Unrestricted APN Needed ?

[ngwenyas]

Hi

I suggest the following: activate InternetVPN on the sim card in the router/ modem you are using and change APN to InternetVPN. Connect and try whatever you are trying to do and see if it works. If you have tried that already, then ignore this message. Many friends try to do funny things that I dont understand but I found that the InternetVPN has sorted out most of their problems.

I doubt you will get any joy using the internet apn.

[ambo]

I found it in a config test example

Don't believe everything you read on the Internet

Assumed as it was an example it could be used -- my bad
As I understand a loopback -- it allows you to access the router if there is a problem with a hardware interface ?
IF I understand correctly the IP I am using on loopback0 is not being used outside the router ?

This is only relevant if you are running a network with multiple routers and an IGP like EIRGP, IS-IS or OSPF.

What do you propose I change it to ( atm I only need it accessible to my own network -- private) ?

Set it to 127.0.0.1 to avoid breaking anything.

Code:

Cellular0/0/0 is administratively down, line protocol is down

Dialer0 is administratively down, line protocol is down

If the interfaces are down then obviously nothing will work.

We still have zero clarity on what's not working.

[ambo]

My guess is that this thread will end in silence when the OP realises the problem is on his side.
Im not so sure what the massive need for PAT is, surely you only have access to one external IP and therefore normal NAT would be sufficient?

We're all talking about the same thing when we refer to PAT and NAT. PAT is the slightly more correct term but functionally it is the same as the 'NAT' that most consumer routers use.

[b@nD]

We're all talking about the same thing when we refer to PAT and NAT.
PAT is the slightly more correct term but functionally it is the same as the 'NAT' that most consumer routers use.

Hi ,
Everything is up & up ( earlier output was from a test )
Following suggestions I have removed the loopback interface
I have changed the list that brings up the dialer ( simplified )
I have checked other access lists ( someone thought that they might be interfering with traffic)

I can bring up the dialer from the PC -- no problem
Logging shows that traffic is passing without any blocking

Code:

Fangorn#

Dialer brought up from PC
*Jul 23 11:36:00.058 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 192.168.40.26 -> 196.220.59.189, 1 packet



Access to DNS servers allowed
Fangorn#
*Jul 23 11:36:01.058 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 192.168.40.26 -> 196.43.1.14, 1 packet

*Jul 23 11:36:02.058 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 192.168.40.26 -> 196.220.59.188, 1 packet



Dialer coming up
*Jul 23 11:36:02.250 SAST: %LINK-3-UPDOWN: Interface Cellular0/0/0, changed state to up
*Jul 23 11:36:02.250 SAST: %DIALER-6-BIND: Interface Ce0/0/0 bound to profile Di0
Fangorn#
*Jul 23 11:36:02.322 SAST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Cellular0/0/0, changed state to up



Another DNS server
Fangorn#
*Jul 23 11:36:04.058 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 192.168.40.26 -> 196.43.38.190, 1 packet


Fangorn#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, Dialer0
      41.0.0.0/32 is subnetted, 1 subnets
C        41.8.4.92 is directly connected, Dialer0
      192.168.40.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.40.0/24 is directly connected, FastEthernet0/0
L        192.168.40.3/32 is directly connected, FastEthernet0/0
Fangorn#

Code:

Traffic on the connected dialer interface with IP as allocated above

Fangorn#
*Jul 23 11:37:47.194 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 10.17.15.11 -> 41.9.249.255, 3 packets
*Jul 23 11:37:47.194 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 41.9.249.255 -> 196.207.35.29, 8 packets
*Jul 23 11:37:47.194 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 196.207.35.29 -> 41.9.249.255, 8 packets
*Jul 23 11:37:47.194 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 41.9.249.255 -> 196.25.1.200, 43 packets
*Jul 23 11:37:47.194 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 10.242.202.2 -> 41.9.249.255, 2 packets
*Jul 23 11:37:47.194 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 196.207.35.36 -> 41.9.249.255, 2 packets
*Jul 23 11:37:47.194 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 196.207.35.244 -> 41.9.249.255, 2 packets
*Jul 23 11:37:47.194 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 41.0.148.1 -> 41.9.249.255, 2 packets
*Jul 23 11:37:47.194 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 41.0.144.5 -> 41.9.249.255, 3 packets
*Jul 23 11:37:47.194 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 196.25.91.61 -> 41.9.249.255, 2 packets


Internal interface trying to get to DNS again

Fangorn#
*Jul 23 11:41:47.194 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 192.168.40.26 -> 196.220.59.189, 1 packet
*Jul 23 11:41:47.194 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 192.168.40.26 -> 196.43.1.14, 1 packet
*Jul 23 11:41:47.194 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 192.168.40.26 -> 196.220.59.188, 1 packet
*Jul 23 11:41:47.194 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 192.168.40.26 -> 4.2.2.3, 1 packet

WHO are ........

*Jul 23 11:37:47.194 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 41.0.148.1 -> 41.9.249.255, 2 packets
*Jul 23 11:37:47.194 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 41.0.144.5 -> 41.9.249.255, 3 packets

That look like they are broadcasting ? ESSR ??????


As far as I ( moi ) can work out things are OK on my side ??????

[Sinbad]

That's probably someone doing some kind of scan...

Are your inside machines able to access the net now?

[b@nD]

That's probably someone doing some kind of scan...
Are your inside machines able to access the net now?

NO
Those are ALL Voda addresses -- I do not see "my" address 41.8.4.92 in those logs anywhere
[Edit]
196.25.1.200 is saix.net
196.25.x.x is normally a Telkom / SAIX IP
196.43.x.190 is normally Telkom / SAIX DNS
It looks to me like an internal ping-pong on the Voda drum
But anyway what do I know -- I know nothing about Cisco or IP ! )
http://en.ntunhs.net/IPInfo/EN/41/0.htm
[/Edit]
NO
Until I get a second public INTERFACE /32 IP address I will NEVER be able to

THIS is the absolute main crucial point that I NOT getting any feedback on !

[ambo]

NO
Those are ALL Voda addresses -- I do not see "my" address 41.8.4.92 in those logs anywhere
NO
Until I get a second public INTERFACE /32 IP address I will NEVER be able to

You only get one IP and you NAT/PAT everything behind that... surely?

Code:

C        41.8.4.92 is directly connected, Dialer0

THIS is the absolute main crucial point that I NOT getting any feedback on !

You still haven't provided the trace from the router that I requested:

Code:

traceroute 8.8.8.8

[Sinbad]

[QUOTE=ambo;8620851]

NO
Those are ALL Voda addresses -- I do not see "my" address 41.8.4.92 in those logs anywhere
NO
Until I get a second public INTERFACE /32 IP address I will NEVER be able to
You only get one IP and you NAT/PAT everything behind that... surely?

Code:

C        41.8.4.92 is directly connected, Dialer0

You still haven't provided the trace from the router that I requested:

Code:

traceroute 8.8.8.8

You don't need a second IP.
The whole point of overload NAT is that your traffic appears to come from the dialer0 interface.

turn on debug ip nat and show us the output?

[b@nD]

You don't need a second IP.

I am afraid it looks like you DO

The whole point of overload NAT is that your traffic appears to come from the dialer0 interface.
turn on debug ip nat and show us the output?

One for the GATEWAY -- One for the INTERFACE !

Dialer0 is the GATEWAY ................

[Sinbad]

I am afraid it looks like you DO

One for the GATEWAY -- One for the INTERFACE !

Nope. Never ever seen an interface needing two IPs before.
Do me a favour - take the hardcoded ip route 0.0.0.0 out of your config and let the router do the routing itself? It might be that you need the next hop to be the PPP peer rather than your own interface.

[b@nD]

As requested -- ...........

Code:

Fangorn#traceroute 8.8.8.8

Type escape sequence to abort.
Tracing the route to
*Jul 23 13:05:25.661 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 192.168.40.3 -> 196.207.35.29, 1 packet
*Jul 23 13:05:27.853 SAST: %LINK-3-UPDOWN: Interface Cellular0/0/0, changed state to up
*Jul 23 13:05:27.853 SAST: %DIALER-6-BIND: Interface Ce0/0/0 bound to profile Di0
*Jul 23 13:05:27.917 SAST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Cellular0/0/0, changed state to up
*Jul 23 13:05:31.661 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 41.12.2.129 -> 196.207.35.29, 1 packet
*Jul 23 13:05:34.661 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 41.12.2.129 -> 196.207.35.30, 1 packet  8.8.8.8

  1
*Jul 23 13:05:43.661 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 41.12.2.129 -> 8.8.8.8, 1 packet   *  *  *
  2  *  *  *
  3  *  *  *
  4  *  *  *
  5  *  *  *
  6  *

*Jul 23 13:06:31.781 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 217.163.45.253 -> 41.12.2.129, 1 packet  te-9-2.car5.London1.Level3.net (217.163.45.253) 312 msec 608 msec
  7 ae-11-51.car1.London1.Level3.net (4.69.139.66) 276 msec 300 msec 280 msec
  8
*Jul 23 13:06:32.981 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 196.207.35.29 -> 41.12.2.129, 1 packet  195.50.118.210 372 msec 276 msec 268 msec
  9
*Jul 23 13:06:35.189 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 195.50.118.210 -> 41.12.2.129, 1 packet  209.85.255.76 280 msec 312 msec 520 msec
 10
*Jul 23 13:06:36.541 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 209.85.255.76 -> 41.12.2.129, 1 packet  209.85.253.94 [MPLS: Label 307850 Exp 4] 300 msec
    209.85.253.196 [MPLS: Label 796428 Exp 4] 300 msec

*Jul 23 13:06:38.273 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 209.85.253.94 -> 41.12.2.129, 1 packet  209.85.253.90 [MPLS: Label 771740 Exp 4] 300 msec
 11
*Jul 23 13:06:39.913 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 209.85.253.90 -> 41.12.2.129, 1 packet  66.249.95.173 [MPLS: Label 572349 Exp 4] 328 msec
    72.14.232.134 [MPLS: Label 497875 Exp 4] 620 msec
    66.249.95.173 [MPLS: Label 598381 Exp 4] 300 msec
 12
*Jul 23 13:06:41.761 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 72.14.232.134 -> 41.12.2.129, 1 packet  209.85.251.231 280 msec 288 msec 280 msec
 13
*Jul 23 13:06:43.001 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 209.85.251.231 -> 41.12.2.129, 1 packet   *  *  *
 14  *  *  *
 15  *  *  *
 16  *  *  *
 17  *  *  *
 18  *  *  *
 19  *  *  *
 20  *

Should be able to work out something from those MPLS labels -- should I go look them up now ????

LONDON again -- got to be those DAMN Olympics

[Sinbad]

As requested -- ...........

Should be able to work out something from those MPLS labels -- should I go look them up now ????

LONDON again -- got to be those DAMN Olympics

Sheesh, you like to overcomplicate things!

MPLS labels aren't relevant.

debug ip nat :P

[b@nD]

Nope. Never ever seen an interface needing two IPs before.
Do me a favour - take the hardcoded ip route 0.0.0.0 out of your config and let the router do the routing itself?
It might be that you need the next hop to be the PPP peer rather than your own interface.

There are TWO interfaces -- FA0/0 & Dialer0 // Dialer0 is the gateway FA0/0 is the Interface

OK

0.0.0.0 0.0.0.0 is the IP as well as the mask
So what do you want me to make the IP route statement ?

WHICH ip nat debug ?

Fangorn#debug ip nat ?
<1-99> Access list
cce NAT-CCE support events
detailed NAT detailed events
fragment NAT fragment events
generic NAT generic ALG handler events
h323 NAT H.323 events
ipsec NAT IPSec events
multipart NAT Multipart support events
nvi NVI events
piggyback NAT Piggyback support events
port NAT PORT events
pptp NAT PPTP events
route NAT Static route events
sbc NAT SIP Session Border Controller events
sip NAT SIP events
skinny NAT skinny events
vrf NAT VRF events
wlan-nat WLAN NAT events
<cr>
==============
Unless you are trying to tell me that NAT cannot have an access-list above 99 ??????
You can have named NAT access-lists using route-maps !

[Sinbad]

There are TWO interfaces -- FA0/0 & Dialer0 // Dialer0 is the gateway FA0/0 is the Interface

OK

0.0.0.0 0.0.0.0 is the IP as well as the mask
So what do you want me to make the IP route statement ?

take it out totally.

FA0/0 is your INTERNAL interface. Your ethernet interface. That must have an address in your private space - which it does.
Di0 is also an interface - it gets the public IP address, and establishes a point-to-point like with the PPP server at the other end.

[b@nD]

take it out totally.
FA0/0 is your INTERNAL interface. Your ethernet interface. That must have an address in your private space - which it does.
Di0 is also an interface - it gets the public IP address, and establishes a point-to-point like with the PPP server at the other end.

Let me belabour my point / observation
This from an ADSL router

Code:

Erebor#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

C    192.168.30.0/24 is directly connected, Vlan6
C    192.168.10.0/24 is directly connected, Vlan2
C    192.168.20.0/24 is directly connected, Vlan4
     41.0.0.0/32 is subnetted, 4 subnets
C       41.185.170.1 is directly connected, Dialer1
C       41.146.12.231 is directly connected, Dialer2
C       41.185.170.76 is directly connected, Dialer1
C       41.146.0.1 is directly connected, Dialer2
S*   0.0.0.0/0 is directly connected, Dialer1
               is directly connected, Dialer2
Erebor#

WHAT does this indicate ??????

C 41.185.170.1 is directly connected, Dialer1
C 41.146.12.231 is directly connected, Dialer2
C 41.185.170.76 is directly connected, Dialer1
C 41.146.0.1 is directly connected, Dialer2

WOULD you say that that was ONE or TWO public IP addresses ?

One the gateway is GIVEN by ppp ( in this case I assume the interface of the ISP equipment you are attaching to which is actually going to route you )
One you set ( the INSIDE interface ) which is natted to show here a public IP address

When I say TWO I am including the gateway address

So possibly I am being given an INTERFACE address by Bra Voda but NOT a WORKING router GATEWAY address ???

Either way without BOTH // NOTHING is going to happen !