PPPoE and the PIX Firewall

Point-to-Point Protocol over Ethernet (PPPoE) incorporates two widely used and understood standards: PPP and Ethernet. The PPPoE specification connects hosts on an Ethernet to the Internet through a common broadband medium, such as a DSL line, cable modem, or wireless device. With PPPoE, the principles of Ethernet, which supports multiple users on a LAN, are combined with the principles of PPP, which uses serial connections. Figure 21-4 shows a simple PPPoE installation.

Figure 21-4: PDM graphical interface showing the System Properties page

The PPPoE client was introduced on the PIX Firewall with PIX OS version 6.2. The Cisco PPPoE implementation is specifically targeted at smaller installations using the low-end PIX (501/506) devices. PPPoE is currently supported only on the outside interface of the PIX Firewall. Layer Two Tunneling Protocol (L2TP) and Point-to-Point Tunneling Protocol (PPTP) aren't currently supported together with PPPoE in PIX OS version 6.2.

Once configured, all traffic is encapsulated with PPPoE/PPP headers with Password Authentication Protocol (PAP) as the default authentication mechanism. You can configure Challenge Handshake Authentication Protocol (CHAP) or MS-CHAP manually.

The following are the basic commands required to configure PPPoE features for the inbound connections:

  1. Use the vpdn group group_name request dialout pppoe command to define a VPDN group to be used for PPPoE. Unless the VPDN group for PPPoE is configured, PPPoE won’t be able to establish a connection. The group_name is an ASCII string up to 63 characters in length.

  2. If the ISP requires authentication, use the vpdn group group_name ppp authentication {PAP | CHAP | MSCHAP} command to select the authentication protocol used by the ISP. The Windows dial-up networking client setting allows you to select PAP, CHAP, or MS-CHAP as the authentication protocol. The protocol specified on the client must match the setting on the PIX Firewall. If no authentication protocol is specified on the client, the PIX uses the PPP default; in that case, do not specify the ppp authentication option in the configuration.

  3. Use the vpdn group group_name localname username command to associate the user name assigned by your ISP with the VPDN group. This is also the user name used in the vpdn username command (Step 4).

  4. Use the vpdn username username password password command to create a user name and password pair to be used for the PPPoE connection. The user name must be a user name already used in the vpdn group command (Step 3).

  5. The PPPoE client functionality is turned off by default, so after the VPDN configuration is complete, enable PPPoE with the ip address if_name pppoe [setroute] command. The setroute option causes a default route to be created if no default route exists. The PPPoE vpdn commands must be configured before enabling PPPoE with the ip address pppoe command.

The following is a sample PPPoE configuration:

Pix(config)# vpdn group pppoegrp1 request dialout pppoe 
Pix(config)# vpdn group pppoegrp1 localname test1 
Pix(config)# vpdn group pppoegrp1 ppp authentication pap 
Pix(config)# vpdn username test1 password test1pass 
Pix(config)# ip address outside pppoe setroute
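The five steps above impose ordering and naming constraints that are easy to get wrong by hand. As an added example (not from this book or from Cisco), the following Python checker applies those constraints to a PIX configuration excerpt: a vpdn group with request dialout pppoe must exist before the ip address ... pppoe line, that group's localname must match a vpdn username entry, and PAP is flagged because the ISP password then crosses the link in cleartext. The sample configuration is constructed after the one shown above.

```python
# Constructed sample configuration, modelled on the page's example
# (not captured from a real device).
SAMPLE_CONFIG = """\
vpdn group pppoegrp1 request dialout pppoe
vpdn group pppoegrp1 localname test1
vpdn group pppoegrp1 ppp authentication pap
vpdn username test1 password test1pass
ip address outside pppoe setroute
"""

def check_pppoe_config(config_text):
    """Return a list of findings; an empty list means the config is consistent."""
    findings = []
    groups = {}            # group_name -> settings seen for that vpdn group
    usernames = set()      # names defined with "vpdn username ..."
    ip_pppoe_line = None
    for lineno, line in enumerate(config_text.splitlines(), 1):
        t = line.split()
        if t[:2] == ["vpdn", "group"] and len(t) >= 4:
            g = groups.setdefault(t[2], {})
            if t[3:] == ["request", "dialout", "pppoe"]:
                g["pppoe"] = True                       # Step 1
            elif t[3] == "localname" and len(t) == 5:
                g["localname"] = t[4]                   # Step 3
            elif t[3:5] == ["ppp", "authentication"] and len(t) == 6:
                g["auth"] = t[5].lower()                # Step 2
        elif t[:2] == ["vpdn", "username"] and len(t) >= 5:
            usernames.add(t[2])                         # Step 4
        elif t[:2] == ["ip", "address"] and "pppoe" in t[3:]:
            ip_pppoe_line = lineno                      # Step 5
            # The vpdn commands must already be present at this point.
            if not any(g.get("pppoe") for g in groups.values()):
                findings.append("line %d: ip address pppoe precedes any "
                                "vpdn group ... request dialout pppoe" % lineno)
    pppoe_groups = [n for n, g in groups.items() if g.get("pppoe")]
    if not pppoe_groups:
        findings.append("no vpdn group is configured with request dialout pppoe")
    for name in pppoe_groups:
        g = groups[name]
        if "localname" not in g:
            findings.append("group %s: no localname configured" % name)
        elif g["localname"] not in usernames:
            findings.append("group %s: localname %s has no matching vpdn "
                            "username entry" % (name, g["localname"]))
        # PAP is the default when nothing is specified, and it is cleartext.
        if g.get("auth", "pap") == "pap":
            findings.append("group %s: PAP sends the ISP password in cleartext; "
                            "prefer chap or mschap if the ISP supports it" % name)
    if ip_pppoe_line is None:
        findings.append("PPPoE client not enabled (no ip address <if_name> pppoe)")
    return findings
```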

Use the show vpdn tunnel [pppoe] command to display tunnel information:

Pix# show vpdn tunnel pppoe
PPPoE Tunnel Information (Total tunnels=1 sessions=1)
Tunnel id 1 is up, remote id is 7, 1 active sessions
  Tunnel state is established, time since change 12 secs
  Remote Internet Address 192.168.100.20, port 1701
  Local Internet Address 192.168.65.97, port 1701
  37 packets sent, 63 received, 511 bytes sent, 5719 received
  Control Ns 3, Nr 4
  Local RWS 16, Remote RWS 8
  Retransmission time 1, max 1 seconds
  Unsent queuesize 0, max 0
  Resend queuesize 0, max 1
  Total resends 0, ZLB ACKs 2
  Retransmit time distribution: 0 0 0 0 0 0 0 0 0
pix#

Use the show vpdn username command to display the configured user name. The password is always shown encrypted.

Pix# show vpdn username
vpdn username test1 password *********
Pix#

Use the show vpdn session command to display the session information, and the show vpdn pppinterface command to display the interface identification value.
