10.0.0.30-10.0.0.254 inside
dhcpd dns 68.87.64.196 68.87.66.196
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
 

2. PIX/ASA

OS version 7.x to 8.2

hostname ASA
domain-name xxxxx
enable password xxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address pppoe setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name xxx.xxx
object-group icmp-type ICMP-INBOUND
description Permit necessary inbound ICMP traffic
icmp-object 0
icmp-object 3
icmp-object 11
access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND
pager lines 24
logging enable
logging console notifications
logging buffered warnings
logging asdm notifications
mtu outside 1492
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group INBOUND in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname [ENTER ISP USERNAME HERE]
vpdn group pppoex ppp authentication chap (or PAP, depends on your ISP settings)
vpdn username [ENTER ISP USERNAME HERE] password [ENTER ISP PASSWORD HERE]
!
dhcpd address 10.0.0.30-10.0.0.254 inside
dhcpd dns 68.87.64.196 68.87.66.196 interface inside
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
webvpn
enable outside
prompt hostname context
 

OS Version 8.3 or later

hostname ASA
domain-name xxxxx
enable password xxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address pppoe setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name xxx.xxx
!
object-group service ICMP-INBOUND
description Permit necessary inbound ICMP traffic
icmp 0
icmp 3
icmp 11
!
access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND
!
pager lines 24
logging enable
logging console notifications
logging buffered warnings
logging asdm notifications
mtu outside 1492
mtu inside 1500
no asdm history enable
!
object network OBJ_GENERIC_ALL 
 subnet 0.0.0.0 0.0.0.0
 
nat (inside,outside) source dynamic OBJ_GENERIC_ALL interface
!
access-group INBOUND in interface outside
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname [ENTER ISP USERNAME HERE]
vpdn group pppoex ppp authentication chap (or PAP, depends on your ISP settings)
vpdn username [ENTER ISP USERNAME HERE] password [ENTER ISP PASSWORD HERE]
!
dhcpd address 10.0.0.30-10.0.0.254 inside
dhcpd dns 68.87.64.196 68.87.66.196 interface inside
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
webvpn
enable outside
prompt hostname context
 

MTU Setting Notes:
* A typical Ethernet connection uses a 1500-byte MTU
* PPPoE adds 8 bytes of overhead, therefore only 1492 bytes of MTU are left for data
* The PPPoE process takes place on the outside interface, where the PIX/ASA connects to the ISP
* There is just a regular Ethernet connection on the inside interface, where the PIX/ASA connects to the inside LAN
* The 1492-byte MTU should only be set on the outside interface; keep the 1500-byte MTU on the inside interface

Field Notices:
* A PIX 501 firewall running version 6.3 refuses to accept the "ip address ... pppoe" command if the outside interface has been named anything other than "outside" (e.g. "ext"). To execute this command, rename the interface to "outside" (with the "nameif" command) and then issue the "ip address outside pppoe" command

Security Notes:
* The PIX 6.3 sample keeps the default SNMP community string ("snmp-server community public"). Set a non-default string, or leave SNMP unconfigured, before the outside interface goes live
* The 7.x-8.2 and 8.3+ samples end with "webvpn" / "enable outside", which starts the SSL VPN portal (TCP 443) on the Internet-facing interface. Remove it unless you actually use WebVPN/AnyConnect
* The PIX 6.3 sample allows telnet and PDM (HTTP) only from 10.0.0.2 on the inside. The ASA samples set "aaa authentication ssh console LOCAL" but define neither a local username nor an "ssh <address> <mask> inside" statement, so add both before relying on SSH for management
* The INBOUND access list admits only ICMP types 0, 3 and 11; no TCP or UDP port is opened from the outside, which is the intended state for a NAT-only edge. Any inbound port forward you add later must be matched by an explicit entry in that access list

by aryoba See Profile
last modified: 2014-02-24 14:23:00

Some references
PPPoA Baseline Architecture
Cisco DSL Router Configuration and Troubleshooting Guide - PPPoA Online Form
Cisco DSL Router Configuration and Troubleshooting Guide - PPPoE Online Form
Cisco DSL Router Configuration and Troubleshooting Guide - PPPoE: DSL Router as a PPPoE Client Troubleshooting

Note: the steps here are only for the purpose of getting connected to your ISP; security hardening and other features are not included. Items shown in [square brackets] are where you enter your own details, so edit them for your use.

PPPoA

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#no ip http server
Router(config)#interface ethernet 0
Router(config-if)#ip address 10.10.10.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface dialer 0

If you are assigned a static IP by your ISP, then follow this command
Router(config-if)#ip address [YOUR IP ADDRESS ASSIGNED BY ISP] [SUBNET MASK]

If you are assigned a dynamic IP address by your ISP, then follow this command
Router(config-if)#ip address negotiated

Continue with the rest of the commands
Router(config-if)#ip nat outside
Router(config-if)#encapsulation ppp
Router(config-if)#dialer pool 1
Router(config-if)#ppp pap sent-username [ISP USERNAME] password [ISP PASSWORD]
Router(config-if)#exit

Enter the PVC (VPI/VCI) your ISP gave you; common values are 0/35, 0/38 or 8/35, so confirm with the ISP
Router(config)#interface atm 0
Router(config-if)#no shutdown
Router(config-if)#pvc [VPI/VCI]
Router(config-if-atm-vc)#encapsulation aal5mux ppp dialer
Router(config-if-atm-vc)#dialer pool-member 1
Router(config-if-atm-vc)#exit
Router(config-if)#exit
Router(config)#ip nat inside source list 1 interface dialer 0 overload

If you are assigned a static IP by your ISP, then follow this command
Router(config)#ip route 0.0.0.0 0.0.0.0 [ISP GATEWAY IP ADDRESS]

If you are assigned a dynamic IP address by your ISP, then follow this command
Router(config)#ip route 0.0.0.0 0.0.0.0 dialer 0

Continue with the rest of the commands
Router(config)#access-list 1 permit 10.10.10.0 0.0.0.255
Router(config)#exit
Router#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Router#


PPPoE

Configuration for PPPoE with NAT
Note: the steps here are only for the purpose of getting connected to your ISP; security hardening and other features are not included. Items shown in [square brackets] are where you enter your own details.

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#no ip http server
Router(config)#vpdn enable
Router(config)#vpdn-group pppoe
Router(config-vpdn)#request-dialin
Router(config-vpdn-req-in)#protocol pppoe
Router(config-vpdn-req-in)#exit
Router(config-vpdn)#exit
Router(config)#interface ethernet0
Router(config-if)#ip address 10.10.10.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#ip tcp adjust-mss 1452
Router(config-if)#no shutdown
Router(config-if)#exit

Enter the PVC (VPI/VCI) your ISP gave you; common values are 0/35, 0/38 or 8/35, so confirm with the ISP
Router(config)#interface atm0
Router(config-if)#no shutdown
Router(config-if)#pvc [VPI/VCI]
Router(config-if-atm-vc)#protocol pppoe
Router(config-if-atm-vc)#pppoe-client dial-pool-number 1
Router(config-if-atm-vc)#exit
Router(config-if)#exit
Router(config)#interface dialer 1

If you are assigned a static IP by your ISP, then follow this command
Router(config-if)#ip address [YOUR IP ADDRESS ASSIGNED BY ISP] [SUBNET MASK]

If you are assigned a dynamic IP address by your ISP, then follow this command
Router(config-if)#ip address negotiated

Continue with the rest of the commands
Router(config-if)#ip mtu 1492
Router(config-if)#ip nat outside
Router(config-if)#encapsulation ppp
Router(config-if)#dialer pool 1
Router(config-if)#dialer-group 1
Router(config-if)#ppp authentication pap callin
Router(config-if)#ppp pap sent-username [ISP USERNAME] password [ISP PASSWORD]
Router(config-if)#exit
Router(config)#dialer-list 1 protocol ip permit
Router(config)#ip nat inside source list 1 interface dialer 1 overload
Router(config)#ip classless

If you are assigned a static IP by your ISP, then follow this command
Router(config)#ip route 0.0.0.0 0.0.0.0 [ISP GATEWAY IP ADDRESS]

If you are assigned a dynamic IP address by your ISP, then follow this command
Router(config)#ip route 0.0.0.0 0.0.0.0 dialer 1

Continue with the rest of the commands
Router(config)#access-list 1 permit 10.10.10.0 0.0.0.255
Router(config)#exit
Router#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Router#

This FAQ provided by member sanchito75 See Profile

by nozero See Profile edited by aryoba See Profile
last modified: 2012-09-12 09:13:20

Suggested prerequisite reading:
»Cisco Forum FAQ »Things to expect when setup network for home or small business

Here is a working configuration for a Cisco 1720 router as a PPPoA client to a UK ADSL ISP. The 1720 is fitted with 48MB DRAM/16MB FLASH and runs IOS 12.3(1).

It also has, obviously, a WIC-1ADSL module and a WIC-2T (not currently used).

The configuration also includes an example of how to build three GRE tunnels to remote sites and how to synchronize the router clock with an NTP time source.

I hope someone will find this of use.

!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco1720
!
enable password 7 xxxxxxxx
!
username xxxxxxx@dslgateb.xxxxxxxx.co.uk password 7 xxxxxxxx
username xxxxxxx password 7 xxxxxxx
memory-size iomem 25
ip subnet-zero
!
!
ip name-server 193.xxx.xxx.xxx
ip name-server 194.xxx.xxx.xxx
ip name-server 194.xxx.xxx.xxx
!
ip cef
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
xsm
xsm vdm
xsm edm
xsm history vdm
xsm history edm
!
interface Loopback0
description +++ Always Up Interface +++
ip address 10.10.10.10 255.255.255.255
!
interface Tunnel0
description +++ IP GRE VPN TO Office1 +++
ip address 192.168.xxx.2 255.255.255.252
tunnel source 213.xxx.xxx.76
tunnel destination 213.xxx.xxx.114
tunnel key 123abc
!
interface Tunnel1
description ++++ IP GRE VPN To Office2 ++++
ip address 192.168.xxx.9 255.255.255.252
tunnel source 213.xxx.xxx.76
tunnel destination 213.xxx.xxx.113
tunnel key 123abc
!
interface Tunnel2
description ++++ IP GRE VPN To Office3 ++++
ip address 192.xxx.xxx.13 255.255.255.252
tunnel source 213.xxx.xxx.76
tunnel destination 80.xxx.xxx.xxx
tunnel key 123abc
!
interface ATM0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
hold-queue 224 in
!
interface FastEthernet0
description +++ Connection To LAN +++
ip address 192.168.30.1 255.255.255.0
ip nat inside
speed auto
full-duplex
!
interface Serial0
no ip address
shutdown
no fair-queue
!
interface Serial1
no ip address
shutdown
!
interface Dialer0
description +++ Connection To ISP ADSL +++
ip address 213.xxx.xxx.76 255.255.255.0
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxxxx@dslgateb.xxxxxxx.co.uk
ppp chap password 7 xxxxxxxx
ppp pap sent-username xxxxxxx@dslgateb.xxxxxxx.co.uk password 7 xxxxxxx
!
router eigrp 1
redistribute connected
network 10.0.0.0
network 192.168.xxx.0
network 192.168.xxx.0
network 213.xxx.xxx.0
no auto-summary
!
ip nat inside source list 1 interface Dialer0 overload
! The next two statements forward TCP 443 and TCP 23 from the ISP-facing
! address to Loopback0 (10.10.10.10), i.e. to this router's own HTTPS and
! telnet management, so the router login is reachable from the Internet.
! Restrict or remove them unless that is intended.
ip nat inside source static tcp 10.10.10.10 443 interface Dialer0 443
ip nat inside source static tcp 10.10.10.10 23 interface Dialer0 23
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http secure-server
!
!
access-list 1 permit any
!
banner motd ^C

****************************
* WARNING BANNER *
****************************

WARNING - authorized users only

The owner and any subsidiary companies, has proprietary rights
over this system and data. Unauthorized access is unlawful and may
result in disciplinary action and/or legal proceedings.

Access to this system is monitored.
^C
!
line con 0
line aux 0
line vty 0 4
exec-timeout 60 0
password 7 xxxxxxx
login local
transport input telnet
!
ntp clock-period 17179651
ntp server 128.2.129.21
!
end

Cisco1720#

by Domwilko See Profile edited by aryoba See Profile
last modified: 2007-12-31 09:25:23

Some references
PPPoA Baseline Architecture
Cisco DSL Router Configuration and Troubleshooting Guide - PPPoA Online Form

The sample configuration provided in this FAQ should work with any Cisco router with an integrated ADSL modem running PPPoA, such as the 827, 837, 857, 877 and so on.

Since the configuration comes from a customer of the UK ISP Zen, some parameters (e.g. the VPI/VCI or PVC value) might not work for your ISP. Following are some known ISP parameters, which may change at any time.

Orange
VPI/VCI pair 8/35
PPPoA service, with provided username and password
PPP authentication method is either PAP or CHAP

As with any ISP connection using ADSL, please confirm the ISP DSL signaling and VPI/VCI values.

version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname adsl-router
!
boot-start-marker
boot-end-marker
!
logging buffered 16256 debugging
logging rate-limit 15
enable secret 5 xxx
!
clock timezone GMT 0
clock summer-time BST recurring 3 Sat Mar 1:00 last Sun Oct 2:00
no aaa new-model
!
!
ip subnet-zero
no ip source-route
ip cef
!
!
!
!
no ip bootp server
!
!
interface ATM0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
!
interface FastEthernet0/0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 speed 100
 full-duplex
 ip nat inside
!
interface Dialer1
 description WIC1-ADSL Dialer to Zen
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 2
 dialer idle-timeout 0
 no cdp enable
 ppp chap hostname zenxxx@zen
 ppp chap password 7 xxx
 ppp pap sent-username zenxxx@zen password 7 xxx
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
!
!
!
ip nat inside source list 1 interface Dialer1 overload
no ip http server
no ip http secure-server
ip classless
!
!
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
dialer-list 2 protocol ip permit
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
 

More Sample Configuration

Official Cisco documentation
Configuring a Cisco 827 Router Using PPPoA With CHAP and PAP

Some discussions

»Anyone successfully using a Cisco 877 with Qwest?
»[Config] Configuring an 877W for use on BT Broadband help please

Tips:
To find out the DNS IP addresses your ISP hands out (the ones you then accept with ppp ipcp dns request accept), run the debug ppp packet and terminal monitor commands and watch the scrolling lines while the Dialer comes up, especially the IPCP lines carrying the router's IP address and the primary and secondary DNS addresses. debug ppp negotiation shows the same IPCP option exchange with far less noise than debug ppp packet, and is the better choice on a busy router. Once you have noted the DNS addresses, stop the debug and monitoring with undebug ppp packet (or undebug all) and terminal no monitor.

by aryoba See Profile
last modified: 2014-05-08 14:56:24

Some references
PPPoA Baseline Architecture
Cisco DSL Router Configuration and Troubleshooting Guide - PPPoA Online Form

Please note this is taken from the Cisco website and can be found in its original form at Cisco DSL Router - PPPoA with a Dynamic IP Address.

Also note that the comments tagged "!!" are comments added by myself and in no way constitute comments made by Cisco. The person who posted this is not liable for any network problems or any damage caused by configuring a router to the following specification. If in doubt, ask the Cisco forum for advice.

Type exactly as shown (except the comments which are shown with a preceding "!" or "!!")

Substitute the items in () with your own configuration.

!--- Comments contain explanations and additional information (Cisco's original comments).
!!-- Comments contain explanations and additional information added by the poster of this FAQ.

service timestamps debug datetime msec
service timestamps log datetime msec
ip subnet-zero
!
ip dhcp excluded-address (ip address of ethernet0)
ip dhcp pool (dhcp pool name)
network (ip network address of ethernet0) (subnet mask)
default-router (ip address of ethernet0)
dns-server (ip address of dns server)
!
!! The DHCP configuration above is optional and it allows your router to assign
!! ip address within the specified range that you input. If you have a server
!! on the network which will do that, then omit it. Note that within the ip
!! dhcp excluded-address you may also put down the ip address of your switch
!! and other devices which require a static ip address.
!! A network address is the network portion of an IP address, ex. for a class C
!! ip address of 192.168.1.1 it would be 192.168.1.0.
!! Add the DNS servers of your ISP (ring them or check their website to get it)
!! and you may put in a whole list if you so desire as they are sure to have
!! many.

interface ethernet0
no shut
ip address (ip address) (subnet mask)
ip nat inside
no ip directed-broadcast
!
!! The ip nat inside statement (3 lines above this) is optional and it allows
!! the sharing of the dynamic public IP address of the Dialer interface.

interface atm0
no shut
no ip address
no ip directed-broadcast
no ip mroute-cache
pvc (vpi/vci)
encapsulation aal5mux ppp dialer
dialer pool-member 1
!--- Common PVC values supported by ISPs are 0/35 or 8/35.
!--- Confirm your PVC values with your ISP.
!
interface dialer1
ip address negotiated
no ip directed-broadcast
ip nat outside
encapsulation ppp
dialer pool 1
ppp chap hostname (username)
ppp chap password (password)
ppp pap sent-username (username) password (password)
!
!! Again only input the statement ip nat outside (7 lines above this) if you
!! want to configure NAT.

ip nat inside source list 1 interface dialer1 overload
!--- If you have a pool (a range) of public IP addresses provided
!--- by your ISP, you can use a NAT Pool. Replace
!--- ip nat inside source list 1 interface dialer1 overload

!--- with the following two configuration statements:
!--- ip nat inside source list 1 pool (nat pool name) overload
!--- ip nat pool (nat pool name) (first ip address) (last ip address)
!--- netmask (subnet mask)

!--- If Internet users require access to an internal server, you can
!--- add the following static NAT configuration statement:
!--- ip nat inside source static tcp (inside ip address of server) {80 or 25}
!--- (outside well-known ip address of server) {80 or 25} extendable
!--- Note: TCP port 80 (HTTP/web) and TCP port 25 (SMTP/mail) are used
!--- for this example. You can open other TCP or UDP ports, if needed.
!
!! Again use the above 3 paragraphs of configuration statements if you want to
!! configure NAT because your ISP has provided you with additional IP address
!! and if you want users to have access to internal servers (web or email
!! servers).

ip classless
ip route 0.0.0.0 0.0.0.0 dialer1
access-list 1 permit (ip network address of ethernet0) (wildcard mask)
!--- In this configuration, access-list 1 defines a standard access list
!--- permitting the addresses that NAT will translate. For example, if
!--- your private IP network was 10.10.10.0, configuring
!--- access-list 1 permit 10.10.10.0 0.0.0.255 would allow NAT to translate
!--- packets with source addresses between 10.10.10.0 and 10.10.10.255.
!

end

by Covenant See Profile edited by aryoba See Profile
last modified: 2012-09-12 09:10:47

For the splash page for PPPoE:

PPPoE Online Form

There is an online form for you to fill in the details that would be required for you to successfully configure your router. You should be able to get the details required from your ISP.

Once that is done, print it out or make a note of the details and scroll down to the bottom, and click New DSL Configuration.

On the next page, you must choose from the two options, whether your router OR PC will be the PPPoE client.

Click on the relevant link.

Cisco DSL Router is the PPPoE Client

If you click on "The Cisco DSL Router is the PPPoE client", you will be taken to another page, which asks you whether your IP is dynamic or static.

Click on the relevant link and you will be taken to the page that you requested.

If you have not configured a Cisco router before, click on the last word in the sentence. Note that the link here is NOT active; it is only shown so that you can recognize the sentence:

The above link can usually be found in the second paragraph after the hard rule at the top.

The PC is the PPPoE client

If you clicked on "The PC is the PPPoE client", you will be taken to the configuration page straight away.

To access the step-by-step guide, find the link as described above in the "Cisco DSL Router is the PPPoE Client" section.


For the splash page for PPPoA:

PPPoA Online Form

There is an online form for you to fill in the details that would be required for you to successfully configure your router. You should be able to get the details from your ISP.

Once that is done, print it out or make a note of the details and scroll down to the bottom, and click New DSL Configuration.

You will be taken to another page, which asks you whether your IP is dynamic or static.

Click on the relevant link, and it will take you to a sample configuration output.

To access the step-by-step guide, find the link as described above in the "Cisco DSL Router is the PPPoE Client" section.


For the splash page for RFC1483 Bridging:

RFC1483 Bridging Implementations

You must select one of the Bridging options on show before you can proceed further.

RFC1483 Bridging with IRB

There is an online form for you to fill in the details that would be required for you to successfully configure your router. You should be able to get the details from your ISP.

Once that is done, print it out or make a note of the details and scroll down to the bottom, and click New DSL Configuration.

You will be taken to another page, which asks you whether your IP is dynamic or static.

Click on the relevant link, and it will take you to a sample configuration output.

To access the step-by-step guide, find the link as described above in the The Cisco DSL Router is the PPPoE client section.

RFC1483 Pure Bridging

There is an online form for you to fill in the details that would be required for you to successfully configure your router. You should be able to get the details from your ISP.

It will take you to a sample configuration output.

To access the step-by-step guide, find the link as described above in the The Cisco DSL Router is the PPPoE client section.


For the splash page for RFC1483 Routing:

RFC1483 Routing Online Form

The splash page for RFC1483 Routing is the online form for you to fill in the details that would be required for you to successfully configure your router. You should be able to get the details from your ISP.

Once that is done, print it out or make a note of the details and scroll down to the bottom, and click New DSL Configuration.

You will be taken to another page, which asks you whether you are assigned a single IP address or a block of static IP addresses.

Click on the relevant link, and it will take you to a sample configuration output.

To access the step-by-step guide, find the link as described above in the The Cisco DSL Router is the PPPoE client section.


TROUBLESHOOTING:

To troubleshoot your existing configuration, go to the relevant splash screen, where you will find a link called Troubleshooting my existing DSL connection under the link titled New DSL Configuration.

Alternatively, follow the New DSL Configuration link and, when you reach the configuration example output page, scroll down and click on the Troubleshooting ? link, where ? is the name of the configuration example you have chosen.



By: Rhodium_UK and lonebandit


The person(s) who posted this FAQ is/are not liable for any network problems or any damage caused by configuring their router to the following specification. If in doubt, ask the Cisco forum/TAC for any advice.

by Covenant, edited by aryoba
last modified: 2012-09-12 09:14:22

Here is a simple PPPoE configuration I had created for a friend using a Cisco 806. I believe the ISP was Earthlink, but I don't remember for sure.

!
! Last configuration change at 22:55:44 EST Sun Feb 10 2002
! NVRAM config last updated at 22:55:55 EST Sun Feb 10 2002
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname router
!
boot system flash:c806-k9osy6-mz.122-4.YA.bin
!
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
ip dhcp excluded-address 10.1.1.1
!
ip dhcp pool LOCALPOOL
import all
network 10.1.1.0 255.255.255.0
default-router 10.1.1.1
!
ip ssh time-out 120
ip ssh authentication-retries 3
vpdn enable
!
vpdn-group office
request-dialin
protocol pppoe
!
!
!
!
interface Ethernet0
description Inside interface facing private network
ip address 10.1.1.1 255.255.255.0
ip nat inside
! MSS clamp: 1440 per the MTU notes below; 1492 leaves no room for the 40-byte IP/TCP headers
ip tcp adjust-mss 1440
no cdp enable
hold-queue 32 in
hold-queue 100 out
!
interface Ethernet1
description Outside interface talking PPPoE
no ip address
ip nat outside
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username password 7
!
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
ip pim bidir-enable
!
!
access-list 1 permit 10.1.1.0 0.0.0.255 log
access-list 102 permit ip 10.0.0.0 0.255.255.255 any
no cdp run
route-map nonat permit 10
match ip address 102
!
!
line con 0
exec-timeout 120 0
stopbits 1
line vty 0 4
access-class 1 in
exec-timeout 0 0
password 7
login
!
scheduler max-task-time 5000
ntp clock-period 17176001
ntp server
end

Notes

* Setting routes using interface name instead of using Next Hop IP Address

Notice the ip route 0.0.0.0 0.0.0.0 Dialer1 route statement, which uses an interface name to send packets instead of a Next Hop IP address (i.e. ip route 0.0.0.0 0.0.0.0 1.1.1.1).

A dialer interface isn't a multi-access broadcast medium. It is point-to-point, and thus you know exactly where to send the packet: put it on the wire and the single thing on the other end will deal with it. In almost all dialer cases, PPP replaces that route once the link is up. The interface route is there to trigger the dialer, which mattered in the dark days of dial-up; DSL interfaces trigger the dialer as soon as they sync, so the route is unnecessary.

A broadcast medium such as Ethernet is obviously a multi-access domain and is not point-to-point. Using an interface name as the destination for forwarding packets relies on Proxy ARP, which sets up a situation where the router is basically blindly asking "hey, who can get a packet to XXX" and trusting the first thing to answer. Back in the 80's and early 90's, that's the way things were done. The Internet was tiny, and many networks weren't connected.

Doing that today is suicide. The insecurity of such a mechanism should be obvious: whatever answers the ARP request first on that segment receives the traffic. The practical limitation is one of ARP cache lookups, as you will now have an ARP entry for Each. And. Every. Internet. Address. You might not realize just how many hosts you talk to every day. There have been far too many "my internet is slow" complaints from people who have done this.

* MTU Size regarding PPPoE over ATM/DSL

This FAQ provides a guaranteed working config for anyone using ADSL PPPoE connectivity, such as Ameritech ADSL as the circuit provider and Megapath.net as the ISP. It took two calls to Cisco and weeks of fighting with ISP tech support, but there was a valuable lesson learned about ADSL PPPoE specifically.

The MTU on the dialer interface should be 1492, as PPPoE adds an 8-byte encapsulation header. The key is setting ip tcp adjust-mss 1440 on the inside Ethernet interface. You will find many different suggestions and recommendations out there: some say 1492 or 1460, and some even say 1452. An MSS of 1452 is pretty much the standard for DSL with a PPPoE transport. The normal Ethernet MTU is 1500 bytes, but you have to account for the 40 bytes of IP and TCP headers and the 8-byte PPPoE header. That gets you to 1452.

Following is from the mouth of Cisco, "If you have ADSL running PPPoE and run into problems resolving DNS, adjust your MTU on your ethernet interface using the command ip tcp adjust-mss 1452. This is because PPPoE requires more bits in the header packet than any other type of circuit."

The last bit of optimization is a little more subtle and is a debatable topic. As the PPPoE traffic is carried over ATM cells, it has to be chopped up before it can be transmitted. ATM cells are 53 bytes long and have a 5-byte header, so a total of 48 bytes of payload. If you were to take 1452 bytes of data and split it across 48-byte payloads, you would come up with 30.25 cells. The .25 is a 12-byte remainder that would have to be sent in a separate ATM cell. ATM cells are always 53 bytes, so the payload would have to be stuffed with an additional 36 bytes of null data for that last chunk. So to be completely optimized, you would set the MSS to 1440 to eliminate those wasted 36 bytes.

Adjusting the MTU size was news to a lot of people, but the minute we did it all general connectivity problems were fixed. With this in mind, note that the MTU size should not be too big, to avoid general connectivity issues; similarly, it should not be too small, to avoid inefficient traffic flow. Feel free to experiment with an MSS of either 1452 or 1440 to see which size brings you the most suitable result.
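As an added example that is not part of the FAQ, the following Python model carries the ATM-cell arithmetic above through for the commonly suggested MSS values, using the FAQ's simplified accounting (MSS = MTU minus 40 header bytes, 48-byte cell payloads); the function names and the candidate list are my own.

```python
"""ATM cell padding model behind the 1452 vs 1440 MSS argument (added example).

Not the FAQ's code.  It follows the FAQ's simplified accounting: MSS = MTU - 40
bytes of IP/TCP headers, and each TCP segment of MSS bytes is chopped into
48-byte ATM cell payloads.  Real AAL5 framing adds PPPoE/PPP/Ethernet overhead
and an 8-byte trailer on top, so the numbers illustrate the FAQ's reasoning
rather than an exact wire-level calculation.
"""
from typing import Dict, List, Tuple

ATM_CELL_PAYLOAD = 48   # 53-byte cell minus 5-byte header
IP_TCP_HEADERS = 40     # 20-byte IPv4 header + 20-byte TCP header, no options
PPPOE_OVERHEAD = 8      # 6-byte PPPoE header + 2-byte PPP protocol field
ETHERNET_MTU = 1500


def pppoe_mtu(ethernet_mtu: int = ETHERNET_MTU) -> int:
    """MTU to set on the dialer interface: 1492 for standard Ethernet."""
    return ethernet_mtu - PPPOE_OVERHEAD


def mss_for_mtu(mtu: int) -> int:
    """Largest MSS whose segment still fits the given MTU (1452 for 1492)."""
    return mtu - IP_TCP_HEADERS


def atm_cells(payload_bytes: int) -> Tuple[int, int]:
    """Return (cells needed, bytes of null padding in the last cell)."""
    cells = -(-payload_bytes // ATM_CELL_PAYLOAD)        # ceiling division
    return cells, cells * ATM_CELL_PAYLOAD - payload_bytes


def largest_padless_mss(max_mss: int) -> int:
    """Largest MSS <= max_mss that fills whole ATM cells (1440 for 1452)."""
    return max_mss - (max_mss % ATM_CELL_PAYLOAD)


def compare(candidates=(1492, 1460, 1452, 1440)) -> List[Dict[str, int]]:
    """Evaluate the MSS values the FAQ says are commonly recommended."""
    limit = mss_for_mtu(pppoe_mtu())
    rows = []
    for mss in candidates:
        cells, pad = atm_cells(mss)
        rows.append({"mss": mss, "fits_pppoe_mtu": mss <= limit,
                     "cells": cells, "padding": pad})
    return rows


if __name__ == "__main__":
    print("dialer MTU:", pppoe_mtu(), " max MSS:", mss_for_mtu(pppoe_mtu()))
    for row in compare():
        print(row)
    print("cell-aligned MSS:", largest_padless_mss(mss_for_mtu(pppoe_mtu())))
```

The table shows that 1492 and 1460 do not even fit a 1492-byte dialer MTU, 1452 fits but wastes 36 bytes in the last cell, and 1440 fills 30 cells exactly.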

Discussions

»VPN & Frags

by PA23, edited by aryoba
last modified: 2013-03-11 09:29:48

Suggested prerequisite reading:
»Cisco Forum FAQ »Things to expect when setup network for home or small business

For some broadband Internet connections such as cable/DSL, and for business-grade Internet connections using T1/E1 or faster, the ISP instructs its customers (subscribers) to configure a specific IP address on their router. This means that the subscriber's router uses a static IP address to connect to the Internet.

When this is your case, the following sample configuration is a good starting point to help you configure the router. It is a quite secure sample configuration that is running on a 1605r model. However, this sample configuration may be implemented on any router that has at least two Ethernet ports.

This sample configuration really works best with a static IP. The xxx's are your given IP. The yyy's are your given subnet mask. If you have any questions about this, please feel free to contact me at bradley.walter@verizon.net.

A typical network environment that might use the following sample router configuration is as follows:

* There is a modem in front of the router, which the modem connects to the ISP
* ISP is providing Public IP address to the router statically
* There is NAT/PAT in place on the router to translate internal IP addresses to the ISP-provided Public IP address

This sample router configuration assumes the following:

* Internal private IP subnet (for hosts behind the router): 192.168.1.0/24
* All of the hosts' gateway would be the router inside interface IP address: 192.168.1.1
* The IP address range of 192.168.1.2-192.168.1.254 would be available for hosts within your LAN
* When all hosts behind the router go out to the Internet, the hosts would be using the router outside interface IP address (which is the ISP-assigned Public IP address)

SAMPLE CONFIGURATION

foo-gw#show running-config
Building configuration...

Current configuration:
!
version 12.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
!
hostname Router
!
logging buffered 16000 debugging
logging console critical
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
username admin password 7 xxxxxxxxxxxxxxxxxx !sets user login to "admin".
ip subnet-zero
no ip source-route
ip icmp rate-limit unreachable 2000
ip icmp rate-limit unreachable DF 2000
no ip finger
no ip bootp server
no ip domain-lookup
ip domain-name foo.com !change these four lines to fit your needs
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
clock timezone GMT 0
!
!
!
interface Ethernet0
description Connection to internet.
ip address xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy !IP and Subnet
ip access-group 115 in
no ip unreachables
no ip directed-broadcast
no ip proxy-arp
ip nat outside
no ip route-cache
no cdp enable
!
interface Ethernet1
description Connection to Lan.
ip address 192.168.1.1 255.255.255.0
ip access-group 116 in
no ip directed-broadcast
no ip proxy-arp
ip nat inside
no ip route-cache
no cdp enable
!
ip nat inside source list 1 interface Ethernet0 overload
!
!the next three lines are a few port maps showing how to map external ports to internal servers: here, POP3 and SMTP are mapped to the mail server, and HTTP is mapped to the web server.
!
ip nat inside source static tcp 192.168.1.160 110 24.229.10.4 110 extendable
ip nat inside source static tcp 192.168.1.160 25 24.229.10.4 25 extendable
ip nat inside source static tcp 192.168.1.150 80 24.229.10.4 80 extendable
!
ip classless
!use the ISP gateway address as the next hop; a default route pointing at the
!Ethernet interface name would depend on proxy ARP by the ISP gateway
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx !ISP default gateway
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 115 deny ip xxx.xxx.xxx.0 0.0.0.63 any
access-list 115 deny ip host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx
access-list 115 deny ip 127.0.0.0 0.255.255.255 any
access-list 115 deny ip 10.0.0.0 0.255.255.255 any
access-list 115 deny ip 0.0.0.0 0.255.255.255 any
access-list 115 deny ip 172.16.0.0 0.15.255.255 any
access-list 115 deny ip 192.168.0.0 0.0.255.255 any
access-list 115 deny ip 192.0.2.0 0.0.0.255 any
access-list 115 deny ip 169.254.0.0 0.0.255.255 any
access-list 115 deny ip 255.0.0.0 0.255.255.255 any
access-list 115 deny ip 224.0.0.0 15.255.255.255 any
access-list 115 deny ip any host 24.229.10.63
access-list 115 deny ip any host 24.229.10.0
access-list 115 deny tcp any any eq 135
access-list 115 deny tcp any any eq 137
access-list 115 deny tcp any any eq 139
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any eq 1023
access-list 115 deny tcp any any range 1025 1029
access-list 115 deny tcp any any range 1433 1434
access-list 115 deny tcp any any eq 2745
access-list 115 deny tcp any any eq 3127
access-list 115 deny tcp any any eq 5554
access-list 115 deny tcp any any eq 6129
access-list 115 deny tcp any any eq 9898
access-list 115 deny udp any any eq 135
access-list 115 deny udp any any eq netbios-ns
access-list 115 deny udp any any eq netbios-ss
access-list 115 deny udp any any eq 445
access-list 115 deny icmp any any echo
access-list 115 deny icmp any any redirect
access-list 115 deny icmp any any mask-request
access-list 115 permit ip any xxx.xxx.xxx.0 0.0.0.63
access-list 115 permit icmp any xxx.xxx.xxx.0 0.0.0.63
access-list 116 deny ip host 192.168.1.1 host 192.168.1.1
access-list 116 deny ip 10.0.0.0 0.255.255.255 any
access-list 116 deny ip 172.16.0.0 0.15.255.255 any
access-list 116 deny ip 192.0.2.0 0.0.0.255 any
access-list 116 deny ip 169.254.0.0 0.0.255.255 any
access-list 116 deny ip any 10.0.0.0 0.255.255.255
access-list 116 deny ip any 172.16.0.0 0.15.255.255
access-list 116 deny ip any 192.0.2.0 0.0.0.255
access-list 116 deny ip any 169.254.0.0 0.0.255.255
access-list 116 permit icmp 192.168.1.0 0.0.0.255 any echo
access-list 116 permit icmp 192.168.1.0 0.0.0.255 any parameter-problem
access-list 116 permit icmp 192.168.1.0 0.0.0.255 any packet-too-big
access-list 116 permit icmp 192.168.1.0 0.0.0.255 any source-quench
access-list 116 deny icmp 192.168.1.0 0.0.0.255 any
access-list 116 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
banner motd ^C
|-----------------------------------------------------------------|
| This system is for the use of authorized users only. |
| Individuals using this computer system without authority, or in |
| excess of their authority, are subject to having all of their |
| activities on this system monitored and recorded by system |
| personnel. |
| |
| In the course of monitoring individuals improperly using this |
| system, or in the course of system maintenance, the activities |
| of authorized users may also be monitored. |
| |
| Anyone using this system expressly consents to such monitoring |
| and is advised that if such monitoring reveals possible |
| evidence of criminal activity, system personnel may provide the |
| evidence of such monitoring to law enforcement officials. |
|-----------------------------------------------------------------|
^C
!
line con 0
transport input none
line vty 0 4
exec-timeout 30 0
password 7 xxxxxxxxxxxxxxxxxx
transport input telnet
!
end
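As an added example (not the FAQ's or the author's code), here is a small Python evaluator for the ingress ACL 115 style used above. It replays constructed packets through a constructed excerpt of the list, with the xxx.xxx.xxx.0 placeholder filled by the assumed public block 203.0.113.0/26, to show why the ordering matters: spoofed-source denies first, service denies next, one narrow permit, then the implicit deny.

```python
"""First-match evaluator for the ingress ACL 115 style above (added example, not
the FAQ's code).  Parses a constructed excerpt of ACL 115 and replays sample
packets through it to show why order matters: anti-spoofing denies first, service
denies next, one narrow permit, then the implicit deny that ends every Cisco ACL.
Only the syntax forms the sample configuration uses are supported; wildcard masks
are Cisco style, where a 1 bit means "don't care"."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}
ICMP_TYPES = {"echo-reply": 0, "redirect": 5, "echo": 8, "mask-request": 17}

# Constructed excerpt of the FAQ's ACL 115.  The xxx.xxx.xxx.0 placeholder is
# filled with the assumed public block 203.0.113.0/26 (a documentation range).
ACL_115 = """
access-list 115 deny ip 203.0.113.0 0.0.0.63 any
access-list 115 deny ip 127.0.0.0 0.255.255.255 any
access-list 115 deny ip 10.0.0.0 0.255.255.255 any
access-list 115 deny ip 192.168.0.0 0.0.255.255 any
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any range 1433 1434
access-list 115 deny udp any any eq netbios-ns
access-list 115 deny icmp any any echo
access-list 115 permit ip any 203.0.113.0 0.0.0.63
access-list 115 permit icmp any 203.0.113.0 0.0.0.63
"""


@dataclass
class Rule:
    action: str
    proto: str
    src: Tuple[int, int]                      # (address, wildcard mask)
    dst: Tuple[int, int]
    dport: Optional[Tuple[int, int]] = None   # inclusive destination port range
    icmp_type: Optional[int] = None


def _addr(t: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume one address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    if t[i] == "any":
        return (0, MASK32), i + 1
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1]))), i + 2


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_acl(text: str) -> List[Rule]:
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        rule = Rule(action=t[2], proto=t[3], src=src, dst=dst)
        if i < len(t):                        # optional port / ICMP-type qualifier
            if t[i] == "eq":
                rule.dport = (_port(t[i + 1]), _port(t[i + 1]))
            elif t[i] == "range":
                rule.dport = (_port(t[i + 1]), _port(t[i + 2]))
            elif rule.proto == "icmp":
                rule.icmp_type = ICMP_TYPES[t[i]]
        rules.append(rule)
    return rules


def _matches(spec: Tuple[int, int], ip: int) -> bool:
    addr, wild = spec
    return ((addr ^ ip) & ~wild & MASK32) == 0


def evaluate(rules, proto, src, dst, dport=None, icmp_type=None):
    """Return (action, 1-based index of the matching rule); index None means the
    packet fell through every line to the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for n, r in enumerate(rules, 1):
        if r.proto != "ip" and r.proto != proto:
            continue
        if not (_matches(r.src, s) and _matches(r.dst, d)):
            continue
        if r.dport and (dport is None or not r.dport[0] <= dport <= r.dport[1]):
            continue
        if r.icmp_type is not None and icmp_type != r.icmp_type:
            continue
        return r.action, n
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(ACL_115)
    # Constructed packets as seen arriving on the Internet-facing interface.
    for proto, s, d, port, itype in [
        ("tcp", "198.51.100.7", "203.0.113.5", 80, None),    # web to our block
        ("tcp", "10.1.2.3", "203.0.113.5", 80, None),        # spoofed RFC1918 source
        ("icmp", "198.51.100.7", "203.0.113.5", None, 8),    # echo request
        ("tcp", "198.51.100.7", "203.0.113.99", 80, None),   # outside our /26
    ]:
        print(proto, s, "->", d, port if port else f"type {itype}", evaluate(acl, proto, s, d, port, itype))
```

Note the last sample: traffic to an address outside the /26 matches no permit line and is dropped by the implicit deny, which is why the final permit lines must name your own block rather than any.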

Some discussions

»Ok setting up a 2801 NAT problem
»[HELP] Should be simple to config?!
»[HELP] Cisco 2600 Ip Routing no internet on inside network..Help

by sortofageek, edited by aryoba
last modified: 2013-05-10 10:32:17

Suggested prerequisite reading:
»Cisco Forum FAQ »Things to expect when setup network for home or small business

For some broadband Internet connections such as cable and DSL, and for business-grade Internet connections using T1/E1 or faster, the ISP instructs its customers (subscribers) to configure a specific IP address on their firewall. This means that the subscriber's firewall uses a static IP address to connect to the Internet.

When this is your case, the following sample configuration is a good starting point to help you configure the firewall. A typical network environment that might use the following sample PIX/ASA configuration is as follows:

* There is a modem in front of the PIX/ASA, which the modem connects to the ISP
* ISP is providing Public IP address to the PIX/ASA statically
* There is NAT/PAT in place on the PIX/ASA to translate internal IP addresses to the ISP-provided Public IP address
* The PIX/ASA is also acting as DHCP server for the local LAN, which provides dynamic IP info for hosts behind the PIX/ASA within the LAN

This sample PIX/ASA configuration assumes the following:

* Internal private IP subnet (for hosts behind the PIX/ASA): 10.0.0.0/24
* All of the hosts' gateway would be the PIX/ASA inside interface IP address: 10.0.0.1
* The IP address range of 10.0.0.30-10.0.0.254 would be available for DHCP pool clients
* Consequently, the IP address range of 10.0.0.2-10.0.0.29 would be reserved for statically-assigned hosts
* The DHCP clients would also receive the DNS IP addresses 68.87.64.196 and 68.87.66.196 automatically as part of the dynamic IP address assignment
* When all hosts behind the PIX/ASA go out to the Internet, the hosts would be using the PIX/ASA outside interface IP address (which is the ISP-assigned Public IP address)
* Necessary ICMP packets coming from the Internet (the types listed in the ICMP-INBOUND object group) would be permitted to enter your LAN

SAMPLE CONFIGURATION

Assuming you receive the static IP address 1.1.1.2 from the ISP and the ISP default gateway is 1.1.1.1, here is the sample configuration.

1. PIX

OS Version 6.3(3)

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname PIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group icmp-type ICMP-INBOUND
icmp-object 0
icmp-object 3
icmp-object 11
access-list INBOUND permit icmp any any object-group ICMP-INBOUND
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 1.1.1.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.30-10.0.0.254 inside
dhcpd dns 68.87.64.196 68.87.66.196
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
 

2. PIX/ASA

OS Version 7.x to 8.2

hostname ASA
domain-name xxxxx
enable password xxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name xxx.xxx
object-group icmp-type ICMP-INBOUND
description Permit necessary inbound ICMP traffic
icmp-object 0
icmp-object 3
icmp-object 11
access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND
pager lines 24
logging enable
logging console notifications
logging buffered warnings
logging asdm notifications
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
dhcpd address 10.0.0.30-10.0.0.254 inside
dhcpd dns 68.87.64.196 68.87.66.196 interface inside
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
webvpn
enable outside
prompt hostname context
 

OS Version 8.3 or later

hostname ASA
domain-name xxxxx
enable password xxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name xxx.xxx
!
object-group service ICMP-INBOUND
description Permit necessary inbound ICMP traffic
icmp 0
icmp 3
icmp 11
!
access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND
pager lines 24
logging enable
logging console notifications
logging buffered warnings
logging asdm notifications
mtu outside 1500
mtu inside 1500
no asdm history enable
!
object network OBJ_GENERIC_ALL 
 subnet 0.0.0.0 0.0.0.0
 
nat (inside,outside) source dynamic OBJ_GENERIC_ALL interface
 
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
dhcpd address 10.0.0.30-10.0.0.254 inside
dhcpd dns 68.87.64.196 68.87.66.196 interface inside
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
webvpn
enable outside
prompt hostname context
 

Note:
Should you decide to run Internet-accessible servers behind the PIX/ASA, you can check out the following FAQ for sample configurations.
»Cisco Forum FAQ »PIX Firewall/ASA configuration to run server (with and without port forwarding)

by aryoba
last modified: 2014-02-24 14:31:06

With a dedicated Internet connection (i.e. T1/E1 or DS3/E3) and some xDSL plans, you may receive two different subnets from your ISP. One is for the WAN connection between your network and the ISP.

In a dedicated Internet connection plan using a T1/E1 or faster circuit, the WAN subnet is typically a /30 network, since the circuit you have is point-to-point. Note that it is possible to have a WAN subnet larger than /30, especially when you have an xDSL plan.

The other subnet you receive from the ISP is your Public IP Block. This block could be a /29, /28, or /27 network, depending on which plan or subnet you choose to have.

There will be a router that connects to your ISP. This router has two Layer-3 interfaces. One interface should face your ISP and the other interface should face your network.

You plan to have a Private network that uses Private IP addresses (e.g. 10.0.0.0/24, 172.16.1.0/24, or 192.168.4.0/24). Therefore there must be NAT/PAT in place within your network between the Private IP addresses and the Public IP Block assigned by your ISP.

Your objective is to find a suitable network setup using the IP blocks you receive from your ISP. There are several scenarios to choose from when setting up such a network.

For the sake of discussion, let's say you have the following subnets from your ISP:

WAN IP Subnet: 1.1.1.0/30, where you have 1.1.1.2/30 for your WAN IP address and 1.1.1.1/30 as the ISP gateway
Public IP Block: 2.2.2.0/24

and you plan to use 192.168.0.0/24 as your Private subnet. Following are the scenarios.

Scenario 1: The router does NAT/PAT

In this scenario, there is a switch behind the router to connect to the Private LAN. The router inside (E0/0) interface is within the Private LAN, which also serves as default gateway to all hosts within the Private LAN.

You set the router to assign 2.2.2.1 as the Public PAT IP address to all Private LAN hosts. You may later assign other IP addresses within your Public IP Block to other devices such as servers and VPN Concentrator.

Router configuration
interface Ethernet0/0
description Private LAN
ip address 192.168.0.1 255.255.255.0
ip nat inside
!
interface Ethernet0/1
description WAN connection to ISP
ip address 1.1.1.2 255.255.255.252
ip nat outside
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
ip nat pool NAT-pool 2.2.2.1 2.2.2.1 prefix-length 24
ip nat inside source list 10 pool NAT-pool overload
!
access-list 10 remark Permitted Private LAN to go out to the Internet
access-list 10 permit 192.168.0.0 0.0.0.255
 

Following is a sample configuration for when there are multiple LAN interfaces on the router. Note that no NAT process takes place between the Ethernet0/0 and Ethernet0/1 interfaces, since NAT takes place only when traffic traverses from an interface with the ip nat inside command to an interface with the ip nat outside command.

Router configuration
interface Ethernet0/0
description Private LAN 1 (DMZ)
ip address 192.168.0.1 255.255.255.0
ip nat inside
!
interface Ethernet0/1
description Private LAN 2 (Inside)
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface Serial0/0
description WAN connection to ISP (Outside)
ip address 1.1.1.2 255.255.255.252
ip nat outside
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
ip nat pool NAT-pool 2.2.2.1 2.2.2.1 prefix-length 24
ip nat inside source list 10 pool NAT-pool overload
!
access-list 10 remark Permitted Private LAN to go out to the Internet
access-list 10 permit 192.168.0.0 0.0.1.255
 

Here is another sample configuration with multiple router interfaces, where one interface is the Outside (lowest security level, untrusted network), one is the DMZ (medium security level), and one is the Inside (highest security level, trusted network). The Outside interface (the WAN or Serial interface) has the 1.1.1.0/30 WAN subnet. The DMZ interface has part of the LAN subnet, with 2.2.2.1 as the default gateway of all DMZ machines. The Inside uses another part of the LAN subnet as its NAT-ed IP address.

Further, the router runs a dynamic routing protocol (in this case, BGP) with the ISP to advertise the 1.1.1.0/30 WAN and 2.2.2.0/24 LAN subnets. Note that the BGP configuration part assumes certain things, such as the BGP AS numbers, for illustration purposes only. Should you need to run BGP with your ISP, make sure you implement the correct info as provided by your ISP.

Router Configuration
interface Ethernet0/0
description Private LAN 1 (DMZ)
ip address 2.2.2.1 255.255.255.128
!
interface Ethernet0/1
description Private LAN 2 (Inside)
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface Serial0/0
description WAN connection to ISP (Outside)
ip address 1.1.1.2 255.255.255.252
ip nat outside
!
router bgp 4127
no synchronization
neighbor 1.1.1.1 remote-as 239
neighbor 1.1.1.1 description ISP BGP Peers
neighbor 1.1.1.1 soft-reconfiguration inbound
network 1.1.1.0 mask 255.255.255.252
network 2.2.2.0 mask 255.255.255.0
no auto-summary
!
ip nat pool NAT-pool 2.2.2.254 2.2.2.254 prefix-length 29
ip nat inside source list 10 pool NAT-pool overload
ip route 2.2.2.0 255.255.255.0 Null0
!
access-list 10 remark Permitted Private LAN to go out to the Internet
access-list 10 permit 192.168.0.0 0.0.1.255
 

Typically you implement this scenario when there is no dedicated firewall to do NAT/PAT. When you do have a dedicated firewall, you may want to implement one of the next scenarios.

Scenario 2: There is a firewall behind the router that does NAT/PAT

In this scenario, you have a PIX Firewall as the dedicated firewall gear that sits behind the router. You have a crossover cable connecting the router E0/0 and the PIX e0 interfaces to make a point-to-point connection. This point-to-point connection uses the 192.168.1.0/30 subnet.

There is a switch behind the PIX to connect to the Private LAN. The PIX inside (e1) interface is within the Private LAN, which also serves as default gateway to all hosts within the Private LAN.

You set the PIX to assign 2.2.2.1 as the Public PAT IP address to all Private LAN hosts. You may later assign other IP addresses within your Public IP Block to other devices such as servers and VPN Concentrator.

Router configuration
interface Ethernet0/0
description Private LAN
ip address 192.168.1.1 255.255.255.252
!
interface Ethernet0/1
description WAN connection to ISP
ip address 1.1.1.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 2.2.2.0 255.255.255.0 192.168.1.2
!
 

If you need to run BGP with the ISP, here is the sample configuration.

Router Configuration
interface Ethernet0/1
description Private LAN 2 (Inside)
ip address 192.168.1.1 255.255.255.252
ip nat inside
!
interface Serial0/0
description WAN connection to ISP (Outside)
ip address 1.1.1.2 255.255.255.252
ip nat outside
!
router bgp 4127
no synchronization
neighbor 1.1.1.1 remote-as 239
neighbor 1.1.1.1 description ISP BGP Peers
neighbor 1.1.1.1 soft-reconfiguration inbound
network 1.1.1.0 mask 255.255.255.252
network 2.2.2.0 mask 255.255.255.0
no auto-summary
!
ip route 2.2.2.0 255.255.255.0 192.168.1.2
!
 

PIX Firewall configuration
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **** encrypted
passwd **** encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
logging on
logging timestamp
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.2 255.255.255.252
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 2.2.2.1
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
isakmp enable outside
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
 

Typically you implement this scenario when there are no other physical devices directly behind the router but the firewall.

More sample configurations for a dedicated firewall behind an Internet router:
»Cisco Forum FAQ »Internet - Router - PIX/ASA - LAN

Scenario 3: There is a firewall behind the router that does NAT/PAT and does IPSec VPN tunnel

In this scenario, you have a PIX Firewall as the dedicated firewall gear that sits behind the router. You have a crossover cable connecting the router E0/0 and the PIX e0 interfaces to make a point-to-point connection.

There is a switch behind the PIX to connect to the Private LAN. The PIX inside (e1) interface is within the Private LAN and also serves as the default gateway for all hosts within the Private LAN.

You set the PIX to assign 2.2.2.3 as the Public PAT IP address to all Private LAN hosts. You set the PIX outside interface as 2.2.2.2 which will be the VPN Concentrator IP address. You can later assign other IP addresses within your Public IP Block to other devices such as servers. Check out the following FAQ for more info on running servers with ASA or PIX Firewall.

»Cisco Forum FAQ »PIX Firewall/ASA configuration to run server (with and without port forwarding)

Router configuration
interface Ethernet0/0
description Private LAN
ip address 2.2.2.1 255.255.255.0
!
interface Ethernet0/1
description WAN connection to ISP
ip address 1.1.1.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
 

If you need to run BGP with the ISP, here is the sample configuration.

Router Configuration
interface Ethernet0/1
description LAN (Inside)
ip address 2.2.2.1 255.255.255.0
!
interface Serial0/0
description WAN connection to ISP (Outside)
ip address 1.1.1.2 255.255.255.252
!
router bgp 4127
no synchronization
neighbor 1.1.1.1 remote-as 239
neighbor 1.1.1.1 description ISP BGP Peers
neighbor 1.1.1.1 soft-reconfiguration inbound
network 1.1.1.0 mask 255.255.255.252
network 2.2.2.0 mask 255.255.255.0
no auto-summary
!
 

PIX Firewall configuration
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **** encrypted
passwd **** encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 90 permit ip any 192.168.1.0 255.255.255.0
access-list nonat permit ip any 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 2.2.2.2 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool bigpool 192.168.1.1-192.168.1.254
pdm history enable
arp timeout 14400
global (outside) 1 2.2.2.3
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-aes-256 esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 30
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
vpngroup vpn3000-all address-pool bigpool
vpngroup vpn3000-all dns-server 192.168.0.2
vpngroup vpn3000-all wins-server 192.168.0.3
vpngroup vpn3000-all default-domain yournetwork.com
vpngroup vpn3000-all split-tunnel 90
vpngroup vpn3000-all idle-time 1800
vpngroup vpn3000-all password ********
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local bigpool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username cisco password *********
vpdn enable outside
terminal width 80
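
As an added check that is not part of the FAQ or of Cisco's tooling, the Python script below parses the PIX and router lines from the Scenario 2 and Scenario 3 configs above and verifies that the router actually has a path to the PIX PAT address (directly connected in Scenario 3, or via the static route to the PIX outside IP in Scenario 2), that the VPN client pool is exempted from PAT by the nonat access-list, and it flags the weak defaults the sample configs carry (snmp community public, ISAKMP MD5 hash and DH group 1). The embedded config lines are copied from Scenario 3; the regexes assume the PIX 6.3 syntax shown on this page.

```python
import ipaddress, re

# Constructed sample: the relevant lines copied from the Scenario 3 configs above.
PIX_CFG = """ip address outside 2.2.2.2 255.255.255.0
ip local pool bigpool 192.168.1.1-192.168.1.254
access-list nonat permit ip any 192.168.1.0 255.255.255.0
global (outside) 1 2.2.2.3
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1
snmp-server community public
isakmp policy 10 hash md5
isakmp policy 10 group 1"""
ROUTER_CFG = """interface Ethernet0/0
 ip address 2.2.2.1 255.255.255.0
interface Ethernet0/1
 ip address 1.1.1.2 255.255.255.252
ip route 0.0.0.0 0.0.0.0 1.1.1.1"""

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def grab(cfg, pattern):
    """Capture groups of the first config line matching pattern, else None."""
    m = re.search(pattern, cfg, re.M)
    return m.groups() if m else None

def audit(pix, router):
    """Return a list of findings; empty means the PIX/router pairing looks sane."""
    findings = []
    # Assumes the PIX config carries the outside address, a global and a default route.
    out_ip, out_mask = grab(pix, r"^ip address outside (\S+) (\S+)")
    outside = _net(out_ip, out_mask)
    nh = grab(pix, r"^route outside 0\.0\.0\.0 0\.0\.0\.0 (\S+)")[0]
    if ipaddress.ip_address(nh) not in outside:
        findings.append(f"PIX default next hop {nh} is not on outside subnet {outside}")
    pat = ipaddress.ip_address(grab(pix, r"^global \(outside\) \d+ (\S+)")[0])
    # Router path to the PAT address: directly connected (Scenario 3) or a static
    # route whose next hop is the PIX outside interface (Scenario 2).
    connected = [_net(a, m) for a, m in re.findall(r"^ ?ip address (\S+) (\S+)", router, re.M)]
    routes = re.findall(r"^ip route (\S+) (\S+) (\S+)", router, re.M)
    if not (any(pat in n for n in connected)
            or any(pat in _net(n, m) and gw == out_ip for n, m, gw in routes)):
        findings.append(f"router has no path to PAT address {pat} via PIX {out_ip}")
    # VPN client pool must be exempt from PAT (nat 0) or inside-to-client traffic breaks.
    pool = grab(pix, r"^ip local pool \S+ (\S+)-(\S+)")
    nonat = grab(pix, r"^access-list nonat permit ip any (\S+) (\S+)")
    if pool and not (nonat and all(ipaddress.ip_address(p) in _net(*nonat) for p in pool)):
        findings.append("VPN pool is not exempted from PAT by the nonat access-list")
    for rx, msg in ((r"^snmp-server community public$", "default SNMP community 'public'"),
                    (r"^isakmp policy \d+ hash md5$", "ISAKMP hash is MD5"),
                    (r"^isakmp policy \d+ group 1$", "ISAKMP DH group 1 (768-bit)")):
        if re.search(rx, pix, re.M):
            findings.append("weak setting: " + msg)
    return findings
```

Running audit(PIX_CFG, ROUTER_CFG) on the Scenario 3 lines reports only the three weak settings; feeding it the Scenario 2 lines instead passes cleanly as long as the router keeps its ip route 2.2.2.0 255.255.255.0 192.168.1.2 entry.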
 

This is an alternate scenario for when there is a possibility of connecting devices other than the firewall behind the router. In addition, this might be the preferred scenario when the firewall also acts as VPN Concentrator. Check out the following FAQ for more info on setting up an ASA or PIX Firewall as both Internet firewall and VPN Concentrator.

»Cisco Forum FAQ »Configure PIX/ASA as both Internet Firewall and VPN Concentrator

Feedback received on this FAQ entry:
  • I have discovered that the PIX 501 firewall running version 6.3 refuses to accept the "ip address ... pppoe" command if the outside interface has been named anything other than "outside". Mine is named "ext". In order to execute this command, I needed to rename it to "outside" (with the "nameif" command), issue the "ip address outside pppoe" command, and then name the interface back to "ext". Then everything worked (as long as I did not use the "setroute" option).

    2008-12-22 23:18:08



by aryoba See Profile
last modified: 2012-12-24 09:35:14

A VDSL modem presents an Ethernet interface in addition to an ATM interface. In the event that your ISP uses PPP to establish the session with you, PPPoE rather than PPPoA is used. Further, PPPoE needs to be configured within the correct VLAN to work.

»[Config] Cisco 1921 and HWIC-1VDSL

by aryoba See Profile
last modified: 2014-03-13 12:06:08