
Cisco Firewall Configuration Fundamentals

Chapter Description

This chapter describes the configuration fundamentals for IOS and ASA-based firewalls, highlighting the similarities between the product families.

From the Book

Cisco Firewalls

Obtaining an IP Address Through the PPPoE Client

All the IP addresses involved in the baseline configurations considered so far have been assigned statically. This section presents PPP over Ethernet (PPPoE), a dynamic method for obtaining an IP address that is particularly common in xDSL broadband access environments.

Figure 3-9 portrays a typical DSL environment in which PPPoE builds sessions between client devices and the Broadband Aggregator. The PPPoE client can run on the user's PC (such as the one behind CPE1) or be embedded in the CPE itself (as exemplified by CPE2).

Figure 3-9 Example of DSL Environment That Employs PPPoE

Figure 3-10 shows a simplified environment in which the router called Server plays the role of the aggregation device. The focus of the scenario is the PPP negotiation (which includes IP address assignment). Example 3-29 relates to this topology and contains the relevant commands for both the server and the client sides: the server (emulating the aggregator) is an IOS router, and there are two clients, a PIX and another IOS router.

Figure 3-10 Reference Topology for PPPoE Analysis

Example 3-29. Baseline PPPoE Configuration

! IOS acting as PPPoE Server (on network
username PIX1 password *****
username IOS-FW password *****
ip local pool PPPoE1
interface Virtual-Template1
 ip unnumbered FastEthernet3/0.1230
 peer default ip address pool PPPoE1
 ppp authentication chap
bba-group pppoe PPPoE1
virtual-template 1
interface FastEthernet3/0.1230
 encapsulation dot1Q 1230
 ip address
 pppoe enable group PPPoE1
! PIX/ASA acting as a PPPoE Client (on interface called out1)

vpdn group PPPoE1 request dialout pppoe
vpdn group PPPoE1 localname PIX1
vpdn group PPPoE1 ppp authentication chap
vpdn username PIX1 password cisco
interface Ethernet0.1230
 vlan 1230
 nameif out1
 security-level 0
 pppoe client vpdn group PPPoE1
 ip address pppoe setroute
! IOS acting as PPPoE client
vpdn enable
vpdn-group PPPoE1
 protocol pppoe
 local name IOS-FW
interface Dialer2
 ip address negotiated
 encapsulation ppp
 dialer pool 2
 dialer-group 1
 no cdp enable
 ppp authentication chap
 ppp chap password cisco
ip route Dialer2
interface f4.1230
 no ip address
 pppoe-client dial-pool-number 2
 pppoe enable

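The CHAP handshake that the ppp authentication chap lines above set up, shown as an added example in Python (this is not code from the book or from Cisco's implementation). Both sides are modelled: SERVER issues a Challenge, the client answers with MD5(Identifier || secret || Challenge Value) as RFC 1994 specifies, and the server checks the answer against the secret it stores under that username, refusing a second use of the same challenge. The 16-byte challenge, the server name SERVER and the secret cisco are assumptions (the secret appears on the client side of Example 3-29; the server copy is masked). Under those assumptions the packets come out at 27, 25 and 4 bytes, which are the len values in the debug output of Example 3-30 (4-byte header, 1-byte Value-Size, 16-byte value, then the name).

```python
import hashlib
import hmac
import os
import struct

# CHAP packet codes (RFC 1994, section 4)
CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4


def build_chap(code: int, ident: int, payload: bytes) -> bytes:
    """Encode Code(1) Identifier(1) Length(2) payload; Length covers the whole packet."""
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def parse_chap(pkt: bytes) -> dict:
    """Decode a CHAP packet, refusing one whose Length or Value-Size disagrees with the bytes received."""
    if len(pkt) < 4:
        raise ValueError("truncated CHAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"Length field {length} != {len(pkt)} bytes on the wire")
    body = pkt[4:]
    if code in (CHALLENGE, RESPONSE):
        if not body or 1 + body[0] > len(body):
            raise ValueError("Value-Size runs past the end of the packet")
        vsize = body[0]
        return {"code": code, "id": ident, "len": length,
                "value": body[1:1 + vsize], "name": body[1 + vsize:].decode("ascii")}
    return {"code": code, "id": ident, "len": length, "message": body.decode("ascii")}


def chap_hash(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Response Value = MD5(Identifier || secret || Challenge Value) (RFC 1994, section 2)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def client_respond(challenge_pkt: bytes, name: bytes, secret: bytes) -> bytes:
    """Client side (PIX1 / IOS-FW): answer the challenge with the hash and our own name."""
    c = parse_chap(challenge_pkt)
    if c["code"] != CHALLENGE:
        raise ValueError("expected a CHALLENGE packet")
    digest = chap_hash(c["id"], secret, c["value"])
    return build_chap(RESPONSE, c["id"], bytes([len(digest)]) + digest + name)


class ChapServer:
    """Aggregator side: holds the per-peer secrets (the 'username ... password' lines)."""

    def __init__(self, name: bytes, users: dict):
        self.name, self.users, self.pending = name, users, {}

    def challenge(self, ident: int, value=None) -> bytes:
        # Assumed 16-byte random challenge; the length matches the len 27/25 seen in Example 3-30
        value = os.urandom(16) if value is None else value
        self.pending[ident] = value
        return build_chap(CHALLENGE, ident, bytes([len(value)]) + value + self.name)

    def verify(self, response_pkt: bytes) -> bytes:
        r = parse_chap(response_pkt)
        value = self.pending.pop(r["id"], None)      # each challenge is good for exactly one answer
        secret = self.users.get(r["name"])           # unknown peer -> no secret -> FAILURE
        if r["code"] != RESPONSE or value is None or secret is None:
            return build_chap(FAILURE, r["id"], b"")
        ok = hmac.compare_digest(chap_hash(r["id"], secret, value), r["value"])
        return build_chap(SUCCESS if ok else FAILURE, r["id"], b"")


def run_exchange(client_name: bytes, client_secret: bytes, users: dict,
                 ident: int = 1, challenge=None) -> dict:
    """Drive one round trip and report the packet sizes that debug ppp negotiation would print."""
    server = ChapServer(b"SERVER", users)            # name assumed from the debug output
    chal = server.challenge(ident, challenge)
    resp = client_respond(chal, client_name, client_secret)
    result = server.verify(resp)
    return {"challenge_len": len(chal), "response_len": len(resp),
            "result_code": parse_chap(result)["code"], "result_len": len(result)}


if __name__ == "__main__":
    # Secrets assumed from Example 3-29 (lab value; the server copy is masked in the book)
    db = {"PIX1": b"cisco", "IOS-FW": b"cisco"}
    print(run_exchange(b"PIX1", b"cisco", db))
    print(run_exchange(b"PIX1", b"wrong", db))
```

Two points follow from the arithmetic. The server must compute the same MD5 over the plaintext secret, so it has to store that secret reversibly: on IOS that is the username ... password form used in Example 3-29 (type 7 at best under service password-encryption), and a username ... secret entry, which keeps only a hash, cannot serve CHAP. And because the response is bound to the Identifier and to a challenge the server generated and discards after one use, a captured Response cannot be replayed; the secret itself, though, is exposed to an offline dictionary attack by anyone who captures a challenge/response pair, which is why a lab value like cisco should never leave the lab.
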
Example 3-30 documents the relevant information concerning PPPoE negotiation on the server side when the aggregator establishes a session with PIX1 (refer to Figure 3-10). The example also shows PIX1's perspective, characterizing session creation and IP address assignment. Note that the setroute keyword of the ip address pppoe command (refer to Example 3-29) results in PIX1 installing a default route that points to the aggregator router, which is reachable through interface out1; the show route output at the end of the example confirms the aggregator as the gateway of last resort.

Example 3-30. Sample PPP Session Negotiation (Server Side)

ppp1 PPP: Phase is ESTABLISHING, Passive Open
[output suppressed]
ppp1 LCP:    MRU 1492 (0x010405D4)
ppp1 LCP:    AuthProto CHAP (0x0305C22305)
ppp1 LCP:    MagicNumber 0xE80FF183 (0x0506E80FF183)
ppp1 LCP: State is Open
ppp1 PPP: Phase is AUTHENTICATING, by this end
ppp1 CHAP: O CHALLENGE id 1 len 27 from "SERVER"
ppp1 CHAP: I RESPONSE id 1 len 25 from "PIX1"
ppp1 PPP: Phase is FORWARDING, Attempting Forward
ppp1 PPP SSS: Receive SSS-Mgr Connect-Local
ppp1 PPP: Phase is AUTHENTICATING, Unauthenticated User
ppp1 PPP: Phase is FORWARDING, Attempting Forward
ppp1 PPP: Send Message[Connect Local]
ppp1 PPP: Bind to [Virtual-Access1.1]
Vi1.1 PPP: Send Message[Static Bind Response]
Vi1.1 PPP: Phase is AUTHENTICATING, Authenticated User
Vi1.1 CHAP: O SUCCESS id 1 len 4
Vi1.1 PPP: Phase is UP
[output suppressed]
Vi1.1 IPCP: I CONFREQ [ACKrcvd] id 2 len 10
Vi1.1 IPCP:    Address (0x0306AC10E650)
Vi1.1 IPCP: O CONFACK [ACKrcvd] id 2 len 10
Vi1.1 IPCP:    Address (0x0306AC10E650)
Vi1.1 IPCP: State is Open
Vi1.1 IPCP: Install route to
! Session establishment as seen on the client side (PIX/ASA)
%PIX-6-603108: Built PPPOE Tunnel, tunnel_id = 1, remote_peer_ip =
ppp_virtual_interface_id = 1, client_dynamic_ip =
username = PIX1
PIX1# show vpdn pppinterface | exclude MPPE
PPP virtual interface id = 1
PPP authentication protocol is CHAP
Server ip address is
Our ip address is
Transmitted Pkts: 403, Received Pkts: 404, Error Pkts: 0
PIX1# show route out1 | begin Gateway

Gateway of last resort is to network
S* [1/0] via, out1
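
A decoder for the option hex dumps that debug ppp negotiation prints, added here as a Python example that is not part of the book. Each parenthesised value in Example 3-30 is one PPP configuration option in Type/Length/Value form: 0x010405D4 is LCP option 1 (MRU) carrying 0x05D4 = 1492, 0x0305C22305 is LCP option 3 (Authentication-Protocol) naming CHAP (0xC223) with the MD5 algorithm (5), 0x0506E80FF183 is LCP option 5 (Magic-Number), and 0x0306AC10E650 is IPCP option 3 (IP-Address), the address IPCP assigned to PIX1. Option type numbers are per protocol, which is why the decoder must know whether a line came from LCP or IPCP. The sample lines are copied from Example 3-30; the regular expression for the debug line layout is my assumption.

```python
import ipaddress
import re
import struct

# Authentication protocol numbers carried in the LCP Authentication-Protocol option
AUTH_PROTOS = {0xC023: "PAP", 0xC223: "CHAP"}
CHAP_ALGOS = {5: "MD5", 0x80: "MS-CHAP", 0x81: "MS-CHAPv2"}

# RFC 2516 section 7: the 6-byte PPPoE header and 2-byte PPP protocol field come out of
# the 1500-byte Ethernet payload, so the MRU must not be negotiated above 1492
PPPOE_MAX_MRU = 1500 - 6 - 2

# Assumed layout of one option line: "<interface> <LCP|IPCP>: <label> (0x<hex>)"
DEBUG_RE = re.compile(r"^\S+\s+(LCP|IPCP):\s+(.*?)\s+\((0x[0-9A-Fa-f]+)\)\s*$")


def decode_option(hexstr: str, protocol: str) -> tuple:
    """Decode one PPP configuration option TLV; type numbers differ between LCP (RFC 1661) and IPCP (RFC 1332)."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(raw) < 2:
        raise ValueError("option too short")
    otype, olen = raw[0], raw[1]
    if olen != len(raw) or olen < 2:
        raise ValueError(f"Length byte {olen} does not match {len(raw)} bytes")
    data = raw[2:]
    if protocol == "LCP":
        if otype == 1 and olen == 4:
            return ("MRU", struct.unpack("!H", data)[0])
        if otype == 3 and olen >= 4:
            proto = struct.unpack("!H", data[:2])[0]
            name = AUTH_PROTOS.get(proto, f"0x{proto:04X}")
            if proto == 0xC223 and olen == 5:   # CHAP carries one extra byte: the algorithm
                name += " " + CHAP_ALGOS.get(data[2], f"algo 0x{data[2]:02X}")
            return ("AuthProto", name)
        if otype == 5 and olen == 6:
            return ("MagicNumber", "0x" + data.hex().upper())
    elif protocol == "IPCP":
        if otype == 3 and olen == 6:
            return ("Address", str(ipaddress.IPv4Address(data)))
    return (f"{protocol}-type-{otype}", data.hex())


def pppoe_mru_ok(mru: int) -> bool:
    """True when a negotiated MRU fits inside a PPPoE-encapsulated Ethernet frame."""
    return 0 < mru <= PPPOE_MAX_MRU


def decode_debug_line(line: str):
    """Return the decoded option for an option line, or None for any other debug line."""
    m = DEBUG_RE.match(line)
    if not m:
        return None
    protocol, _label, hexstr = m.groups()
    return decode_option(hexstr, protocol)


def decode_debug_output(lines) -> list:
    """Run the decoder over a whole debug ppp negotiation capture."""
    return [d for d in (decode_debug_line(l) for l in lines) if d is not None]


# Sample input: option lines copied from Example 3-30 (server side)
SAMPLE_DEBUG = """\
ppp1 LCP:    MRU 1492 (0x010405D4)
ppp1 LCP:    AuthProto CHAP (0x0305C22305)
ppp1 LCP:    MagicNumber 0xE80FF183 (0x0506E80FF183)
ppp1 LCP: State is Open
Vi1.1 IPCP: I CONFREQ [ACKrcvd] id 2 len 10
Vi1.1 IPCP:    Address (0x0306AC10E650)
""".splitlines()


if __name__ == "__main__":
    for name, value in decode_debug_output(SAMPLE_DEBUG):
        print(f"{name:12} {value}")
```

The MRU line is the one worth checking first when a PPPoE client "connects but large transfers stall": the client negotiated 1492 because that is all a PPPoE frame can carry, and a host behind it that still sends 1500-byte packets with DF set will have them dropped at the CPE unless the firewall clamps the TCP MSS or lowers the inside MTU accordingly.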

Example 3-31 shows the PPPoE sessions from the server (aggregator) standpoint. Once IPCP completes, the server installs a /32 host route to each client through the corresponding virtual-access interface.

Example 3-32 complements the previous example by documenting an IOS client's point of view of the PPPoE sessions. The IP Control Protocol (IPCP) phase is the component of PPP negotiation in charge of IP address assignment (refer to Example 3-30); accordingly, show ip interface brief reports IPCP as the method by which Dialer2 obtained its address.

Example 3-31. PPPoE Sessions, as Seen on the Server Side

! Visualizing PPPoE sessions (server side)
SERVER# show pppoe session
     2 sessions in LOCALLY_TERMINATED (PTA) State
     2 sessions total
Uniq ID  PPPoE  RemMAC          Port                  Source   VA         State
           SID  LocMAC                                         VA-st
      2      2  0050.54ff.4c4e  Fa3/0.1230            Vt1      Vi1.1      PTA
                00e0.1e94.7510  VLAN :1230                   UP
      3      3  0015.6200.9871  Fa3/0.1230            Vt1      Vi1.2      PTA
                00e0.1e94.7510  VLAN :1230                   UP
! After IP Address Assignment the Server installs /32 routes to clients
SERVER# show ip route | begin Gateway
Gateway of last resort is not set
      is variably subnetted, 5 subnets, 2 masks
C is directly connected, Virtual-Access1.1
C is directly connected, Virtual-Access1.2
C is directly connected, FastEthernet3/0.1250
C is directly connected, FastEthernet3/0.1240
C is directly connected, FastEthernet3/0.1230

Example 3-32. PPPoE Sessions, as Seen on the Client Side (IOS-FW)

IOS-FW# show pppoe session
     1 client session
Uniq ID  PPPoE  RemMAC          Port                  Source   VA         State
           SID  LocMAC                                         VA-st
    N/A      3  00e0.1e94.7510  Fa4.1230              Di2      Vi1        UP
                0015.6200.9871  VLAN :1230                   UP
! Characterizing that the Dialer2's IP Address was obtained using IPCP
IOS-FW# show ip interface brief | include Dialer2|Method
Interface                  IP-Address      OK? Method Status                Protocol
Dialer2             YES IPCP   up                    up
! IP Routes that point to interface Dialer2
IOS-FW# show ip route | include Dialer2|Gateway
Gateway of last resort is to network
C is directly connected, Dialer2
C is directly connected, Dialer2

S* is directly connected, Dialer2