Cisco ASA: How to route PPPoE-assigned subnet?
- by Martijn Heemels
We've just received a fiber uplink, and I'm trying to configure our Cisco ASA 5505 to properly use it.
The provider requires us to connect via PPPoE, and I managed to configure the ASA as a PPPoE client and establish a connection. The ASA is assigned an IP address by PPPoE, and I can ping out from the ASA to the internet, but I should have access to an entire /28 subnet. I can't figure out how to get that subnet configured on the ASA, so that I can route or NAT the available public addresses to various internal hosts.
My assigned range is: 188.xx.xx.176/28
The address I get via PPPoE is 188.xx.xx.177/32, which according to our provider is our Default Gateway address. They claim the subnet is correctly routed to us on their side.
How does the ASA know which range it is responsible for on the Fiber interface?
How do I use the addresses from my range?
To clarify my config; The ASA is currently configured to default-route to our ADSL uplink on port Ethernet0/0 (interface vlan2, nicknamed Outside). The fiber is connected to port Ethernet0/2 (interface vlan50, nicknamed Fiber) so I can configure and test it before making it the default route. Once I'm clear on how to set it all up, I'll fully replace the Outside interface with Fiber.
My config (rather long):
: Saved
:
ASA Version 8.3(2)4
!
hostname gw
domain-name example.com
enable password ****** encrypted
passwd ****** encrypted
names
name 10.10.1.0 Inside-dhcp-network description Desktops and clients that receive their IP via DHCP
name 10.10.0.208 svn.example.com description Subversion server
name 10.10.0.205 marvin.example.com description LAMP development server
name 10.10.0.206 dns.example.com description DNS, DHCP, NTP
!
interface Vlan2
description Old ADSL WAN connection
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.252
!
interface Vlan10
description LAN vlan 10 Regular LAN traffic
nameif inside
security-level 100
ip address 10.10.0.254 255.255.0.0
!
interface Vlan11
description LAN vlan 11 Lab/test traffic
nameif lab
security-level 90
ip address 10.11.0.254 255.255.0.0
!
interface Vlan20
description LAN vlan 20 ISCSI traffic
nameif iscsi
security-level 100
ip address 10.20.0.254 255.255.0.0
!
interface Vlan30
description LAN vlan 30 DMZ traffic
nameif dmz
security-level 50
ip address 10.30.0.254 255.255.0.0
!
interface Vlan40
description LAN vlan 40 Guests access to the internet
nameif guests
security-level 50
ip address 10.40.0.254 255.255.0.0
!
interface Vlan50
description New WAN Corporate Internet over fiber
nameif fiber
security-level 0
pppoe client vpdn group KPN
ip address pppoe
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
switchport trunk allowed vlan 10,11,30,40
switchport trunk native vlan 10
switchport mode trunk
!
interface Ethernet0/2
switchport access vlan 50
speed 100
duplex full
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
switchport access vlan 20
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
boot system disk0:/asa832-4-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns server-group DefaultDNS
name-server dns.example.com
domain-name example.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network inside-net
subnet 10.10.0.0 255.255.0.0
object network svn.example.com
host 10.10.0.208
object network marvin.example.com
host 10.10.0.205
object network lab-net
subnet 10.11.0.0 255.255.0.0
object network dmz-net
subnet 10.30.0.0 255.255.0.0
object network guests-net
subnet 10.40.0.0 255.255.0.0
object network dhcp-subnet
subnet 10.10.1.0 255.255.255.0
description DHCP assigned addresses on Vlan 10
object network Inside-vpnpool
description Pool of assignable addresses for VPN clients
object network vpn-subnet
subnet 10.10.3.0 255.255.255.0
description Address pool assignable to VPN clients
object network dns.example.com
host 10.10.0.206
description DNS, DHCP, NTP
object-group service iscsi tcp
description iscsi storage traffic
port-object eq 3260
access-list outside_access_in remark Allow access from outside to HTTP on svn.
access-list outside_access_in extended permit tcp any object svn.example.com eq www
access-list Insiders!_splitTunnelAcl standard permit 10.10.0.0 255.255.0.0
access-list iscsi_access_in remark Prevent disruption of iscsi traffic from outside the iscsi vlan.
access-list iscsi_access_in extended deny tcp any interface iscsi object-group iscsi log warnings
!
snmp-map DenyV1
deny version 1
!
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 512
logging monitor warnings
logging buffered warnings
logging history critical
logging asdm errors
logging flash-bufferwrap
logging flash-minimum-free 4000
logging flash-maximum-allocation 2000
mtu outside 1500
mtu inside 1500
mtu lab 1500
mtu iscsi 9000
mtu dmz 1500
mtu guests 1500
mtu fiber 1492
ip local pool DHCP_VPN 10.10.3.1-10.10.3.20 mask 255.255.0.0
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 10 burst-size 5
asdm image disk0:/asdm-635.bin
asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static vpn-subnet vpn-subnet
!
object network inside-net
nat (inside,outside) dynamic interface
object network svn.example.com
nat (inside,outside) static interface service tcp www www
object network lab-net
nat (lab,outside) dynamic interface
object network dmz-net
nat (dmz,outside) dynamic interface
object network guests-net
nat (guests,outside) dynamic interface
access-group outside_access_in in interface outside
access-group iscsi_access_in in interface iscsi
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server SBS2003 protocol radius
aaa-server SBS2003 (inside) host 10.10.0.204
timeout 5
key *****
aaa authentication enable console SBS2003 LOCAL
aaa authentication ssh console SBS2003 LOCAL
aaa authentication telnet console SBS2003 LOCAL
http server enable
http 10.10.0.0 255.255.0.0 inside
snmp-server host inside 10.10.0.207 community ***** version 2c
snmp-server location Server room
snmp-server contact beheer@example.com
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set TRANS_ESP_AES-256_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES-256_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group5
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_AES-256_SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.10.0.0 255.255.0.0 inside
telnet timeout 5
ssh scopy enable
ssh 10.10.0.0 255.255.0.0 inside
ssh timeout 5
ssh version 2
console timeout 30
management-access inside
vpdn group KPN request dialout pppoe
vpdn group KPN localname INSIDERS
vpdn group KPN ppp authentication pap
vpdn username INSIDERS password ***** store-local
dhcpd address 10.40.1.0-10.40.1.100 guests
dhcpd dns 8.8.8.8 8.8.4.4 interface guests
dhcpd update dns interface guests
dhcpd enable guests
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics host number-of-rate 2
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server dns.example.com source inside prefer
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy Insiders! internal
group-policy Insiders! attributes
wins-server value 10.10.0.205
dns-server value 10.10.0.206
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Insiders!_splitTunnelAcl
default-domain value example.com
username martijn password ****** encrypted privilege 15
username marcel password ****** encrypted privilege 15
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group Insiders! type remote-access
tunnel-group Insiders! general-attributes
address-pool DHCP_VPN
authentication-server-group SBS2003 LOCAL
default-group-policy Insiders!
tunnel-group Insiders! ipsec-attributes
pre-shared-key *****
!
class-map global-class
match default-inspection-traffic
class-map type inspect http match-all asdm_medium_security_methods
match not request method head
match not request method post
match not request method get
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect http http_inspection_policy
parameters
protocol-violation action drop-connection
policy-map global-policy
class global-class
inspect dns
inspect esmtp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect icmp
inspect icmp error
inspect mgcp
inspect netbios
inspect pptp
inspect rtsp
inspect snmp DenyV1
!
service-policy global-policy global
smtp-server 123.123.123.123
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:a76bbcf8b19019771c6d3eeecb95c1ca
: end
asdm image disk0:/asdm-635.bin
asdm location svn.example.com 255.255.255.255 inside
asdm location marvin.example.com 255.255.255.255 inside
asdm location dns.example.com 255.255.255.255 inside
asdm history enable
