PPPoE cisco

PPPoE 246

Point-to-Point Protocol over Ethernet (PPPoE), defined in RFC 2516, is an encapsulation of Point-to-Point Protocol (PPP, RFC 1661) for Ethernet networks (which include DSL modems and cable connections). PPPoE is commonly used in SOHO environments because it allows ISPs to use their existing remote access infrastructure and, as its most important feature, allows authenticated IP address assignment. PPPoE links are established in two main phases:

- Active discovery phase: During this first phase, a PPPoE client attempts discovery of the PPPoE server, also called the access concentrator (AC). The PPPoE layer is established and a session ID is assigned.

- PPP session phase: A PPP link is established (encapsulated in Ethernet) by the usual means: options and link layer protocols are negotiated, etc. PPP authentication (PAP, CHAP, or MS-CHAP) is performed.

After the session is established, data travels between endpoints encapsulated in PPPoE headers.
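The discovery phase described above, as an added example that is not part of the original text: a minimal RFC 2516 frame encoder/decoder plus a constructed client and access concentrator that walk the PADI/PADO/PADR/PADS exchange. The AC name, cookie, offered service names and the assigned session ID 1 are assumptions of this example; the parser refuses a PPPoE length field that runs past the frame, and a PADS with session ID 0 is treated as the rejection the RFC defines.

```python
import struct

CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}   # RFC 2516 discovery codes
TAGS = {0x0101: "Service-Name", 0x0102: "AC-Name", 0x0103: "Host-Uniq",
        0x0104: "AC-Cookie", 0x0201: "Service-Name-Error"}
CODE_OF, TAG_OF = {v: k for k, v in CODES.items()}, {v: k for k, v in TAGS.items()}

def build(code, session_id, tags):
    """Encode a PPPoE header (ver=1, type=1) plus TLV tags; the Ethernet header is omitted."""
    body = b"".join(struct.pack("!HH", TAG_OF[t], len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", 0x11, CODE_OF[code], session_id, len(body)) + body

def parse(frame):
    """Decode a PPPoE frame into code, session ID and a tag dictionary, rejecting bad lengths."""
    vt, code, session_id, length = struct.unpack("!BBHH", frame[:6])
    if vt != 0x11:
        raise ValueError("not PPPoE version 1 / type 1")
    body = frame[6:6 + length]
    if len(body) != length:
        raise ValueError("PPPoE length field exceeds the frame")
    tags, off = {}, 0
    while off + 4 <= len(body):
        t, tlen = struct.unpack("!HH", body[off:off + 4])
        if t == 0:                                   # End-Of-List tag
            break
        tags[TAGS.get(t, hex(t))] = body[off + 4:off + 4 + tlen]
        off += 4 + tlen
    return {"code": CODES.get(code, hex(code)), "session_id": session_id, "tags": tags}

def access_concentrator(frame, offered=(b"", b"dsl"), cookie=b"\xde\xad\xbe\xef"):
    """Constructed AC: PADI gets a PADO, PADR gets a PADS (session ID 1 assumed) or a rejection."""
    req = parse(frame)
    echo = [("Host-Uniq", req["tags"]["Host-Uniq"])]   # echoed so the client can match the reply
    svc = req["tags"].get("Service-Name", b"")
    if req["code"] == "PADI":
        return build("PADO", 0, [("AC-Name", b"AC-1"), ("Service-Name", svc), ("AC-Cookie", cookie)] + echo)
    if req["code"] == "PADR" and req["tags"].get("AC-Cookie") == cookie and svc in offered:
        return build("PADS", 0x0001, [("Service-Name", svc)] + echo)
    return build("PADS", 0, [("Service-Name-Error", b"service not offered")] + echo)  # session 0 = reject

def discover(service=b"", host_uniq=b"\x01\x02\x03\x04"):
    """Client side of the discovery phase: returns the assigned session ID, or 0 when rejected."""
    pado = parse(access_concentrator(build("PADI", 0, [("Service-Name", service), ("Host-Uniq", host_uniq)])))
    if pado["code"] != "PADO" or pado["tags"].get("Host-Uniq") != host_uniq:
        return 0                                     # an offer that does not echo our Host-Uniq is not ours
    padr = build("PADR", 0, [("Service-Name", service), ("AC-Cookie", pado["tags"]["AC-Cookie"]),
                             ("Host-Uniq", host_uniq)])
    pads = parse(access_concentrator(padr))
    return pads["session_id"] if pads["code"] == "PADS" else 0
```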

The PIX firewall supports PPPoE since software version 6.2. Most of the PPPoE configuration is performed using the vpdn command. PPPoE configuration starts with configuring the username and password to be used by the PIX in establishing a link to the server.

NOTE

The PIX only supports PPPoE client functionality. PPPoE clients can be enabled only on the outside interface at this time (version 6.2).

First, a VPDN group needs to be created:

vpdn group group_name request dialout pppoe

www.syngress.com

210 Chapter 4 • Advanced PIX Configurations

The group_name parameter can be anything you like. It is used to group all PPPoE settings together. For example:

PIX1(config)# vpdn group my-pppoe-group request dialout pppoe

Then the authentication type needs to be selected (if required by an ISP):

vpdn group group_name ppp authentication pap | chap | mschap

PAP is Password Authentication Protocol, CHAP is Challenge-Handshake Authentication Protocol, and MS-CHAP is Microsoft's version of CHAP. With the same group name, this command selects an authentication protocol for this specific PPPoE group. For example, with CHAP authentication:

PIX1(config)# vpdn group my-pppoe-group ppp authentication chap

Your ISP assigns the username and password to your system, and they are configured on the PIX with the following commands:

vpdn group group_name localname username
vpdn username username password password

The second of these commands associates a username with the password, and the first command assigns the username to be used for a specific group, for example:

PIX1(config)# vpdn group my-pppoe-group localname witt
PIX1(config)# vpdn username witt password cruelmail

These commands assign the username witt and password cruelmail to be used for the PPPoE dialout group my-pppoe-group. After configuring authentication, the next task is to enable the PPPoE client on the PIX. This is done in the configuration of the outside interface:

ip address outside pppoe [setroute]

After this command is entered, the current PPPoE session is terminated and a new one is established. The setroute parameter allows automatically setting the default route for the outside interface. The MTU on the outside interface is automatically set to 1492, which is the correct setting to accommodate PPPoE encapsulation.

It is also possible to designate a fixed IP address for the outside interface. The PIX still has to provide the ISP with the correct username and password in order to establish the session:

PIX1(config)# ip address outside 1.2.3.4 255.255.255.0 pppoe
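The configuration steps above, as an added consistency check that is not part of the original text or of any Cisco tool: it parses the vpdn and ip address lines of a PIX 6.2-style configuration and reports a dialout group with no localname, a localname with no matching vpdn username, a group that is referenced but never created, a missing ip address ... pppoe line, and a PPPoE client on an interface other than outside. The sample configuration is constructed for this example and deliberately mistypes one group name to show what the check catches.

```python
import re

# Constructed sample in PIX 6.2 syntax; the group name in the localname line is deliberately
# mistyped ("my-ppoe-group") to show the check catching it.
SAMPLE_CONFIG = """\
vpdn group my-pppoe-group request dialout pppoe
vpdn group my-pppoe-group ppp authentication chap
vpdn group my-ppoe-group localname witt
vpdn username witt password cruelmail
ip address outside pppoe setroute
"""

PATTERNS = {
    "dialout": re.compile(r"vpdn group (\S+) request dialout pppoe$"),
    "auth": re.compile(r"vpdn group (\S+) ppp authentication (pap|chap|mschap)$"),
    "localname": re.compile(r"vpdn group (\S+) localname (\S+)$"),
    "user": re.compile(r"vpdn username (\S+) password (\S+)$"),
    "pppoe_if": re.compile(r"ip address (\S+) (?:\S+ \S+ )?pppoe(?: setroute)?$"),
}

def check_pppoe_config(config_text):
    """Return a list of findings; an empty list means the PPPoE client settings are consistent."""
    dialout, auth, localname, users, ifaces = set(), {}, {}, {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := PATTERNS["dialout"].match(line):
            dialout.add(m.group(1))
        elif m := PATTERNS["auth"].match(line):
            auth[m.group(1)] = m.group(2)
        elif m := PATTERNS["localname"].match(line):
            localname[m.group(1)] = m.group(2)
        elif m := PATTERNS["user"].match(line):
            users[m.group(1)] = m.group(2)
        elif m := PATTERNS["pppoe_if"].match(line):
            ifaces.append(m.group(1))
    findings = []
    for g in sorted(dialout):
        if g not in localname:
            findings.append(f"group {g}: no localname, so the PIX has no username to present")
        elif localname[g] not in users:
            findings.append(f"group {g}: localname {localname[g]} has no matching vpdn username")
        if g not in auth:
            findings.append(f"group {g}: no ppp authentication type (only fine if the ISP needs none)")
    for g in sorted((set(localname) | set(auth)) - dialout):
        findings.append(f"group {g}: referenced but never created with 'request dialout pppoe'")
    if not ifaces:
        findings.append("no 'ip address ... pppoe' line: the PPPoE client is not enabled")
    findings += [f"interface {i}: PPPoE client is supported only on outside" for i in ifaces if i != "outside"]
    return findings
```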


It is possible to use the dhcpd auto_config command if you run the DHCP server on the PIX in order to pick up DNS and WINS settings from your provider via the PPPoE client:

PIX1(config)# dhcpd auto_config outside

To monitor and troubleshoot the PPPoE client, use the following commands:

show ip address outside pppoe
debug pppoe event | error | packet
show vpdn session pppoe [id | packets | state | window]

Examples of output are as follows:

PIX1(config)# show vpdn
Tunnel id 0, 1 active sessions
time since change 10240 secs
Remote Internet Address 10.0.1.1
Local Internet Address 192.168.2.254
1006 packets sent, 1236 received, 98761 bytes sent, 123765 received
Remote Internet Address is 10.0.1.1
Session state is SESSION_UP
Time since event change 10237 secs, interface outside
PPP interface id is 1
1006 packets sent, 1236 received, 98761 bytes sent, 123765 received

PIX1(config)# show vpdn tunnel
PPPoE Tunnel Information (Total tunnels=1 sessions=1)
Tunnel id 0, 1 active sessions
time since change 10240 secs
Remote Internet Address 10.0.1.1
Local Internet Address 192.168.2.254
1006 packets sent, 1236 received, 98761 bytes sent, 123765 received

PIX1(config)# show vpdn session
PPPoE Session Information (Total tunnels=1 sessions=1)
Remote Internet Address is 10.0.1.1
Session state is SESSION_UP
Time since event change 100238 secs, interface outside
PPP interface id is 1
1006 packets sent, 1236 received, 98761 bytes sent, 123765 received


Summary

The Cisco PIX firewall is an advanced product and has many different options for supporting various application-layer protocols as well as protecting against network-layer attacks. It also supports content filtering for outbound Web access, intrusion detection, various routing options such as RIP and stub multicast routing, and DHCP server and client functionality.

Many protocols embed additional IP address information inside the exchanged packets or require additional connections on nonfixed ports in order to function properly. These functions are handled by the PIX application inspection feature (also known as fixup). The PIX supports FTP clients and servers in active and passive modes, and the DNS, RSH, RPC, SQL*Net, and LDAP protocols. It also supports various streaming protocols such as Real-Time Streaming Protocol, NetShow, and VDO Live. Another set of supported protocols includes H.323, SCCP, and SIP, all used in VoIP applications. The PIX monitors passing packets for the embedded information and updates its tables or permits new connections according to this information. It is also able to NAT these embedded addresses in several cases.

Content filtering features on the PIX can be used to enforce a company's acceptable use policy. The PIX can interface with Websense (www.websense.com) or N2H2 (www.n2h2.com) servers and deny or allow internal clients access to specific Web sites. The PIX is also able to filter out Java applets and ActiveX code from incoming Web pages to protect clients against malicious code.

The PIX firewall supports the same set of atomic intrusion detection signatures as the Cisco IOS firewall. This set is a subset of the signatures supported by the Cisco Secure IDS product. These signatures are divided into two sets: informational and attack. It is possible to configure different response options for each set of signatures. The responses range from simple alerting via syslog to blocking the connection in which a signature was detected.

For SOHO environments, the PIX firewall provides DHCP server and client functionality, although server capabilities are rather limited. The DHCP server supports a couple of specific options that are used by Cisco IP Phones. Other useful PIX features include support of stub multicast routing and PPP over Ethernet client capabilities. It also supports RIP versions 1 and 2, including authentication and multicast updates for version 2.

Finally, the PIX has built-in protection against various DoS attacks, such as SYN floods, attacks on AAA mechanisms, and excessive fragmentation. Antispoofing is supported by the reverse-path forwarding feature.


Solutions Fast Track

Handling Advanced Protocols

- Many applications use more than one connection to operate; only one of these connections occurs on a well-known port, whereas the others use dynamically assigned port numbers, which are negotiated in the process of communication. This makes firewalling by means of access lists very difficult. The PIX supports application inspection for many such protocols, which allows it to function correctly with them.

- The main command used to configure application inspection is the fixup command. It can be used for simpler protocols such as FTP, SMTP, or RSH.

- Newer versions of the PIX firewall offer support for various VoIP protocols, such as H.323, SCCP, and SIP.

Filtering Web Traffic

- Filtering Web traffic can be useful in two main cases. The first is if you want to use your firewall to enforce security policies such as an acceptable use policy, which may specify that internal users cannot use the company's Internet connection to browse certain categories of Web sites. The second is to protect internal users from malicious Web servers that embed executable applets in their Web pages, because such executable content can contain viruses or Trojan horses.

- The PIX supports two types of content filtering servers: Websense and N2H2. The main commands for configuring this feature are filter-url and url-server. The PIX also provides many commands for monitoring and tuning the filtering process.

- Active code filtering is limited to stripping [tag names missing in source] tags from the source of incoming Web pages. This stripping can only occur when the opening and closing tags are contained in the same IP packet. This filtering is configured with the filter java and filter activex commands.

Configuring Intrusion Detection

- The PIX supports a limited fixed set of (over 55) IDS signatures. These are signatures that can be detected by examining a single packet and do not require any session information. This set can be updated only by upgrading the PIX software.

- The signatures are divided into two sets: informational and attack. It is possible to configure different response options for each set: syslog alarm, dropping the packet, or dropping the whole connection in which the attack has occurred.

- Any signature can be disabled so that it will no longer be detected. This change has a global effect; the signature will not be detected on any interface by any audit until it is enabled again.

DHCP Functionality

- The Cisco PIX firewall can act both as a DHCP server and a client. PIX DHCP features are best suited for small networks because they have some limitations. For example, the DHCP server can support a maximum of 256 clients. There is also no BOOTP support and no failover support.

- The DHCP client can be configured only on the outside interface. It is able to obtain an IP address, subnet mask, default route, and DNS and WINS settings from the server. The obtained address can be used for NAT or PAT on the outside interface.

- The DHCP server can be configured only on the inside interface and serves only directly connected clients. The number of active clients depends on the PIX model and software version. It is possible to pass some settings that are obtained by the PIX DHCP client on the outside interface to the DHCP server running on the inside interface.

Other Advanced Features

- The PIX has built-in protection against DoS attacks such as SYN floods and AAA resource exhaustion. It also supports virtual reassembly of IP fragments and can impose some additional limitations on fragmented traffic.


- The PIX supports antispoofing protection using reverse-path forwarding (RPF). It also supports advanced routing features such as dynamic routing using RIP versions 1 and 2 and stub multicast routing.

- The PIX firewall can act as a PPPoE client on DSL or cable connections.

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form.

Q: What happens when FTP fixup is not enabled?

A: There are several cases:

- Outbound active FTP sessions will not work because the outside servers will not be able to open a data channel to an inside client.

- Outbound passive FTP sessions will work normally if outbound traffic is not explicitly disabled, because all connections in this case are initiated by an inside client.

- Inbound active FTP connections will work normally if there are a static NAT entry and an access list allowing outside clients to connect to the inside server.

- Inbound passive FTP connections will not work because outside clients will not be able to open data connections to the inside server.

Q: I have a PIX and an SMTP server configured on its inside network. Sometimes I get two copies of incoming mail messages. What is wrong with my server?

A: Nothing is wrong; there is a slight misbehavior on the PIX side. You probably have fixup protocol smtp configured. Some versions of PIX software send an error message to relaying servers when the final dot in the message body and [text missing in source] are not in the same IP packet. In this case, your internal server accepts the message for delivery, but the outside relaying server treats this as an error and attempts delivery again. Most of the time, this event does not happen twice in a row, so the second time delivery goes without error and you receive two copies of the same message. If this really irritates you, either turn SMTP fixup off or upgrade the PIX software.

Q: Is it possible to filter e-mail content in any way similar to Web content filtering?

A: No, this is not possible. The PIX does not inspect the contents of TCP packets related to e-mail and currently does not support any outside filtering servers.

Q: I have two links to my ISP, and I turned on RPF. Now half my traffic is being denied by the PIX. What should I do?

A: The only solution here is to turn RPF checking off. It simply does not work in a situation with asymmetric routing, where a response to the packet may come on a path other than the packet itself.

Q: I cannot get NFS to work through the PIX, although I configured an access list that permits client access to the portmapper on the server.

A: You are probably using NFS over TCP. The PIX does not support application inspection for RPC connections over TCP. Reconfigure your server to use UDP only.