Configuring PPPoE on a Cisco ASA firewall
1. Model
2. Requirements:
– Configure PPPoE to connect to the ISP, using the static IP 123.30.40.58 on the interface that connects directly to the ISP.
– Configure the basic network parameters (IP addresses, network objects, access-list, access-group).
– Configure NAT (inside,outside) so that internal hosts can reach the outside.
– Configure NAT (dmz,outside) for the public website: HTTP requests from the outside to 123.30.40.59 must reach the web server 192.168.2.20 in the DMZ.
3. Configure PPPoE on the ASA 5525
– Configure the dial-out parameters: the VPDN group, the username and password issued by the ISP, and the PPP authentication protocol (CHAP here; PAP and MS-CHAP are the alternatives):
ciscoasa(config)#vpdn group FTP-DIALER-GROUP request dialout pppoe
ciscoasa(config)#vpdn group FTP-DIALER-GROUP localname sgfdl-111111-222
ciscoasa(config)#vpdn group FTP-DIALER-GROUP ppp authentication chap
ciscoasa(config)#vpdn username sgfdl-111111-222 password d111111222 store-local
The localname must match a vpdn username entry. The password is typed in cleartext; store-local keeps a copy of the credential in NVRAM so the PPPoE session can re-authenticate even after the running configuration is cleared.
– Bind the dial-out group to the interface that connects to the ISP:
ciscoasa(config)#interface GigabitEthernet0
ciscoasa(config-if)#pppoe client vpdn group FTP-DIALER-GROUP
– Enable PPPoE on that interface, in one of two ways:
+ Receive a dynamic IP address from the ISP:
ciscoasa(config)#interface GigabitEthernet0
ciscoasa(config-if)#ip address pppoe setroute
+ Use a static IP address on the interface:
Suppose the ISP has allocated you the block 123.30.40.56/29 (usable addresses 123.30.40.57 to 123.30.40.62), with 123.30.40.57 used on the ISP side as the gateway of the link facing your outside interface. The remaining addresses are used as follows:
- 123.30.40.58 is assigned to interface g0 (outside) of the ASA.
- 123.30.40.59 is the public address of the web server: HTTP requests from the outside to 123.30.40.59 are translated by the ASA to the web server 192.168.2.20 in the DMZ.
ciscoasa(config)#interface GigabitEthernet0
ciscoasa(config-if)#ip address 123.30.40.58 255.255.255.248 pppoe setroute
The setroute keyword makes the ASA install a default route through the PPPoE peer once the session comes up, so do not configure a static default route as well.
Verify the routing table; the default route learned over the PPPoE session points to the ISP gateway 123.30.40.57 on the outside interface:
ciscoasa# show route
C 192.168.1.0 255.255.255.0 is directly connected, inside
C 192.168.2.0 255.255.255.0 is directly connected, dmz
S* 0.0.0.0 0.0.0.0 (1/0) via 123.30.40.57, outside
4. Configure IP addresses, network objects, access-list, access-group and NAT.
– Configure ip address, nameif and security-level on the ASA interfaces. Traffic from a higher security level to a lower one (inside to outside, dmz to outside) is allowed by default; traffic from a lower level to a higher one (outside to dmz) is dropped unless an access-list applied inbound on the lower-security interface permits it, which is why the ACL in the next step is needed.
interface GigabitEthernet0
nameif outside
security-level 0
ip address 123.30.40.58 255.255.255.248 pppoe setroute
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet2
nameif dmz
security-level 70
ip address 192.168.2.1 255.255.255.0
!
– Configure the network objects (the real and public addresses of the web server, and the two internal subnets):
object network WWW-SERVER
host 192.168.2.20
object network WWW-SERVER-external-ip
host 123.30.40.59
object network INSIDE-SUBNET
subnet 192.168.1.0 255.255.255.0
object network DMZ-SUBNET
subnet 192.168.2.0 255.255.255.0
– Configure the ACL and apply it inbound on the outside interface. On ASA 8.3 and later an ACL matches the real (untranslated) address, so the entries reference the object WWW-SERVER (192.168.2.20), not the public address 123.30.40.59:
ciscoasa# show running-config access-list
access-list Outside_access_in extended permit icmp any any
access-list Outside_access_in extended permit tcp any object WWW-SERVER eq www
access-list Outside_access_in extended permit tcp any object WWW-SERVER eq telnet
Note that the first entry allows every ICMP type from anywhere and the third exposes a cleartext telnet login on the web server to the whole Internet. For a production deployment, drop the telnet entry (manage the server from the inside or over an encrypted channel) and limit ICMP to the types you actually need.
+ Apply the ACL to the interface:
access-group Outside_access_in in interface outside
– Configure NAT. The first rule PATs everything from INSIDE-SUBNET behind the outside interface address (123.30.40.58) as it leaves; the second is a one-to-one static translation between WWW-SERVER (192.168.2.20) and 123.30.40.59 in both directions:
object network INSIDE-SUBNET
nat (inside,outside) dynamic interface
object network WWW-SERVER
nat (dmz,outside) static WWW-SERVER-external-ip
This static NAT translates every port, so only the access-list above limits what the outside can reach on the server.
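As an added example that is not part of the original page and not Cisco tooling, the following Python script re-assembles the configuration from sections 3 and 4 as a constructed sample and lints it for the pitfalls discussed above: an invalid PPP authentication keyword, a dial-out group whose localname has no matching vpdn username entry, an inbound ACL that permits every ICMP type or a cleartext management port, an ACE that references the mapped (public) object instead of the real one, and a static NAT that nothing permits inbound. The parser, the finding codes and the hardened variant are my own constructs; the port list and the set of valid authentication keywords are assumptions chosen for this example.

```python
# Added example, not Cisco tooling: lint the ASA 8.3+ configuration built above.
# SAMPLE_CONFIG re-assembles the page's commands (inside/dmz interfaces omitted).
import re

SAMPLE_CONFIG = """\
vpdn group FTP-DIALER-GROUP request dialout pppoe
vpdn group FTP-DIALER-GROUP localname sgfdl-111111-222
vpdn group FTP-DIALER-GROUP ppp authentication chapter
vpdn username sgfdl-111111-222 password d111111222 store-local
interface GigabitEthernet0
 nameif outside
 ip address 123.30.40.58 255.255.255.248 pppoe setroute
 pppoe client vpdn group FTP-DIALER-GROUP
object network WWW-SERVER-external-ip
 host 123.30.40.59
object network WWW-SERVER
 host 192.168.2.20
 nat (dmz,outside) static WWW-SERVER-external-ip
object network INSIDE-SUBNET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
access-list Outside_access_in extended permit icmp any any
access-list Outside_access_in extended permit tcp any object WWW-SERVER eq www
access-list Outside_access_in extended permit tcp any object WWW-SERVER eq telnet
access-group Outside_access_in in interface outside
"""

PPP_AUTH = {"pap", "chap", "mschap"}                  # keywords the ASA accepts (assumed list)
CLEARTEXT_ADMIN_PORTS = {"telnet", "23", "ftp", "21"}  # assumed list of services to never expose


def parse(config):
    # Line-oriented parser for the handful of commands used on this page.
    cfg = {"groups": {}, "users": {}, "ifaces": {}, "objects": {}, "acls": {}, "applied": []}
    ctx = None
    for line in config.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if not line.startswith(" "):                    # top-level command
            ctx = None
            if t[:2] == ["vpdn", "group"]:
                g = cfg["groups"].setdefault(t[2], {})
                if t[3:5] == ["ppp", "authentication"]:
                    g["auth"] = t[5]
                elif t[3] == "localname":
                    g["localname"] = t[4]
            elif t[:2] == ["vpdn", "username"]:
                cfg["users"][t[2]] = t[4]
            elif t[0] == "interface":
                ctx = cfg["ifaces"].setdefault(t[1], {})
            elif t[:2] == ["object", "network"]:
                ctx = cfg["objects"].setdefault(t[2], {})
            elif t[0] == "access-list":
                cfg["acls"].setdefault(t[1], []).append(t[2:])
            elif t[0] == "access-group":                # (acl, direction, nameif)
                cfg["applied"].append((t[1], t[2], t[4]))
        elif ctx is not None:                           # interface / object sub-mode
            if t[:2] == ["ip", "address"]:
                ctx["pppoe"] = "pppoe" in t
            elif t[:2] == ["pppoe", "client"]:
                ctx["vpdn_group"] = t[4]
            elif t[0] == "nat":                         # nat (real,mapped) mode target
                m = re.match(r"\((\w+),(\w+)\)", t[1])
                ctx["nat"] = {"to": m.group(2), "mode": t[2], "mapped": t[3]}
    return cfg


def lint(cfg):
    # Return (code, message) findings for the pitfalls discussed on the page.
    f = []
    mapped = {o["nat"]["mapped"] for o in cfg["objects"].values() if o.get("nat", {}).get("mode") == "static"}
    for name, i in cfg["ifaces"].items():              # (1) PPPoE client wiring
        g = cfg["groups"].get(i.get("vpdn_group"), {})
        if i.get("pppoe") and g.get("auth") not in PPP_AUTH:
            f.append(("bad-ppp-auth", f"{name}: ppp authentication '{g.get('auth')}' is not pap/chap/mschap"))
        if i.get("pppoe") and g.get("localname") not in cfg["users"]:
            f.append(("no-vpdn-username", f"{name}: no 'vpdn username' for localname {g.get('localname')}"))
    permitted = set()                                   # (nameif, real object) pairs permitted inbound
    for acl, direction, nameif in cfg["applied"]:      # (2) inbound ACL hygiene
        for ace in (a for a in cfg["acls"].get(acl, []) if direction == "in" and a[1] == "permit"):
            if ace[2] == "icmp" and ace[3:] == ["any", "any"]:
                f.append(("icmp-any", f"{acl}: permits every ICMP type from anywhere"))
            if "eq" in ace and ace[ace.index("eq") + 1] in CLEARTEXT_ADMIN_PORTS:
                f.append(("cleartext-port", f"{acl}: exposes {ace[ace.index('eq') + 1]} to {ace[3]}"))
            if "object" in ace:                         # ASA 8.3+: ACLs match real (pre-NAT) addresses
                obj = ace[ace.index("object") + 1]
                if obj in mapped:
                    f.append(("mapped-object-in-acl", f"{acl}: {obj} is a mapped address, reference the real object"))
                else:
                    permitted.add((nameif, obj))
    for name, o in cfg["objects"].items():             # (3) a static NAT nothing permits inbound is dead
        n = o.get("nat")
        if n and n["mode"] == "static" and (n["to"], name) not in permitted:
            f.append(("static-nat-no-acl", f"{name}: static NAT to {n['mapped']} but nothing permits it inbound on {n['to']}"))
    return f


# Same configuration with the typo fixed and the ICMP-any / telnet entries removed.
HARDENED_CONFIG = "\n".join(ln for ln in SAMPLE_CONFIG.replace("chapter", "chap").splitlines()
                            if not ln.endswith(("icmp any any", "eq telnet"))) + "\n"
```

Running `lint(parse(SAMPLE_CONFIG))` reports the authentication typo, the ICMP-any entry and the telnet exposure; `lint(parse(HARDENED_CONFIG))` is empty. The checks only understand the command shapes used on this page (object NAT, `object` references in ACEs) and would need extending for object-groups, twice NAT or ACEs that use `object` as the source.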