
We have 2x Fortigate 200B firewalls that we wish to operate in Active/Active HA mode - though, obviously, they cannot do this with PPPoE/DHCP enabled on the externally facing interfaces.

To overcome this we want to use a Cisco 1841 as a PPPoE terminator on its f0/1 interface and present a static IP on its f0/0 interface (we have done similar with Cisco 857 boxes to terminate RJ11 ADSL PPPoE connections and forward present on a FE interface in RJ45 for the 200Bs). This will allow us to set both 200Bs to manual and issue them the public IP address.

The general theory is to:

Unnumber the static route address against the LAN f0/0 side with the PPPoE virtual interface Dialer1.

So, we have this config (which works) on our Cisco 857s:

!Internally facing

interface Ethernet0
 ip address [ip.add.ress.here] 255.255.255.248
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 hold-queue 100 out

!Externally facing ADSL connection

interface ATM0
 no ip address
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 8/35 
  no oam-pvc manage
  pppoe-client dial-pool-number 1

!Virtual PPPoE interface

interface Dialer1
 ip unnumbered Ethernet0
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname [our username]
 ppp chap password 7 [our password]
 ppp pap sent-username [our username] password 7 [our password]
!
ip route 0.0.0.0 0.0.0.0 Dialer1

On our 1841 we have this:

! Internally Facing

interface FastEthernet0/0
 ip address [ip.add.ress.here] 255.255.255.248
 ip nat inside
 speed 100
 full-duplex

! Externally Facing

interface FastEthernet0/1
 no ip address
 speed 100
 full-duplex
 pppoe enable group global
 pppoe-client dial-pool-number 1

! Virtual PPPoE Interface

interface Dialer1
 mtu 1492
 ip unnumbered FastEthernet0/0
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname [our username]
 ppp chap password 0 [our password]
 ppp pap sent-username [our username] password 0 [our password]
 no cdp enable
!
no ip classless
ip forward-protocol nd
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
dialer-list 1 protocol ip permit

But we don't seem to have any luck with this config; can anyone advise?

Myles Gray
  • What sort of errors do you get? – NickW Feb 07 '14 at 15:38
  • It's strange in that, consoled into the Cisco box, we can ping 8.8.8.8, PPPoE works etc. from that box; however, the way in which it transports it to the other ethernet port doesn't. I'm beginning to feel this may be a config problem 200B side rather than what I've done here with the Cisco box - I guess I could assign my laptop a public IP and set its gateway to be the 1841's internal interface address and see if I can access it. – Myles Gray Feb 07 '14 at 16:01
  • Yeah, that's why I was wondering what the error is, often the client errors can tell you a lot about what's off. – NickW Feb 07 '14 at 16:03
  • Just did the above, Cisco box working perfectly - must be routing on the 200B side. – Myles Gray Feb 07 '14 at 16:17
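
A quick way to see what actually differs between the working 857 config and the 1841 config posted above, as an added example that is not part of the question or the comments: it parses each IOS config into per-interface command sets, aligns them by role (LAN and dialer) rather than by interface name, and flags commands that change forwarding behaviour when they appear only on the 1841. The embedded configs are abridged from the post, and 192.0.2.1 is a placeholder address.

```python
# Added example, not from the post: diff the (abridged) 1841 config against the
# working 857 by interface role. 192.0.2.1 is a placeholder address.
WORKING_857 = """\
interface Ethernet0
 ip address 192.0.2.1 255.255.255.248
 ip tcp adjust-mss 1452
interface Dialer1
 ip unnumbered Ethernet0
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
"""
BROKEN_1841 = """\
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.248
 ip nat inside
interface Dialer1
 ip unnumbered FastEthernet0/0
 ip nat outside
 encapsulation ppp
 dialer pool 1
no ip classless
"""
NAT_NOTE = "NAT domain member; a matching 'ip nat inside source' rule would rewrite traffic"
NOTES = {"ip nat inside": NAT_NOTE, "ip nat outside": NAT_NOTE,  # forwarding-affecting
         "no ip classless": "classful lookups: traffic to an unknown subnet of a connected "
                            "major network is dropped instead of following the default route"}
ROLES = {"lan": ("Ethernet0", "FastEthernet0/0"), "dialer": ("Dialer1", "Dialer1")}
def parse_ios(config):
    """Map 'global' and each interface name to the set of commands under it."""
    blocks, cur = {"global": set()}, "global"
    for line in (l for l in config.splitlines() if l.strip() and l[0] != "!"):
        if line.startswith("interface "):
            cur = line.split(None, 1)[1].strip()
            blocks.setdefault(cur, set())
        else:  # indented lines belong to the open block, others are global
            cur = cur if line[0] == " " else "global"
            blocks[cur].add(line.strip())
    return blocks
def diff_by_role(working, broken, roles):
    """roles: role -> (working_ifname, broken_ifname); LAN names in commands -> <LAN>."""
    w, b = parse_ios(working), parse_ios(broken)
    (w_lan, b_lan), out = roles["lan"], {}
    for role, (wi, bi) in {**roles, "global": ("global", "global")}.items():
        ws = {c.replace(w_lan, "<LAN>") for c in w[wi]}
        bs = {c.replace(b_lan, "<LAN>") for c in b[bi]}
        extra = sorted(bs - ws)
        out[role] = {"missing": sorted(ws - bs), "extra": extra,
                     "notes": {c: NOTES[c] for c in extra if c in NOTES}}
    return out
```

Running `diff_by_role(WORKING_857, BROKEN_1841, ROLES)` reports the missing `ip tcp adjust-mss` on both 1841 interfaces, the extra `ip nat inside`/`ip nat outside`, and the global `no ip classless`, each with its note.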
