I am using ASA 5505 with firmware 8.2(2). My ISP uses PPPoE as a WAN connection protocol. There is a problem with getting PPPoE session started on my ASA 5505. The debug output says that after negotiation of PPP-authentication protocol ASA receives a PADT packet from ISP’s concentrator. To get more information I captured all packets on outside interface with WireShark. Packet-dumps (in .pcap format) are attached in this post. I have tried all possible combinations of PAP/CHAP/MSCHAP values in “vpdn group MYGROUP ppp authentication” command. If you take a look at the packet-dumps you can see, that in case of “PAP” – ISP’s concentrator rejects negotiation (PAP is not supported by my ISP). In case of CHAP/MSCHAP (that ARE supported by my ISP) – ASA acknowledges the using of MSCHAP v.2 PPP-auth protocol, which is actually not supported by it…
Judging by MAC-addresses of ISP’s concentrators it is visible that Cisco’s equipment also is used.
The questions is: Why ASA acknowledges using of unsupported ppp-auth protocol during negotiation and what I need to do to resolve this issue? (ISP’s support says, that they cannot change PPP-auth protocol negotiation order. Also they says that I need to contact with manufacturer of my equipment).
I am tyring to remotely diagnose a troublesome ASA5505
It is connecting via PPPOE and the original suscpicion was that the PPPOE was going down during heavy loads during the day, i.e 9am and lunchtime. I suspected MTU and have verified the MTU outside is set to 1492
However further troubleshooting doing a remote ping to the PPPOE address indicates that this does not drop at all.
When remoteley connected to the ASA my session dies and any outbound internet fails, then in a few minutes it comes back.
all the time the PPPOE line stays up?
One thought is that although the line does not go down it is being crippled with traffic and just getting so unresponsive it appears it has died.
We currently use a linux software based firewall called IPCop that sits between our network and router (This is in bridged mode) IPCop conects over PPPoE and everything works fine.
However the system is not reliable and I fear not that secure so have purchased an ASA5505 now I have added the PPPoE info to the device using the ADSM software however although it picks up my external static IP I'm unable to access the internet. On IPCop I only had to enter the broadband credentials and it worked however I feel like I may have to add more to the Cisco, for example do I have to specify DNS servers and do I have to set a static route?
Here is my config file so far (Note I think I have turned on the ability to ping from internal to external). My config I have done through the ADSM as opposed to the CLI
I've been having this issue for about 3 months now, off and on, never seemed to be predictable but started happening more and more, which prompted me to look into it.
Currently, the DSL Modem is configured in bridge mode with the ASA handling PPPoE. The WAN address is being assigned via DHCP. The ASA is running 8.2(1). The WAN interface will drop it's DHCP lease and will not renew it without power cycling the DSL modem. I did a little bit of googling and found mention of setting "dhcp-client client-id interface outside", specifically this was an issue pre 7.2(22), but doesn't seem to affect my situation. Originally, I had the MTU on the outside interface configured as 1500, changing it to 1492 has not resolved my issue either.
I've enabled PPPoE and DHCPC debugging and posted the results below when the event occurs, I'm thinking this is moreso a PPPoE issue than it is a DHCP/DHCP Lease issue as I am not seeing any debug messages from DHCPC.
configure my ASA 5505. It is setup using PPPoE. What I want to do is this:
I have one of my IP addresses (99.23.119.78) setup for ftp using the ftp protocol to our internal IP address 192.168.1.3. What I need is to also allow for HTTP access but not just that, I need it to forward the http port to port 9000 because the web interface requires port 9000 for customer access. Previously on our old firewall customers were able to access the web interface by browsing to [URL]. I would like to not have to not require the port in the URL.
In addition, I would like to be able to setup a different IP address in our range (99.23.119.73) to be setup for http access using the standard port 80 for the same internal IP address (192.168.1.3). This URL will allow us to access the administration web interface for the FTP server.
Here is my current config:
Result of the command: "show running-config" : Saved:ASA Version 8.2(1) !hostname ciscoasaenable password qVQaNBP31RadYDLM encryptedpasswd 2KFQnbNIdI.2KYOU
I'm using the ASDM, if I configure VLAN2 with the IP address of the VDSL interface I can ping the modem from the console session via Putty. If I take that off and configure up the PPPOE client I can't ping the VDSL modem, I'd expect that. If I then add in an IP address to the PPPOE client config like I assigned to VLAN2 it doesn't ping either.If I can't ping the VDSL modem I don't expect it would work but it seems I can only either give it a static address which pings but has no pppoe or give it a PPPOE config which means I can't ping the VDSL. why I can't ping the VDSL modem when the interface is set as PPPOE with an IP address?Presumably if I'm on the ASA console doing pings from there to the modem then I'm ruling out problems with the routing from the laptop (trying to isolate where the issue is)
I've an ASA 5505 connecting to a vdsl modem. The ASA is doing the PPPoE encapsulation. I've noticed the traffic amount on the outside interface is always twice the bandwidth it receives on its inside interface. I can't believe the PPP encapsulation is taking that much. Only two interfaces (inside and outside)
This might actually go into Networking Basics because of the nature of the problem, but I tossed it in here because of the Cisco product involved. Long story short, I need to do some detective work to figure an apporpriate IP address for a NIC.I recently started working at a company with the ASA 5505 and I need to upgrade the software image on a bunch of them. There's already a computer set up with a TFTP server and Hyper-Terminal to do it. I'm trying to use the CLI update procedur[URL] but when I get to the beginning of the actual transfer from the TFTP, I get stuck at "Accessing" and then the connection times out with the message "Unknown Error".The only thing I can think of is that somehow the ASA is not making it all the way to the TFTP server, probably because the IP address settings on the NIC for the computer is set wrong. I say this because in the config file provided me, the ASA is given an address X.Y.Z.1, subnet mask /24 (where all the letters are constants) and the TFTP server has an addess in its software config of X.Y.Z.10 mask /24, but the NIC on the computer is set to A.B.C.105, which is an entirely different network.I need to figure out what I can make the NIC IP address so I stop getting the error. I tried a couple of different X.Y.Z.x addresses, but haven't gotten anything yet.
I have configure L2TP vpn using ASDM and now i am not able to connect my Cisco ASA 5505. it's showing error message 3Jul 07 201118:57:38IP = *.*.*.*, Error processing payload: Payload ID: 1
I am unable to connect to the vpn I set up on my ASA 5505 using the Cisco VPN Client on a Windows machine. The log of the vpn client and the config of the ASA 5505 are below.
LOG CISCO VPN CLIENT Cisco Systems VPN Client Version 5.0.06.0160 Copyright (C) 1998-2009 Cisco Systems, Inc. All Rights Reserved.
I get the following error when trying to connect a vpn client through an ASA5505 with an already configured ipsec AES/256 site to site connection:
regular translation creation failed for protocol 50 src:inside:192.168.1.167 dst:outside:xx.xxx.x.64
The site to site addressing is not relevant, I'm not trying to pass traffic over the site-to-site, but rather create a new vpn from inside client to outside external vpn box that's not under my control. The client is able to create a connection, but no traffic is passed, when I try to ping / rdp, the above message is returned to me. If I add the rule static(inside, outside) interface 192.168.1.167 netmask 255.255.255.255 then it works, everything works, but ONLY from this computer.
Been Google for hours, but with no result as of yet.
I am get stuck on this issue, i have asa 5505 which was working more than 4 months, after power recycle the firewall is not booting now, it gives the below error. i have tried to upload the new image however the story is same.
Just installed an ASA 5505 with AnyConnect Essentials. AnyConnect installation works fine on some windows boxes (All flavors) but have a couple machines with issues. This makes it clearly a computer side issue. When I try to log into the ASA to download the client with IE 9 the ASA just keeps asking for my logon credentials. If I I use Firefox my credentials work and I get as far as the "Using Sun java for installation" with instructions to click yes on the java security warning. The Java Security warning never arrives like on machines that don't have this problem. Firefox just hangs and has to be killed by task maanger. Remove and reinstall of both Java and Firefox fail to correct the problem. Any AnyConnect clientside recovery tips beyond Java and Browser reinstall?
A Google search show a few folks using Ubuntu and old PPC Macs seeing the same java error I get on these couple of windows boxen. [code]
I use a CISCO ASA 5505 with ASA 8.3. Everything works fine, but when I type the following line I get an error message:
nat (inside,outside) source dynamic OBJ_SPECIFIC_192-168-1-0 10.1.5.5ERROR: 10.1.5.5 doesn't match an existing object or object-groupI even tried to create the missing object but it did not work. The document also explains how to use ASDM for this configuration. It seems that there an object 10.1.5.5. is created.
Whenever I use the following command I get an invalid input error
ciscoasa#conf t ciscoasa (config) # crypto isakmp enable outside ciscoasa (config) #object network net-local ciscoasa (config-network) # subnet 192.168.101.0 255.255.255.0 ^ I have reset the firewall (cisco 5505) to factory default. The marker ^ is under the subnet
I Have a Firewall ASA 5505 with asa 8.4(2) asdm 6.4(5) I have only one Public IP services and need to publish on the Internet
External User (Internet) -> Calls connection on port 22 Internal server 192.168.1.124 External User (Internet) -> Calls connection on port 80 of the Internal 192.168.1.124 server or other server the same inside.
In the first moment I'm just testing the access port 22.I had it working in version 8.2 but after I updated to 8.4 does not work, I've tested several different configurations.
I'm trying to set up a 5505 (running 8.3) so that i can use the client vpn through RADIUS authentication.I have set up a new local RAIDUS windows box and used the ASDM asistant and a few other guides to setup the 5505.
it's probably just me but I have tried real hard to get a simple AnyConnect setup working in a lab environment on my ASA 5505 at home, without luck. When I connect with the AnyConnect client I get the error message "User not authorized for AnyConnect Client access, contact your administrator". I have searched for this error and tried some of the few solutions out there, but to no avail. I also updated the ASA from 8.4.4(1) to 9.1(1) and ASDM from 6.4(9) to 7.1(1) but still the same problem.
The setup of the ASA is straight forward, directly connected to the Internet with a 10.0.1.0 / 24 subnet on the inside and an address pool of 10.0.2.0 / 24 to assign to the VPN clients. Please note that due to ISP restrictions, I'm using port 44455 instead of 443. I had AnyConnect working with the SSL portal, but IKEv2 IPsec is giving me a headache. I have stripped down certificate authentication which I had running before just to eliminate this as a potential cause of the issue. When running debugging, I do not get any error messages - the handshake completes successfully and the local authentication works fine as well.
I recently had some trouble with my ASA 5505 in that the running config would not be saved after a reboot. Definitely looked like a hardware problem with the flash memory. I have since bought a new flash memory card and copied the contents of the old card to the new card. 1st problem I have is that I can see the image on the new card, but for some reason it wont boot into that image. I get /file not found
I then successfully load a new image to the device and it boots successfully. I then follow it with a
Cisco asa# config t Cisco(config)# boot system disk0:/asa831-k8.bin
(to ensure it boots from the flash in the future) and I get
WARNING: BOOT variable added, but unable to find disk0:/asa831-k8.bin
I have since tried ciscoasa# fsck disk0: Unsupported file system type!
%Error checking disk0: (No such file or directory)
When ever I try to do anything with Disk0: i get the same error. (No such file or directory). I have also tried putting the old flash card in the ASA and I now get the same response.
[OK] webvpn webvpn [ERROR] anyconnect image disk0:/anyconnect-win-3.0.08057-k9.pkg 2 copying 'disk0:/anyconnect-win-3.0.08057-k9.pkg' to a temporary ramfs file failed
Trying to add the windows anyconnect to the list of usable software for clients and that error happened. What is going wrong? I assume I dont have enough RAM...
I have connected an ASA 5505 to an ADSL router that is able to assign the IP address and the also the DNS servers for the ISP for the outside interface. The ASA is loaded up with IOS "asa842-k8.bin"
I am using vpnclient with a hostname as oppose to an IP address to connect to a headend remote server. If I hardcode the DNS servers IPs in the "dns server-group DefaultDNS" I am able to resolve the hostname. If I then remove the IPs from the group and rely on the dhcp to assign them, when I try to resolve the name I have an error at the console "ERROR: % Invalid Hostname"
The router 1841 is connected directly to the layer switch. the network diagram is below:
Office A --> Switch (L3) --> Router 1841 --> Internet --> Office B
However, when I transfer the file from Office A to office B, the speed very slow ( only around 40 kb/second), and there are an input error and CRC error:
Cisco-R1841#sh interfaces FA0/1 FastEthernet0/1 is up, line protocol is up Hardware is Gt96k FE, address is 0019.e02f.03dd (bia 0019.e02f.03dd)
I'm trying to open certain websites but the browser gives me this message: "Network Error (tcp_error) A communication error occurred: "Operation timed out" The Web Server may be down, too busy, or experiencing other problems preventing it from responding to requests. You may wish to try again at a later time.
i'm currently studying at a college which has a website with a student intranet that is available to log in from any computer. So far it has been working well and I can log in on my home laptop and upload documents and look at presentations etc. Today for no reason when I try and log in I get the message Error Code 500: Internal Server Error and the webpage does no appear.I have had no problems previously and this has only happened today and yesterday, I went down to the college and accessed the website fine from the computers in the library but still no joy from my home computer.
I have a Cisco 877 doing PPPoE through a ISP supplied modem that is in bridge mode (long story). When the DSL drops on the modem it takes around 5 to 10 mins for the 877 to redial the connection.
Here is the config I'm running:
interface Vlan1 description PPPoE-Interface(WAN) ip address dhcp load-interval 30 pppoe enable group global pppoe-client dial-pool-number 1
[code]....
Its possible some of that config is redundant but I've tried as much as I can see online.
Cisco 877W. I configured it for PPPoE. But once I plug in the ADSL line, the dialer interface will get IP Address. But after like 2 minutes the PPP link will go off and I will get this log message: "Interface Vi1 unbound from profile Di1".
Is it possible to set up a pppoe client on a VLAN interface, or a switch interface associated to an VLAN?. For example, in a 881 ethernet router, could I configure a pppoe client on any of the lan interfaces in addition to the pppoe client configured on the WAN interface?.
Trying to find a way to configure my 851 for home use. My internet provider use PPPoE with PAP and althrough I found many configuration options they all are incomplete...or i cant find the logic behind those commands. First of all I need to say what I need:
1. Configurate my int Fa4 (WAN) with pppoe so when i insert my ISP cable in it it will negotiate and take IP.
2. Configurate DHCP on LAN (Fa0-3) so that when I insert my PC it will take a fake IP.
Here is the place where i found some conf examples: [URL] and I have some questions:
1. MTU - Should I use the 1492 value or the "pppoe-client ppp-max-payload 1500"?
2. ip route 10.10.25.2 255.255.255.255 dialer 0 - How can i set an IP route when my connexion informations only come after i connect? (Because is PPPoE)?
3. I cant configurate the DHCP because I dont know the default route, I dont know the DNS, and i dont know the default gateway because I dont know them due to PPPoE !
I have cisco router model 1921 , how can i terminate my existing pppoe connection to 1921, so that my other LAN users can use internet.
1- One cable (RJ45) which is comming from ONT has connected with Integrated WAN Port on router.
2- One cable (RJ45) which going to my LAN switch has connected with Integrated LAN Port on router.
Now i need to configure my router, so that i can give internet access to my LAN users. I red cisco's guides but not clear regarding configurations, because in guides they use modules to configure pppoe. But i am not using any module, i am simply connecting one cable for WAN and one for LAN.
