Any ACLs at all applied to any interfaces?
Only to let stuff in and to log
I made a bit of progress
This version of IOS uses a virtual NAT interface NVI0
Read here
http://blog.ine.com/2008/02/15/the-i...utside-of-nat/
So I changed the NAT statements on the interfaces accordingly.
Somehow NAT then managed to NAT my internal NetBios NBT ?
It looks like it is doing a broadcast and looking for DNS via the internal netbios
Code:
*Jul 23 20:35:12.488 SAST: NAT (UDP-DNS): After Translation
*Jul 23 20:35:12.488 SAST: NAT: Translation of UDP DNS src 192.168.40.26, dst 192.168.40.255
*Jul 23 20:35:12.488 SAST: NAT: Dns type of Query
*Jul 23 20:35:12.488 SAST: : dns len=64, id=33723, aa=0, tc=0, rd=0, ra=0
*Jul 23 20:35:12.492 SAST: : opcode=5, rcode=0, qdcount=1
*Jul 23 20:35:12.492 SAST: : ancount=0, nscount=0, arcount=1
*Jul 23 20:35:12.492 SAST: query name is <redacted>, qtype=32, class=1
*Jul 23 20:35:12.492 SAST: Answer section:
*Jul 23 20:35:12.492 SAST: Authority section:
*Jul 23 20:35:12.492 SAST: Additional record section:
*Jul 23 20:35:12.492 SAST: Name=<redacted>
*Jul 23 20:35:12.492 SAST: RR type=32, class=1, ttl=300000, data length=6
*Jul 23 20:35:12.492 SAST: (Skipping unknown RR type)
*Jul 23 20:35:12.492 SAST: NAT: s=192.168.40.26->41.12.81.80, d=192.168.40.255 [54793]
Maybe because it cannot find a valid gateway to "outside"
At least it has this now -- but UNPOPULATED !
Code:
Fangorn#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
This bit of log is interesting
The ACL on Dialer0 IS letting stuff in // 41.12.81.80 is Dialer0's IP
Code:
Fangorn#
*Jul 23 19:34:47.192 SAST: %SEC-6-IPACCESSLOGDP: list 140 permitted icmp 196.207.35.36 (Dialer0 ) -> 41.12.81.80 (0/0), 2 packets
*Jul 23 19:34:47.192 SAST: %SEC-6-IPACCESSLOGDP: list 140 permitted icmp 10.17.15.12 (Dialer0 ) -> 41.12.81.80 (0/0), 2 packets
*Jul 23 19:34:47.192 SAST: %SEC-6-IPACCESSLOGP: list 140 permitted udp 196.207.35.29(0) (Dialer0 ) -> 41.12.81.80(0), 6 packets
*Jul 23 19:34:47.192 SAST: %SEC-6-IPACCESSLOGDP: list 140 permitted icmp 10.242.202.2 (Dialer0 ) -> 41.12.81.80 (0/0), 2 packets
Fangorn#
*Jul 23 19:35:47.192 SAST: %SEC-6-IPACCESSLOGDP: list 140 permitted icmp 196.43.23.218 (Dialer0 ) -> 41.12.81.80 (0/0), 3 packets
*Jul 23 19:35:47.192 SAST: %SEC-6-IPACCESSLOGDP: list 140 permitted icmp 41.0.148.1 (Dialer0 ) -> 41.12.81.80 (0/0), 2 packets
*Jul 23 19:35:47.192 SAST: %SEC-6-IPACCESSLOGDP: list 140 permitted icmp 196.25.91.61 (Dialer0 ) -> 41.12.81.80 (0/0), 2 packets
*Jul 23 19:35:47.192 SAST: %SEC-6-IPACCESSLOGDP: list 140 permitted icmp 41.0.144.5 (Dialer0 ) -> 41.12.81.80 (0/0), 3 packets
*Jul 23 19:35:47.192 SAST: %SEC-6-IPACCESSLOGDP: list 140 permitted icmp 196.207.35.244 (Dialer0 ) -> 41.12.81.80 (0/0), 2 packets
Fangorn#
( should really be the Gateway address "Inside Global" )
Weird stuff
Still no access from anything on the 192.168.40.0
This was meant to be a very easy and simple exercise
I still believe that until there is a valid public interface to NAT against and a valid public gateway next hop address NOTHING is going to happen !
IF I am not mad by the end of tonight I might be by tomorrow (unless the "unrestricted" APN arrives first)
Last edited by b@nD; 23-07-2012 at 08:52 PM.
Add an acl on dialer0 permitting your inside networks out.
Thanks for your help Sinbad
Have a look at this -- from the console using the router
Code:
Type escape sequence to abort.
Tracing the route to saix.net (196.25.1.200)

  1 10.17.15.11 104 msec 80 msec 80 msec
  2 10.242.202.2 108 msec 304 msec 88 msec
  3 vc-196-207-35-36.3g.vodacom.co.za (196.207.35.36) 80 msec 76 msec 92 msec
  4 vc-196-207-35-244.3g.vodacom.co.za (196.207.35.244) 108 msec
*Jul 24 08:37:50.229 SAST: %SEC-6-IPACCESSLOGNP: list 1 denied 0 41.8.198.219 -> 196.207.35.30, 1 packet
 100 msec 108 msec
  5 41.0.148.1 100 msec 76 msec 112 msec
  6 41.0.144.5 108 msec 88 msec 112 msec
  7 nngy-ip-esr-1-wan.telkom-ipnet.co.za (196.25.91.61) 308 msec 76 msec 92 msec
  8 wblv-ip-essr-1-atm-2-0-0-2.telkom-ipnet.co.za (196.43.11.30) 120 msec 108 msec 112 msec
41.8.198.219 -> 196.207.35.30, 1
Dialer0 --> Voda DNS
This is my access-list 1
access-list 1 remark Local Pool for NAT
access-list 1 permit 192.168.40.0 0.0.0.255 log
access-list 1 deny any log
( there is an implicit deny at the end of every ACL -- but now at least the log tells me something )
ip nat source list 1 interface Dialer0 overload
It looks to me as if 0.0.0.0 ( Dialer0 ) is being natted to 41.8.198.219 and then 41.8.198.219 is trying to be natted again ?
0.0.0.0 should resolve to an ESR gateway interface or at least be natted to a router's gateway interface ?
Strange how quiet Bra Voda's engineers are ?
OK
Code:
*Jul 24 12:26:42.259 SAST: %CLEAR-5-COUNTERS: Clear counter on all interfaces by Root on console
*Jul 24 12:27:33.951 SAST: %SEC-6-IPACCESSLOGNP: list 2 permitted 0 192.168.40.46 -> 0.0.0.0, 1 packet
*Jul 24 12:27:36.139 SAST: %LINK-3-UPDOWN: Interface Cellular0/0/0, changed state to up
*Jul 24 12:27:36.139 SAST: %DIALER-6-BIND: Interface Ce0/0/0 bound to profile Di0
*Jul 24 12:27:36.223 SAST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Cellular0/0/0, changed state to up
*Jul 24 12:27:39.395 SAST: %SEC-6-IPACCESSLOGNP: list 2 permitted 0 192.168.40.46 -> 0.0.0.0, 1 packet
*Jul 24 12:32:54.595 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 41.9.233.208 -> 196.207.35.29, 1 packet
*Jul 24 12:33:08.203 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 192.168.40.46 -> 196.43.9.21, 2 packets
Fangorn#
I made ACL 1 the dialer ACL ( to bring up traffic )
I made ACL 2 the NAT pool ACL ( what is going to be natted )
*Jul 24 12:27:33.951 SAST: %SEC-6-IPACCESSLOGNP: list 2 permitted 0 192.168.40.46 -> 0.0.0.0, 1 packet
192.168.40.46 should not go to 0.0.0.0 -- it should go to 192.168.40.1 ( PC gateway )
192.168.40.1 should be being natted to become the subnet gateway to the internet
This is the manual I am following which is pretty much exactly the same as the Cisco one
Cisco HWIC-3G-GSM Config
Nothing strange in it -- but it does not explain this scenario ( only "ip address negotiated" and ppp ipcp )
"internet" APN is expecting only a SINGLE unit / device -- ie single PC , laptop etc etc OR some sort of DHCP
Anyway that is my reading of it.
NO idea how the paste and glue four port specials work ????
(Perhaps you have to set your PC to DHCP ? )
Last edited by b@nD; 24-07-2012 at 01:27 PM.
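The posts above lean on two things: what the IOS `%SEC-6-IPACCESSLOG*` lines say, and which sources the NAT ACL (`access-list 1 permit 192.168.40.0 0.0.0.255`, implicit deny at the end) would actually translate. The script below is an added example, not code from this thread, from Cisco, or from the linked manual. It parses log lines in the shape posted here (constructed copies), models an IOS standard ACL with wildcard masks including the implicit deny, re-evaluates each logged source against the NAT ACL, and flags the two symptoms the thread describes: a source that is not an inside address (so NAT will never translate it, whichever list logged it) and a destination of 0.0.0.0 or the inside broadcast address (a host with no usable gateway, or a broadcast being fed into NAT). The inside network 192.168.40.0/24 and the regex are assumptions taken from the ACL and log lines in the thread.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: copies of the %SEC-6-IPACCESSLOG* lines posted in this thread.
SAMPLE_LOG = """\
*Jul 23 19:34:47.192 SAST: %SEC-6-IPACCESSLOGDP: list 140 permitted icmp 196.207.35.36 (Dialer0 ) -> 41.12.81.80 (0/0), 2 packets
*Jul 23 19:34:47.192 SAST: %SEC-6-IPACCESSLOGP: list 140 permitted udp 196.207.35.29(0) (Dialer0 ) -> 41.12.81.80(0), 6 packets
*Jul 24 08:37:50.229 SAST: %SEC-6-IPACCESSLOGNP: list 1 denied 0 41.8.198.219 -> 196.207.35.30, 1 packet
*Jul 24 12:27:33.951 SAST: %SEC-6-IPACCESSLOGNP: list 2 permitted 0 192.168.40.46 -> 0.0.0.0, 1 packet
*Jul 24 12:33:08.203 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 192.168.40.46 -> 196.43.9.21, 2 packets
"""

# The NAT pool ACL exactly as posted (remark lines are ignored by the parser).
NAT_ACL = """\
access-list 1 remark Local Pool for NAT
access-list 1 permit 192.168.40.0 0.0.0.255 log
access-list 1 deny any log
"""

# Assumed shape of IOS ACL log lines: optional "(port)" after an address,
# optional "(interface )" after the source, optional "(type/code)" after the destination.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>[A-Z]+): list (?P<list>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))?(?: \(\S+ ?\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))?(?: \(\d+/\d+\))?, (?P<pkts>\d+) packets?"
)


@dataclass(frozen=True)
class Ace:
    """One access-list entry. IOS wildcard: 0 bits must match, 1 bits are don't-care."""
    action: str      # "permit" or "deny"
    network: int     # IPv4 address as an integer
    wildcard: int    # IPv4 wildcard mask as an integer

    def matches(self, addr: str) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return (int(ipaddress.IPv4Address(addr)) & care) == (self.network & care)


def parse_acl(text: str) -> list:
    """Parse 'access-list N permit|deny <net> <wildcard>|any|host <ip>' lines."""
    aces = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] == "remark":
            continue
        action = parts[2]
        if parts[3] == "any":
            net, wc = 0, 0xFFFFFFFF
        elif parts[3] == "host":
            net, wc = int(ipaddress.IPv4Address(parts[4])), 0
        else:
            net = int(ipaddress.IPv4Address(parts[3]))
            # A standard ACL entry without a wildcard means "host" (wildcard 0.0.0.0).
            wc = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 and parts[4][0].isdigit() else 0
        aces.append(Ace(action, net, wc))
    return aces


def evaluate(aces: list, addr: str) -> str:
    """First matching entry wins; an unmatched address hits the implicit deny."""
    for ace in aces:
        if ace.matches(addr):
            return ace.action
    return "deny"


def parse_log(text: str) -> list:
    flows = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            d["pkts"] = int(d["pkts"])
            flows.append(d)
    return flows


def triage(log_text: str, nat_acl_text: str, inside_net: str = "192.168.40.0/24") -> list:
    """Re-check every logged flow against the NAT ACL and flag the thread's two symptoms."""
    aces = parse_acl(nat_acl_text)
    inside = ipaddress.ip_network(inside_net)   # assumed inside LAN, per the posted ACL
    findings = []
    for f in parse_log(log_text):
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        notes = []
        if src not in inside:
            notes.append("source is not an inside address; NAT ACL will never translate it")
        if dst == ipaddress.ip_address("0.0.0.0"):
            notes.append("destination 0.0.0.0: the host has no usable default gateway")
        elif dst == inside.broadcast_address:
            notes.append("destination is the inside broadcast address; NAT is seeing a LAN broadcast")
        findings.append({
            "list": f["list"], "src": f["src"], "dst": f["dst"],
            "logged": f["action"], "nat_verdict": evaluate(aces, f["src"]), "notes": notes,
        })
    return findings


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, NAT_ACL):
        print(row)
```

Run as-is and the only clean flow is the last one (192.168.40.46 -> 196.43.9.21, permitted by the NAT ACL); the 41.x source that list 1 denied is the router's own negotiated address, which the NAT ACL correctly refuses to translate, and the 0.0.0.0 destinations are flagged as a host without a reachable gateway rather than as a NAT problem.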
YES -- taken
HOW can the GATEWAY as well as the devices have the SAME IP address ?????? ( even if it is NATTED )
HOW do they know how to get out of the router when 0.0.0.0 is natted to a device and not a gateway ?
WHY -- when I am using the exact template as given is nothing working ?
I am now going to take this sim and put it in my laptop and see what I get
I can assure you that there will be a SEPARATE IP for the gateway AND the device
OK
So here is the info from a non-router device
Code:
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : ERIADOR
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Broadcom-Gig-LAN:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
   Physical Address. . . . . . . . . : 00-21-70-81-B9-D4

Ethernet adapter Dell-5530-HSPA:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Dell Wireless 5530 HSPA Mobile Broadband Minicard NetworkAdapter
   Physical Address. . . . . . . . . : 02-80-37-EC-02-00
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IP Address. . . . . . . . . . . . : 41.8.228.44
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . : 41.8.228.42
   DHCP Server . . . . . . . . . . . : 41.8.228.41
   DNS Servers . . . . . . . . . . . : 196.207.35.29
                                       196.207.35.30
   NetBIOS over Tcpip. . . . . . . . : Disabled
   Lease Obtained. . . . . . . . . . : 24 July 2012 16:22:PM
   Lease Expires . . . . . . . . . . : 24 July 2012 16:27:PM

Ethernet adapter TOSHIBA-Blueooth:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : Bluetooth Personal Area Network
   Physical Address. . . . . . . . . : 00-1A-6B-3E-A3-00

C:\>route print

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10004 ...00 21 70 81 b9 d4 ...... Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
0x10005 ...02 80 37 ec 02 00 ...... Dell Wireless 5530 HSPA Mobile Broadband Minicard NetworkAdapter - Packet Scheduler Miniport
0x10006 ...00 1a 6b 3e a3 00 ...... Bluetooth Personal Area Network - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      41.8.228.42     41.8.228.44     30
      41.8.228.40  255.255.255.248      41.8.228.44     41.8.228.44     30
      41.8.228.44  255.255.255.255        127.0.0.1       127.0.0.1     30
   41.255.255.255  255.255.255.255      41.8.228.44     41.8.228.44     30
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
        224.0.0.0        240.0.0.0      41.8.228.44     41.8.228.44     30
  255.255.255.255  255.255.255.255      41.8.228.44     41.8.228.44      1
  255.255.255.255  255.255.255.255      41.8.228.44           10006      1
  255.255.255.255  255.255.255.255      41.8.228.44           10004      1
Default Gateway:       41.8.228.42
===========================================================================

According to IPv4 CIDR blocks
Code:
   IP Address. . . . . . . . . . . . : 41.8.228.44
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . : 41.8.228.42
   DHCP Server . . . . . . . . . . . : 41.8.228.41
   DNS Servers . . . . . . . . . . . : 196.207.35.29
                                       196.207.35.30
The network mask is /29 ( same as 8ta ) = 8 hosts
The DHCP server is obviously NOT on my network
The DNS servers are the standard VC ones
I went and had a look at one of those "showmemyip" places and it was 41.8.228.44 NOT 41.8.228.42 !!!!!!
So PLEASE explain ?
OK
Thanks for all your help
After some reading and head scratching I have something WORKING
On another network
But it could all work the same
Except the "other-network" is cheaper
When it has all been checked -- five stars to the person that guesses the solution.
( I am sure you knew it all along and were just keeping quiet so I could figure it out myself)
Perseverance WINS !
Seeing as our Voda-Jannie has chosen not to receive any PMs I am posting this here ( for attention of the mods as well please )
Hi Jannie ,
"Unrestricted APN Needed ? "
Seems I need to eat my hasty words!
I will post a public apology [which I am doing now] in my final post where I explain the working config
I was wondering if it was possible to ask the mods to delete all the five pages of boring nonsense except for the first post and the final one ( which I will post later )
Or otherwise delete the whole thing and I will re-create it -- the actual helpful part ( without the hasty incorrect comments )