PPPoE
1. Set the CT router to bridge mode.
2. Configure PPPoE on the ASA 5515.
fw02# show running-config vpdn
vpdn group CT request dialout pppoe
vpdn group CT localname user1234
vpdn group CT ppp authentication pap
vpdn username user1234 password *****
fw02# show run
fw02# show running-config int
fw02# show running-config interface g0/5
!
interface GigabitEthernet0/5
 nameif outside
 security-level 0
 dhcp client update dns
 pppoe client vpdn group CT
 ip address pppoe setroute
fw02#
fw02# show vpdn session pppoe state
PPPoE Session Information (Total tunnels=1 sessions=1)
SessID TunID Intf State Last Chg
22408 5 outside SESSION_UP 28161 secs
3. Publish the HTTP service to the internet.
fw02# show running-config access-list
access-list SSH extended permit ip any any
access-list SSH extended permit tcp any any log critical
access-list OUT extended permit icmp any any log
access-list OUT extended permit tcp any any eq www
access-list IN extended permit tcp any any eq 8888 log
access-list IN extended permit tcp any any eq www
access-list IN extended permit udp host x.x.x.x any
access-list IN extended permit tcp host x.x.x.x any
fw02# show running-config nat
!
object network OA
 nat (inside,outside) static interface service tcp www 8888
!
nat (inside,outside) after-auto source dynamic OA interface
fw02#
fw02# show nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static OA interface service tcp www 8888
translate_hits = 0, untranslate_hits = 78
Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic OA interface
translate_hits = 473, untranslate_hits = 0
fw02#
fw02# packet-tracer input outside tcp 8.8.8.8 12345 x.x.x.x 8888 detailed
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network OA
nat (inside,outside) static interface service tcp www 8888
Additional Information:
NAT divert to egress interface inside
Untranslate x.x.x.x/8888 to x.x.x.x/80
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUT in interface outside
access-list OUT extended permit tcp any any eq www
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac4a10fe0, priority=13, domain=permit, deny=false
hits=2, user_data=0x2aaab9906b80, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac3eb0280, priority=7, domain=conn-set, deny=false
hits=224, user_data=0x2aaacabcf980, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) after-auto source dynamic OA interface
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaab9bb49f0, priority=6, domain=nat, deny=false
hits=40, user_data=0x2aaac276e650, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=x.x.x.x, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=inside
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac2b1f880, priority=0, domain=nat-per-session, deny=false
hits=29568, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac44e2400, priority=0, domain=inspect-ip-options, deny=true
hits=7307, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac4aace50, priority=70, domain=inspect-icmp, deny=false
hits=50, user_data=0x2aaac4ac4ed0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac4380a90, priority=20, domain=lu, deny=false
hits=132, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac4b56900, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=1216, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network OA
nat (inside,outside) static interface service tcp www 8888
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2aaac447d000, priority=6, domain=nat-reverse, deny=false
hits=50, user_data=0x2aaac4480120, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=x.x.x.x, mask=255.255.255.255, port=80, tag=any, dscp=0x0
input_ifc=outside, output_ifc=inside
Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x2aaac2b1f880, priority=0, domain=nat-per-session, deny=false
hits=29570, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x2aaac475d220, priority=0, domain=inspect-ip-options, deny=true
hits=5834, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 7981, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
fw02#
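
In the trace above, Phase 1 untranslates port 8888 to 80 before Phase 2 matches `access-list OUT ... eq www`, so the ACL is evaluated against the real port, not the published one. The following is an added example (not part of the original notes) that parses packet-tracer output in this format and reports that relationship, plus whether the matching rule is `any any`; the sample text and its documentation addresses are constructed, and `PORT_NAMES` is a small assumed subset of ASA port keywords.

```python
import re

# Constructed sample: trimmed packet-tracer output in the format shown above,
# with documentation addresses standing in for the masked x.x.x.x values.
SAMPLE = """\
Phase: 1
Type: UN-NAT
Result: ALLOW
Config:
nat (inside,outside) static interface service tcp www 8888
Additional Information:
Untranslate 203.0.113.10/8888 to 192.168.1.10/80
Phase: 2
Type: ACCESS-LIST
Result: ALLOW
Config:
access-group OUT in interface outside
access-list OUT extended permit tcp any any eq www
Action: allow
"""

PORT_NAMES = {"www": 80, "https": 443}  # ASA keyword -> number (subset)

def parse_phases(text):
    """Split packet-tracer output into (type, body) pairs, one per phase."""
    blocks = re.split(r"(?m)^Phase: \d+\s*$", text)[1:]
    return [(re.search(r"(?m)^Type: (\S+)", b)[1], b) for b in blocks]

def summarize(text):
    """Report the un-NAT mapping, the ACL line that matched, and the verdict."""
    out = {"real": None, "mapped_port": None, "acl": None,
           "acl_on_real_port": None, "any_any": None, "action": None}
    for ptype, body in parse_phases(text):
        un = re.search(r"Untranslate \S+/(\d+) to (\S+)/(\d+)", body)
        acl = re.search(r"(?m)^access-list .*$", body)
        if ptype == "UN-NAT" and un:
            out["mapped_port"], out["real"] = int(un[1]), (un[2], int(un[3]))
        elif ptype == "ACCESS-LIST" and acl:
            out["acl"] = acl[0].strip()
            # any source and any destination: rule is not pinned to one host
            out["any_any"] = " any any" in out["acl"]
            eq = re.search(r" eq (\S+)", out["acl"])
            if eq and out["real"]:
                port = PORT_NAMES.get(eq[1]) or int(eq[1])
                out["acl_on_real_port"] = port == out["real"][1]
    act = re.search(r"(?m)^Action: (\w+)", text)
    out["action"] = act[1] if act else None
    return out
```

Calling `summarize()` on saved `packet-tracer ... detailed` output gives a one-record summary per trace, which makes it easy to spot published services whose permitting rule is broader than the single host and port being exposed.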