
  • PPPoE problem in PIX 515!!!

    Hi all!!!!
    I am using NetNam as the ISP.
    This is the PPPoE configuration of the PIX 515:

    sdsvn-fw(config)# show vpdn group
    vpdn group pppoe_group request dialout pppoe
    vpdn group pppoe_group localname sds
    vpdn group pppoe_group ppp authentication pap

    sdsvn-fw(config)# show vpdn username
    vpdn username sds password *********

    sdsvn-fw(config)# show run
    .................................................. .....
    ip address outside pppoe
    .................................................. ....

    I have entered the username and password correctly (as issued by the ISP).
    And this is the output after I ran debug:

    sdsvn-fw(config)# debug pppoe packet
    send_padi:(Snd) Dest:ffff.ffff.ffff Src:0050.54ff.8859 Type:0x8863=PPPoE-Discovery

    Ver:1 Type:1 Code:09=PADI Sess:0 Len:12
    Type:0101:SVCNAME-Service Name Len:0
    Type:0103:HOSTUNIQ-Host Unique Tag Len:4 0000000C

    PPPoE:(Rcv) Dest:0050.54ff.8859 Src:0030.488d.a53f Type:0x8863=PPPoE-Discovery

    Ver:1 Type:1 Code:07=PADO Sess:0 Len:45
    Type:0102:ACNAME-AC Name Len:5 bras8

    Type:0101:SVCNAME-Service Name Len:0
    Type:0104:ACCOOKIE-AC Cookie Len:20
    EAB089BC 2B8CBD70 1009239F 5E2840E7
    CD1C0000
    Type:0103:HOSTUNIQ-Host Unique Tag Len:4 0000000C

    send_padr:(Snd) Dest:0030.488d.a53f Src:0050.54ff.8859 Type:0x8863=PPPoE-Discovery

    Ver:1 Type:1 Code:19=PADR Sess:0 Len:45
    Type:0102:ACNAME-AC Name Len:5 bras8

    Type:0101:SVCNAME-Service Name Len:0
    Type:0104:ACCOOKIE-AC Cookie Len:20
    EAB089BC 2B8CBD70 1009239F 5E2840E7
    CD1C0000
    Type:0103:HOSTUNIQ-Host Unique Tag Len:4 0000000C

    PPPoE:(Rcv) Dest:0050.54ff.8859 Src:0030.488d.a53f Type:0x8863=PPPoE-Discovery

    Ver:1 Type:1 Code:65=PADS Sess:2860 Len:12
    Type:0101:SVCNAME-Service Name Len:0
    Type:0103:HOSTUNIQ-Host Unique Tag Len:4 0000000C

    PPPoE:(Rcv) Dest:0050.54ff.8859 Src:0030.488d.a53f Type:0x8863=PPPoE-Discovery

    Ver:1 Type:1 Code:A7=PADT Sess:2860 Len:43
    Type:0203:GENERICERR-Generic Error Len:39
    RP-PPPoE: Child pppd process terminated


    sdsvn-fw(config)# show vpdn session

    %No active L2TP tunnels
    %No active PPTP tunnels
    PPPoE Session Information (Total tunnels=1 sessions=0)
    Remote MAC is 00:30:48:8D:A5:3F
    Session state is SESSION_SHUTDOWN
    Time since event change 1546 secs, interface outside
    7 packets sent, 0 received, 76 bytes sent, 0 received
    termination info:
    peer refused to authenticate
    LCP down

    sdsvn-fw(config)# debug pppoe event

    sdsvn-fw(config)#
    PPPoE: PADO
    PPPoE: PADS
    IN PADS from PPPoE tunnel
    PPPoE: Opening PPP link and starting negotiations.
    PPPoE: PADT
    PPPoE: Shutting down client session

    sdsvn-fw(config)# show ip address outside pppoe
    PPPoE session has not been established yet.

    I hope everyone can help!!!
    Thank you
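
An added example, not part of any post: a small parser for the `debug pppoe packet` trace in post #1 that reports how far PPPoE discovery got and which side sent the PADT. The names `parse_trace` and `diagnose` are hypothetical, and the embedded trace is an abridged copy of the one above.

```python
import re

# Constructed sample: abridged copy of the `debug pppoe packet` trace in post #1.
TRACE = """\
send_padi:(Snd) Dest:ffff.ffff.ffff Src:0050.54ff.8859 Type:0x8863=PPPoE-Discovery
Ver:1 Type:1 Code:09=PADI Sess:0 Len:12
PPPoE:(Rcv) Dest:0050.54ff.8859 Src:0030.488d.a53f Type:0x8863=PPPoE-Discovery
Ver:1 Type:1 Code:07=PADO Sess:0 Len:45
send_padr:(Snd) Dest:0030.488d.a53f Src:0050.54ff.8859 Type:0x8863=PPPoE-Discovery
Ver:1 Type:1 Code:19=PADR Sess:0 Len:45
PPPoE:(Rcv) Dest:0050.54ff.8859 Src:0030.488d.a53f Type:0x8863=PPPoE-Discovery
Ver:1 Type:1 Code:65=PADS Sess:2860 Len:12
PPPoE:(Rcv) Dest:0050.54ff.8859 Src:0030.488d.a53f Type:0x8863=PPPoE-Discovery
Ver:1 Type:1 Code:A7=PADT Sess:2860 Len:43
Type:0203:GENERICERR-Generic Error Len:39
RP-PPPoE: Child pppd process terminated
"""

HDR = re.compile(r"\((Snd|Rcv)\) Dest:\S+ Src:(\S+)")
CODE = re.compile(r"Code:[0-9A-Fa-f]{2}=(PAD[IORST]) Sess:(\w+)")

def parse_trace(text):
    """Return one dict per discovery packet: dir, src, code, sess, error."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    packets, pending = [], None
    for i, line in enumerate(lines):
        if m := HDR.search(line):
            pending = {"dir": m.group(1), "src": m.group(2)}
        elif (m := CODE.search(line)) and pending:
            packets.append({**pending, "code": m.group(1),
                            "sess": m.group(2), "error": None})
            pending = None
        elif "GENERICERR" in line and packets and i + 1 < len(lines):
            packets[-1]["error"] = lines[i + 1]  # error text is on the next line
    return packets

def diagnose(packets):
    """Say how far discovery got and which side ended the session."""
    codes = [p["code"] for p in packets]
    if "PADO" not in codes:
        return "no PADO: no access concentrator answered the PADI"
    if "PADS" not in codes:
        return "no PADS: an offer arrived but no session was confirmed"
    padt = next((p for p in packets if p["code"] == "PADT"), None)
    if padt is None:
        return "discovery completed, no PADT seen"
    side = "access concentrator" if padt["dir"] == "Rcv" else "client"
    return f"session {padt['sess']} ended by {side} ({padt['src']}): {padt['error']}"
```

Calling `diagnose(parse_trace(TRACE))` on the trace from post #1 reports a PADT received from the access concentrator right after the PADS, which separates this case from the "PPPoE server does not respond" case, where no PADO ever arrives.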

  • #2
    Using the PIX Firewall PPPoE Client

    Configuring the PPPoE Client Username and Password

    To configure the username and password used to authenticate the PIX Firewall to the access concentrator, use the PIX Firewall vpdn command. The vpdn command is used to enable remote access protocols, such as L2TP, PPTP, and PPPoE. To use the vpdn command, you first define a VPDN group and then create individual users within the group. To configure a PPPoE username and password, perform the following steps:

    Step 1
    Define the VPDN group to be used for PPPoE, by entering the following command:

    vpdn group group_name request dialout pppoe


    In this command, replace group_name with a descriptive name for the group, such as "pppoe-sbc."

    Step 2
    If your ISP requires authentication, select an authentication protocol by entering the following command:

    vpdn group group_name ppp authentication PAP|CHAP|MSCHAP


    Replace group_name with the same group name you defined in the previous step. Enter the appropriate keyword for the type of authentication used by your ISP:

    PAP—Password Authentication Protocol
    CHAP—Challenge Handshake Authentication Protocol
    MS-CHAP—Microsoft Challenge Handshake Authentication Protocol

    Note When using CHAP or MS-CHAP, the username may be referred to as the remote system name, while the password may be referred to as the CHAP secret.

    Step 3
    Associate the username assigned by your ISP to the VPDN group by entering the following command:

    vpdn group group_name localname username



    Replace group_name with the VPDN group name and username with the username assigned by your ISP.

    Step 4
    Create a username and password pair for the PPPoE connection by entering the following command:
    vpdn username username password pass [store-local]


    Replace username with the username and pass with the password assigned by your ISP.

    Note The store-local option stores the username and password in a special location of NVRAM on the PIX Firewall. If an Auto Update Server sends a clear config command to the PIX Firewall and the connection is then interrupted, the PIX Firewall can read the username and password from NVRAM and re-authenticate to the Access Concentrator.

    Enabling PPPoE on the PIX Firewall



    Note You must complete the configuration using the vpdn command, described in "Configuring the PPPoE Client Username and Password," before enabling PPPoE.

    The PPPoE client functionality is turned off by default. To enable the PPPoE client, enter the following command.

    ip address ifName pppoe [setroute]



    Reenter this command to clear and restart the PPPoE session. The current session will be shut down and a new one will be restarted. For example:
    ip address outside pppoe


    The PPPoE client is only supported on the outside interface of the PIX Firewall. PPPoE is not supported in conjunction with DHCP because with PPPoE the IP address is assigned by PPP. The setroute option causes a default route to be created if no default route exists. The default router will be the address of the access concentrator. The maximum transmission unit (MTU) size is automatically set to 1492 bytes, which is the correct value to allow PPPoE transmission within an Ethernet frame.
    Using PPPoE with a Fixed IP Address

    You can also enable PPPoE by manually entering the IP address, using the command in the following format:
    ip address ifname ipaddress mask pppoe



    This command causes the PIX Firewall to use the specified address instead of negotiating with the PPPoE server to assign an address dynamically. To use this command, replace ifname with the name of the outside interface of the PIX Firewall connected to the PPPoE server. Replace ipaddress and mask with the IP address and subnet mask assigned to your PIX Firewall.

    For example:
    ip address outside 201.n.n.n 255.255.255.0 pppoe

    In addition, take a look at this link:
    Đặng Quang Minh, CCIEx2#11897 (Enterprise Infrastructure, Wireless), DEVNET, CCSI#31417

    Email : dangquangminh@vnpro.org
    https://www.facebook.com/groups/vietprofessional/



    • #3
      Thank you, teacher!
      I have already read this document.... today I read one more document from Cisco.
      Troubleshooting Information:


      Authentication fails (for example, bad username/password).

      Rcvd Link Control Protocol pkt, Action code is: Echo Reply,
      len is: 4 Pkt dump: d0c3305c

      PPP pap recv authen nak: 41757468656e7469636174696f6e206661696c757265
      PPP PAP authentication failed
      Rcvd Link Control Protocol pkt, Action code is: Termination Request,
      len is: 0

      Authentication protocol is invalid (for example, PAP/CHAP misconfigured).

      Xmit Link Control Protocol pkt, Action code is:
      Config Request, len is: 6
      Pkt dump: 05064a53ae2a
      LCP Option: MAGIC_NUMBER, len: 6, data: 4a53ae2a

      Rcvd Link Control Protocol pkt, Action code is: Config Request, len is: 14
      Pkt dump: 010405d40304c0230506d0c88668
      LCP Option: Max_Rcv_Units, len: 4, data: 05d4
      LCP Option: AUTHENTICATION_TYPES, len: 4, data: c023
      LCP Option: MAGIC_NUMBER, len: 6, data: d0c88668


      PPPoE server does not respond, retry every 30 seconds.

      send_padi:(Snd) Dest:ffff.ffff.ffff Src:0007.5057.e27e
      Type:0x8863=PPPoE-Discovery

      Ver:1 Type:1 Code:09=PADI Sess:0 Len:12
      Type:0101:SVCNAME-Service Name Len:0
      Type:0103:HOSTUNIQ-Host Unique Tag Len:4 00000001

      padi timer expired

      send_padi:(Snd) Dest:ffff.ffff.ffff Src:0007.5057.e27e
      Type:0x8863=PPPoE-Discovery

      Ver:1 Type:1 Code:09=PADI Sess:0 Len:12
      Type:0101:SVCNAME-Service Name Len:0
      Type:0103:HOSTUNIQ-Host Unique Tag Len:4 00000001

      padi timer expired

      send_padi:(Snd) Dest:ffff.ffff.ffff Src:0007.5057.e27e
      Type:0x8863=PPPoE-Discovery

      Ver:1 Type:1 Code:09=PADI Sess:0 Len:12
      Type:0101:SVCNAME-Service Name Len:0
      Type:0103:HOSTUNIQ-Host Unique Tag Len:4 00000001

      padi timer expired


      I think my problem is the third case: "PPPoE server does not respond"
      Why does this happen!!!
      I hope everyone and the teacher can explain.....thnx!!!!!
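
An added example, not part of any post or of the Cisco document quoted in post #3: decoding the hex in that troubleshooting output. It assumes the `Pkt dump` of an LCP Config Request holds only the option list (type, length, data), as the decoded lines beneath it suggest; all function names are hypothetical.

```python
LCP_OPTIONS = {1: "MRU", 3: "Authentication-Protocol", 5: "Magic-Number"}
CHAP_ALGORITHMS = {0x05: "CHAP", 0x80: "MSCHAP"}  # algorithm byte after c223

# Hex strings copied from the Cisco output quoted in post #3.
PEER_CONFIG_REQUEST = "010405d40304c0230506d0c88668"
PAP_NAK = "41757468656e7469636174696f6e206661696c757265"

def decode_auth(data):
    """Map an Authentication-Protocol option body to a PIX keyword."""
    proto = int.from_bytes(data[:2], "big")
    if proto == 0xC023:
        return "PAP"
    if proto == 0xC223:
        return CHAP_ALGORITHMS.get(data[2], "CHAP") if len(data) > 2 else "CHAP"
    return f"{proto:#06x}"

def parse_lcp_options(hex_dump):
    """Split an LCP option list into (name, value); length covers the header."""
    raw, out, i = bytes.fromhex(hex_dump), [], 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated option header")
        opt_type, opt_len = raw[i], raw[i + 1]
        if opt_len < 2 or i + opt_len > len(raw):
            raise ValueError(f"bad length {opt_len} for option {opt_type}")
        data = raw[i + 2:i + opt_len]
        name = LCP_OPTIONS.get(opt_type, f"option-{opt_type}")
        if opt_type == 1 and len(data) == 2:
            value = int.from_bytes(data, "big")  # MRU in bytes
        elif opt_type == 3 and len(data) >= 2:
            value = decode_auth(data)
        else:
            value = data.hex()
        out.append((name, value))
        i += opt_len
    return out

def auth_mismatch(configured, peer_dump):
    """True when the peer asks for a protocol other than the configured keyword."""
    requested = dict(parse_lcp_options(peer_dump)).get("Authentication-Protocol")
    return requested is not None and requested != configured.upper()

def pap_message(hex_text):
    """The PAP NAK payload in the debug line is plain ASCII."""
    return bytes.fromhex(hex_text).decode("ascii", errors="replace")
```

On the quoted dump the peer asks for an MRU of 1492 and PAP (`c023`), so a `vpdn group ... ppp authentication` setting of CHAP or MSCHAP would be the mismatch that case describes; the NAK string decodes to a readable failure message.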



      • #4
        Are you sure your ADSL modem is working properly? Have you tested that ADSL line with any device other than the PIX?
        Đặng Quang Minh, CCIEx2#11897 (Enterprise Infrastructure, Wireless), DEVNET, CCSI#31417

        Email : dangquangminh@vnpro.org
        https://www.facebook.com/groups/vietprofessional/



        • #5
          Last time I also configured PPPoE on an ASA5510. Ask the ISP to reset things on their side for you; I think that will probably be OK.



          • #6
            Teacher!!! Before this, I had already tested my ADSL modem with the Cisco Linksys router!!! PPPoE OK!
            But with the PIX it still does not work!!!
            Thanks hoannx!!! I will ask NetNam to reset it!!! Ah!!! Which ISP were you using when you configured PPPoE on the ASA....



            • #7
              Thanks hoannx once again!!!!
              I did it....
              The ISP, NetNam, had hardcoded the MAC address of the Linksys Cisco router...
              I had to tell the ISP the MAC address of the PIX......hehe
              Thanks everyone!!!
