The Point-to-Point Protocol over Ethernet (PPPoE) is an Ethernet encapsulation of the Point-to-Point Protocol used most commonly for serial or dial-up connections. PPPoE's main purpose is similar to that of a DHCP client/server scenario. PPPoE clients receive IP address information from an ISP acting as a PPPoE server. The advantage of PPPoE over DHCP is that it can require username and password authentication before giving out connection information. Typical areas where this might be used are cable modems or DSL line configuration.

Configuring PPPoE on the PIX

The PIX firewall can support client PPPoE configurations only on the outside interface. To configure PPPoE, the vpdn command is needed. This versatile command is also used for creating VPN tunnels into the PIX. The steps to create a PPPoE client configuration are as follows:
The vpdn group Command

The vpdn group command creates a group with which all parameters for the PPPoE connection will be associated. The following displays the syntax of the vpdn group command for PPPoE:

pixfirewall(config)# vpdn group <group_name> request dialout pppoe

Table 8.7 displays the command options for the vpdn command for PPPoE.

Table 8.7. vpdn group command options
The following command demonstrates configuring a VPDN group named ExamCram that is using PPPoE as the requested dial-out connection:

pixfirewall(config)# vpdn group ExamCram request dialout pppoe

The vpdn group authentication Command

Just like PPP, PPPoE can use authentication. The PIX currently supports three types of authentication: PAP, CHAP, and MSCHAP. Its command syntax is shown here:

pixfirewall(config)# vpdn group <group_name> ppp authentication <pap|chap|mschap>

This command demonstrates setting a VPDN group named ExamCram to use PAP for authentication:

pixfirewall(config)# vpdn group ExamCram ppp authentication pap

The vpdn group localname Command

When connecting to an ISP, a username is given to the account, and this username must be linked to the VPDN group you are using for the PPPoE connection. The localname command links the username to the VPDN group. The command syntax is

pixfirewall(config)# vpdn group <group_name> localname <username>

The command shown here demonstrates setting a VPDN group named ExamCram with a local name of danny that will be sent to the ISP during the authentication phase:

pixfirewall(config)# vpdn group ExamCram localname danny

The vpdn username and password Command

The vpdn group localname command specifies only the username needed to connect to the ISP. However, the ISP also needs a password. This password is created separately from the vpdn group commands, but it is associated back to the group by using the same name as in the vpdn group localname command. For example, if you created a localname called danny, you would also create a username and password entry with danny. Here is the command syntax:

pixfirewall(config)# vpdn username <name> password <pwd>

This command demonstrates setting a VPDN username and password that will be sent to the ISP during the authentication phase. After it's configured, the PIX firewall will not require user interaction during the connection phase:

pixfirewall(config)# vpdn username danny password 123
The ip address Command

The last step is to enable PPPoE on the outside interface. The ip address command is used to enable PPPoE on the interface, and its command syntax is as follows:

pixfirewall(config)# ip address <if_name> <ip_address> <mask> pppoe [setroute]

The setroute option enables you to receive the default route from the ISP PPPoE server. The following is an example of setting the outside interface to use PPPoE with the setroute option:

pixfirewall(config)# ip address outside pppoe setroute

A PPPoE Example

Listing 8.4 displays the five commands needed to create a PPPoE client configuration on the PIX firewall.

Listing 8.4 Example Using PPPoE

pixfirewall(config)# vpdn group ExamCram request dialout pppoe
pixfirewall(config)# vpdn group ExamCram ppp authentication pap
pixfirewall(config)# vpdn group ExamCram localname danny
pixfirewall(config)# vpdn username danny password 123
pixfirewall(config)# ip address outside pppoe setroute