Cisco ASA: How to route PPPoE-assigned subnet?


How does the ASA know which range it is responsible for on the Fiber interface?

It doesn't. Your ISP knows (hopefully) that hosts within the given subnet are reachable via the ASA. If the ASA didn't have a connected peer (or another proper route to it), the ping-pong would begin: the ISP sends a packet to the ASA, and the ASA sends it back via its default route. That's why I'd recommend at least adding a static route saying that your assigned subnet is reachable via the Null device.

How do I use the addresses from my range?

Plenty of ways, actually. For example, you can NAT your private IPs to some IP within the subnet. You can subnet it further and connect some hosts to your ASA directly on those IPs.
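An added example (not from the answer, and not the asker's configuration) of what the NAT approach and the null route look like in ASA syntax, written against the objects and interface names already in the asker's config. The `188.xx.xx.176/28` range is the page's masked range; the public host `188.xx.xx.180`, the object name `marvin-public` and the ACL name `fiber_access_in` are assumptions. Note that `route null0` only exists on ASA 9.2(1) and later, not on the 8.3(2) image in the question; on 8.3 the implicit deny at the end of the inbound ACL on the fiber interface is what drops unsolicited packets to addresses in the block that no rule permits.

```cisco
! Added example: assumed names and addresses, not the asker's running config.
!
! Public address for the LAMP server, picked from the routed 188.xx.xx.176/28
! (188.xx.xx.180 is an assumed choice; .177 is the PPPoE-assigned address).
object network marvin-public
 host 188.xx.xx.180
!
! One-to-one static NAT on the fiber side: inside 10.10.0.205 <-> 188.xx.xx.180
! (the asker's existing object marvin.example.com already holds 10.10.0.205).
object network marvin.example.com
 nat (inside,fiber) static marvin-public
!
! On 8.3 and later the interface ACL matches the real (untranslated) address,
! so the rule references the inside object, not the public IP.
access-list fiber_access_in remark Only HTTP to the LAMP box from the fiber uplink
access-list fiber_access_in extended permit tcp any object marvin.example.com eq www
access-group fiber_access_in in interface fiber
!
! Same anti-spoofing check the config already applies to the outside interface.
ip verify reverse-path interface fiber
!
! When fiber becomes the default uplink: "setroute" installs the default route
! learned from the PPPoE peer, so no hand-written route with a next hop is needed.
interface Vlan50
 ip address pppoe setroute
!
! Catch-all for the rest of the /28 (ASA 9.2(1) and later only): packets to an
! address in the block that no NAT rule claims are dropped here instead of being
! sent back out the default route. Inbound packets to 188.xx.xx.180 are
! untranslated to 10.10.0.205 before the route lookup, so they are not affected.
route null0 188.xx.xx.176 255.255.255.240
```

To verify after applying, `show nat` lists the static translation with its hit counts, `show route` shows the null entry (on 9.2+) and the PPPoE-installed default, and `show access-list fiber_access_in` shows whether the HTTP rule is being hit.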


Author: Atulmaharaj

Updated on September 17, 2022

Comments

  • Atulmaharaj
    Atulmaharaj over 1 year

    We've just received a fiber uplink, and I'm trying to configure our Cisco ASA 5505 to properly use it.

    The provider requires us to connect via PPPoE, and I managed to configure the ASA as a PPPoE client and establish a connection. The ASA is assigned an IP address by PPPoE, and I can ping out from the ASA to the internet, but I should have access to an entire /28 subnet. I can't figure out how to get that subnet configured on the ASA, so that I can route or NAT the available public addresses to various internal hosts.

    My assigned range is 188.xx.xx.176/28. The address I get via PPPoE is 188.xx.xx.177/32, which according to our provider is our default gateway address. They claim the subnet is correctly routed to us on their side.

    How does the ASA know which range it is responsible for on the Fiber interface?

    How do I use the addresses from my range?


    To clarify my config: the ASA is currently configured to default-route to our ADSL uplink on port Ethernet0/0 (interface Vlan2, nicknamed Outside). The fiber is connected to port Ethernet0/2 (interface Vlan50, nicknamed Fiber) so I can configure and test it before making it the default route. Once I'm clear on how to set it all up, I'll fully replace the Outside interface with Fiber.

    My config (rather long):

    : Saved
    :
    ASA Version 8.3(2)4 
    !
    hostname gw
    domain-name example.com
    enable password ****** encrypted
    passwd ****** encrypted
    names
    name 10.10.1.0 Inside-dhcp-network description Desktops and clients that receive their IP via DHCP
    name 10.10.0.208 svn.example.com description Subversion server
    name 10.10.0.205 marvin.example.com description LAMP development server
    name 10.10.0.206 dns.example.com description DNS, DHCP, NTP
    !
    interface Vlan2
     description Old ADSL WAN connection
     nameif outside
     security-level 0
     ip address 192.168.1.2 255.255.255.252 
    !
    interface Vlan10
     description LAN vlan 10 Regular LAN traffic
     nameif inside
     security-level 100
     ip address 10.10.0.254 255.255.0.0 
    !
    interface Vlan11
     description LAN vlan 11 Lab/test traffic
     nameif lab
     security-level 90
     ip address 10.11.0.254 255.255.0.0 
    !
    interface Vlan20
     description LAN vlan 20 ISCSI traffic
     nameif iscsi
     security-level 100
     ip address 10.20.0.254 255.255.0.0 
    !
    interface Vlan30
     description LAN vlan 30 DMZ traffic
     nameif dmz
     security-level 50
     ip address 10.30.0.254 255.255.0.0 
    !
    interface Vlan40
     description LAN vlan 40 Guests access to the internet
     nameif guests
     security-level 50
     ip address 10.40.0.254 255.255.0.0 
    !
    interface Vlan50
     description New WAN Corporate Internet over fiber
     nameif fiber
     security-level 0
     pppoe client vpdn group KPN
     ip address pppoe 
    !
    interface Ethernet0/0
     switchport access vlan 2
     speed 100
     duplex full
    !
    interface Ethernet0/1
     switchport trunk allowed vlan 10,11,30,40
     switchport trunk native vlan 10
     switchport mode trunk
    !
    interface Ethernet0/2
     switchport access vlan 50
     speed 100
     duplex full
    !
    interface Ethernet0/3
     shutdown
    !
    interface Ethernet0/4
     shutdown
    !
    interface Ethernet0/5
     switchport access vlan 20
    !
    interface Ethernet0/6
     shutdown
    !
    interface Ethernet0/7
     shutdown
    !
    boot system disk0:/asa832-4-k8.bin
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns domain-lookup inside
    dns server-group DefaultDNS
     name-server dns.example.com
     domain-name example.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network inside-net 
     subnet 10.10.0.0 255.255.0.0
    object network svn.example.com 
     host 10.10.0.208
    object network marvin.example.com 
     host 10.10.0.205
    object network lab-net 
     subnet 10.11.0.0 255.255.0.0
    object network dmz-net 
     subnet 10.30.0.0 255.255.0.0
    object network guests-net 
     subnet 10.40.0.0 255.255.0.0
    object network dhcp-subnet 
     subnet 10.10.1.0 255.255.255.0
     description DHCP assigned addresses on Vlan 10 
    object network Inside-vpnpool 
     description Pool of assignable addresses for VPN clients  
    object network vpn-subnet 
     subnet 10.10.3.0 255.255.255.0
     description Address pool assignable to VPN clients 
    object network dns.example.com 
     host 10.10.0.206
     description DNS, DHCP, NTP 
    object-group service iscsi tcp
     description iscsi storage traffic
     port-object eq 3260
    access-list outside_access_in remark Allow access from outside to HTTP on svn.
    access-list outside_access_in extended permit tcp any object svn.example.com eq www 
    access-list Insiders!_splitTunnelAcl standard permit 10.10.0.0 255.255.0.0 
    access-list iscsi_access_in remark Prevent disruption of iscsi traffic from outside the iscsi vlan.
    access-list iscsi_access_in extended deny tcp any interface iscsi object-group iscsi log warnings 
    !
    snmp-map DenyV1
     deny version 1
    !
    pager lines 24
    logging enable
    logging timestamp
    logging asdm-buffer-size 512
    logging monitor warnings
    logging buffered warnings
    logging history critical
    logging asdm errors
    logging flash-bufferwrap
    logging flash-minimum-free 4000
    logging flash-maximum-allocation 2000
    mtu outside 1500
    mtu inside 1500
    mtu lab 1500
    mtu iscsi 9000
    mtu dmz 1500
    mtu guests 1500
    mtu fiber 1492
    ip local pool DHCP_VPN 10.10.3.1-10.10.3.20 mask 255.255.0.0
    ip verify reverse-path interface outside
    no failover
    icmp unreachable rate-limit 10 burst-size 5
    asdm image disk0:/asdm-635.bin
    asdm history enable
    arp timeout 14400
    nat (inside,outside) source static any any destination static vpn-subnet vpn-subnet
    !
    object network inside-net
     nat (inside,outside) dynamic interface
    object network svn.example.com
     nat (inside,outside) static interface service tcp www www 
    object network lab-net
     nat (lab,outside) dynamic interface
    object network dmz-net
     nat (dmz,outside) dynamic interface
    object network guests-net
     nat (guests,outside) dynamic interface
    access-group outside_access_in in interface outside
    access-group iscsi_access_in in interface iscsi
    route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server SBS2003 protocol radius
    aaa-server SBS2003 (inside) host 10.10.0.204
     timeout 5
     key *****
    aaa authentication enable console SBS2003 LOCAL
    aaa authentication ssh console SBS2003 LOCAL
    aaa authentication telnet console SBS2003 LOCAL
    http server enable
    http 10.10.0.0 255.255.0.0 inside
    snmp-server host inside 10.10.0.207 community ***** version 2c
    snmp-server location Server room
    snmp-server contact [email protected]
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    snmp-server enable traps syslog
    crypto ipsec transform-set TRANS_ESP_AES-256_SHA esp-aes-256 esp-sha-hmac 
    crypto ipsec transform-set TRANS_ESP_AES-256_SHA mode transport
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 20 set pfs group5
    crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_AES-256_SHA
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet 10.10.0.0 255.255.0.0 inside
    telnet timeout 5
    ssh scopy enable
    ssh 10.10.0.0 255.255.0.0 inside
    ssh timeout 5
    ssh version 2
    console timeout 30
    management-access inside
    vpdn group KPN request dialout pppoe
    vpdn group KPN localname INSIDERS
    vpdn group KPN ppp authentication pap
    vpdn username INSIDERS password ***** store-local
    dhcpd address 10.40.1.0-10.40.1.100 guests
    dhcpd dns 8.8.8.8 8.8.4.4 interface guests
    dhcpd update dns interface guests
    dhcpd enable guests
    !
    
    threat-detection basic-threat
    threat-detection scanning-threat
    threat-detection statistics host number-of-rate 2
    threat-detection statistics port number-of-rate 3
    threat-detection statistics protocol number-of-rate 3
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server dns.example.com source inside prefer
    webvpn
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol IPSec l2tp-ipsec 
    group-policy Insiders! internal
    group-policy Insiders! attributes
     wins-server value 10.10.0.205
     dns-server value 10.10.0.206
     vpn-tunnel-protocol IPSec l2tp-ipsec 
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value Insiders!_splitTunnelAcl
     default-domain value example.com
    username martijn password ****** encrypted privilege 15
    username marcel password ****** encrypted privilege 15
    tunnel-group DefaultRAGroup ipsec-attributes
     pre-shared-key *****
    tunnel-group Insiders! type remote-access
    tunnel-group Insiders! general-attributes
     address-pool DHCP_VPN
     authentication-server-group SBS2003 LOCAL
     default-group-policy Insiders!
    tunnel-group Insiders! ipsec-attributes
     pre-shared-key *****
    !
    class-map global-class
     match default-inspection-traffic
    class-map type inspect http match-all asdm_medium_security_methods
     match not request method head
     match not request method post
     match not request method get
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map type inspect http http_inspection_policy
     parameters
      protocol-violation action drop-connection
    policy-map global-policy
     class global-class
      inspect dns 
      inspect esmtp 
      inspect ftp 
      inspect h323 h225 
      inspect h323 ras 
      inspect http 
      inspect icmp 
      inspect icmp error 
      inspect mgcp 
      inspect netbios 
      inspect pptp 
      inspect rtsp 
      inspect snmp DenyV1 
    !
    service-policy global-policy global
    smtp-server 123.123.123.123
    prompt hostname context 
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    hpm topN enable
    Cryptochecksum:a76bbcf8b19019771c6d3eeecb95c1ca
    : end
    asdm image disk0:/asdm-635.bin
    asdm location svn.example.com 255.255.255.255 inside
    asdm location marvin.example.com 255.255.255.255 inside
    asdm location dns.example.com 255.255.255.255 inside
    asdm history enable
    
  • Atulmaharaj
    Atulmaharaj over 13 years
    Ah ok, I was under the impression the ASA somehow needed to query the PPPoE server for the range. Some example configs mentioned using ipcp commands for this, but the ASA doesn't have those. This helped a lot.
  • Atulmaharaj
    Atulmaharaj over 13 years
    Could you explain how to set up such a static route to a null device?
  • poige
    poige over 13 years
    For example: ip route ip.ip.ip.ip m.a.s.k Null0 250 name Those_IPs_Are_Mine