Only to let stuff in and to log
Any ACLs at all applied to any interfaces?
*Jul 23 20:35:12.488 SAST: NAT (UDP-DNS): After Translation
*Jul 23 20:35:12.488 SAST: NAT: Translation of UDP DNS src 192.168.40.26, dst 192.168.40.255
*Jul 23 20:35:12.488 SAST: NAT: Dns type of Query
*Jul 23 20:35:12.488 SAST: : dns len=64, id=33723, aa=0, tc=0, rd=0, ra=0
*Jul 23 20:35:12.492 SAST: : opcode=5, rcode=0, qdcount=1
*Jul 23 20:35:12.492 SAST: : ancount=0, nscount=0, arcount=1
*Jul 23 20:35:12.492 SAST: query name is <redacted>, qtype=32, class=1
*Jul 23 20:35:12.492 SAST: Answer section:
*Jul 23 20:35:12.492 SAST: Authority section:
*Jul 23 20:35:12.492 SAST: Additional record section:
*Jul 23 20:35:12.492 SAST: Name=<redacted>
*Jul 23 20:35:12.492 SAST: RR type=32, class=1, ttl=300000, data length=6
*Jul 23 20:35:12.492 SAST: (Skipping unknown RR type)
*Jul 23 20:35:12.492 SAST: NAT: s=192.168.40.26->41.12.81.80, d=192.168.40.255 [54793]
Fangorn#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
Fangorn#
*Jul 23 19:34:47.192 SAST: %SEC-6-IPACCESSLOGDP: list 140 permitted icmp 196.207.35.36 (Dialer0 ) -> 41.12.81.80 (0/0), 2 packets
*Jul 23 19:34:47.192 SAST: %SEC-6-IPACCESSLOGDP: list 140 permitted icmp 10.17.15.12 (Dialer0 ) -> 41.12.81.80 (0/0), 2 packets
*Jul 23 19:34:47.192 SAST: %SEC-6-IPACCESSLOGP: list 140 permitted udp 196.207.35.29(0) (Dialer0 ) -> 41.12.81.80(0), 6 packets
*Jul 23 19:34:47.192 SAST: %SEC-6-IPACCESSLOGDP: list 140 permitted icmp 10.242.202.2 (Dialer0 ) -> 41.12.81.80 (0/0), 2 packets
Fangorn#
*Jul 23 19:35:47.192 SAST: %SEC-6-IPACCESSLOGDP: list 140 permitted icmp 196.43.23.218 (Dialer0 ) -> 41.12.81.80 (0/0), 3 packets
*Jul 23 19:35:47.192 SAST: %SEC-6-IPACCESSLOGDP: list 140 permitted icmp 41.0.148.1 (Dialer0 ) -> 41.12.81.80 (0/0), 2 packets
*Jul 23 19:35:47.192 SAST: %SEC-6-IPACCESSLOGDP: list 140 permitted icmp 196.25.91.61 (Dialer0 ) -> 41.12.81.80 (0/0), 2 packets
*Jul 23 19:35:47.192 SAST: %SEC-6-IPACCESSLOGDP: list 140 permitted icmp 41.0.144.5 (Dialer0 ) -> 41.12.81.80 (0/0), 3 packets
*Jul 23 19:35:47.192 SAST: %SEC-6-IPACCESSLOGDP: list 140 permitted icmp 196.207.35.244 (Dialer0 ) -> 41.12.81.80 (0/0), 2 packets
Fangorn#
Type escape sequence to abort.
Tracing the route to saix.net (196.25.1.200)
1 10.17.15.11 104 msec 80 msec 80 msec
2 10.242.202.2 108 msec 304 msec 88 msec
3 vc-196-207-35-36.3g.vodacom.co.za (196.207.35.36) 80 msec 76 msec 92 msec
4 vc-196-207-35-244.3g.vodacom.co.za (196.207.35.244) 108 msec
[B]*Jul 24 08:37:50.229 SAST: %SEC-6-IPACCESSLOGNP: list 1 denied 0 41.8.198.219 -> 196.207.35.30, 1 packet 100 msec 108 msec[/B]
5 41.0.148.1 100 msec 76 msec 112 msec
6 41.0.144.5 108 msec 88 msec 112 msec
7 nngy-ip-esr-1-wan.telkom-ipnet.co.za (196.25.91.61) 308 msec 76 msec 92 msec
8 wblv-ip-essr-1-atm-2-0-0-2.telkom-ipnet.co.za (196.43.11.30) 120 msec 108 msec 112 msec
Thanks for your help Sinbad
Have a look at this -- from the console using the router
41.8.198.219 -> 196.207.35.30, 1
Dialer0 --> Voda DNS
This is my access-list 1
access-list 1 remark Local Pool for NAT
access-list 1 permit 192.168.40.0 0.0.0.255 log
access-list 1 deny any log
( there is an implicit deny at the end of every ACL -- but now at least the log tells me something )
ip nat source list 1 interface Dialer0 overload
It looks to me as if 0.0.0.0 ( Dialer0 ) is being natted to 41.8.198.219 and then 41.8.198.219 is trying to be natted again ?
0.0.0.0 should resolve to an ESR gateway interface or at least natted to a router's gateway interface ?
Strange how quiet Bra Voda's engineers are ?
There are NO ACL's applied to any interfaces
Add an acl to dialer0 outbound, allowing any to any - see if that helps.
Is acl 1 applied to your dialer0 interface at all?
*Jul 24 12:26:42.259 SAST: %CLEAR-5-COUNTERS: Clear counter on all interfaces by Root on console
*Jul 24 12:27:33.951 SAST: %SEC-6-IPACCESSLOGNP: list 2 permitted 0 192.168.40.46 -> 0.0.0.0, 1 packet
*Jul 24 12:27:36.139 SAST: %LINK-3-UPDOWN: Interface Cellular0/0/0, changed state to up
*Jul 24 12:27:36.139 SAST: %DIALER-6-BIND: Interface Ce0/0/0 bound to profile Di0
*Jul 24 12:27:36.223 SAST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Cellular0/0/0, changed state to up
*Jul 24 12:27:39.395 SAST: %SEC-6-IPACCESSLOGNP: list 2 permitted 0 192.168.40.46 -> 0.0.0.0, 1 packet
*Jul 24 12:32:54.595 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 41.9.233.208 -> 196.207.35.29, 1 packet
*Jul 24 12:33:08.203 SAST: %SEC-6-IPACCESSLOGNP: list 1 permitted 0 192.168.40.46 -> 196.43.9.21, 2 packets
Fangorn#
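An added example, not part of the original thread: it replays the `list 1` log lines shown in the thread against `access-list 1` as it was posted, and reports any logged action that disagrees with that ACL text. The function names (`evaluate`, `audit`) and the tuple layout of `ACL_1` are assumptions made for this sketch.

```python
import ipaddress
import re

# ACL 1 exactly as posted in the thread: (action, base address, wildcard mask).
ACL_1 = [
    ("permitted", "192.168.40.0", "0.0.0.255"),
    ("denied", "0.0.0.0", "255.255.255.255"),  # "deny any"
]

# Standard-ACL log form seen in the thread (IPACCESSLOGNP).
LOG_NP = re.compile(
    r"%SEC-6-IPACCESSLOGNP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"\S+ (?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+), "
    r"(?P<count>\d+) packets?"
)

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def evaluate(acl, src):
    """First-match evaluation of a standard ACL; wildcard bits set to 1 are ignored."""
    for action, base, wildcard in acl:
        care = ~_ip(wildcard) & 0xFFFFFFFF
        if (_ip(src) ^ _ip(base)) & care == 0:
            return action
    return "denied"  # implicit deny at the end of every ACL

def audit(lines, acl_name, acl):
    """Return (src, dst, logged, expected) for log hits that disagree with `acl`."""
    findings = []
    for line in lines:
        m = LOG_NP.search(line)
        if not m or m["acl"] != acl_name:
            continue
        expected = evaluate(acl, m["src"])
        if expected != m["action"]:
            findings.append((m["src"], m["dst"], m["action"], expected))
    return findings

# Log lines copied from the thread (timestamps trimmed).
SAMPLE = [
    "%SEC-6-IPACCESSLOGNP: list 1 denied 0 41.8.198.219 -> 196.207.35.30, 1 packet",
    "%SEC-6-IPACCESSLOGNP: list 2 permitted 0 192.168.40.46 -> 0.0.0.0, 1 packet",
    "%SEC-6-IPACCESSLOGNP: list 1 permitted 0 41.9.233.208 -> 196.207.35.29, 1 packet",
    "%SEC-6-IPACCESSLOGNP: list 1 permitted 0 192.168.40.46 -> 196.43.9.21, 2 packets",
]

if __name__ == "__main__":
    for src, dst, logged, expected in audit(SAMPLE, "1", ACL_1):
        print(f"list 1: {src} -> {dst} logged {logged}, posted ACL says {expected}")
```

A finding here means the log entry was not produced by the ACL text that was posted, so the running configuration should be compared with the pasted one before drawing conclusions from the logs.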
"internet" APN is expecting only a SINGLE unit / device -- ie single PC , laptop etc etc OR some sort of DHCP
YES -- taken
Do you understand how TCP/IP works? This comment suggests that you may have some misconceptions.
Devices behind a PAT router appear to the ISP as a single device. End of story.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : ERIADOR
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Broadcom-Gig-LAN:
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
Physical Address. . . . . . . . . : 00-21-70-81-B9-D4
Ethernet adapter Dell-5530-HSPA:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Dell Wireless 5530 HSPA Mobile Broadband Minicard NetworkAdapter
Physical Address. . . . . . . . . : 02-80-37-EC-02-00
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 41.8.228.44
Subnet Mask . . . . . . . . . . . : 255.255.255.248
Default Gateway . . . . . . . . . : 41.8.228.42
DHCP Server . . . . . . . . . . . : 41.8.228.41
DNS Servers . . . . . . . . . . . : 196.207.35.29
196.207.35.30
NetBIOS over Tcpip. . . . . . . . : Disabled
Lease Obtained. . . . . . . . . . : 24 July 2012 16:22:PM
Lease Expires . . . . . . . . . . : 24 July 2012 16:27:PM
Ethernet adapter TOSHIBA-Blueooth:
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Bluetooth Personal Area Network
Physical Address. . . . . . . . . : 00-1A-6B-3E-A3-00
C:\>route print
IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10004 ...00 21 70 81 b9 d4 ...... Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Mi
niport
0x10005 ...02 80 37 ec 02 00 ...... Dell Wireless 5530 HSPA Mobile Broadband Minicard NetworkAdapter
- Packet Scheduler Miniport
0x10006 ...00 1a 6b 3e a3 00 ...... Bluetooth Personal Area Network - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 41.8.228.42 41.8.228.44 30
41.8.228.40 255.255.255.248 41.8.228.44 41.8.228.44 30
41.8.228.44 255.255.255.255 127.0.0.1 127.0.0.1 30
41.255.255.255 255.255.255.255 41.8.228.44 41.8.228.44 30
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 41.8.228.44 41.8.228.44 30
255.255.255.255 255.255.255.255 41.8.228.44 41.8.228.44 1
255.255.255.255 255.255.255.255 41.8.228.44 10006 1
255.255.255.255 255.255.255.255 41.8.228.44 10004 1
Default Gateway: 41.8.228.42
===========================================================================
IP Address. . . . . . . . . . . . : 41.8.228.44
Subnet Mask . . . . . . . . . . . : 255.255.255.248
Default Gateway . . . . . . . . . : 41.8.228.42
DHCP Server . . . . . . . . . . . : 41.8.228.41
DNS Servers . . . . . . . . . . . : 196.207.35.29
196.207.35.30
OK
So here is the info from a non-router device
I went and had a look at one of those "showmemyip" places and it was 41.8.228.44 NOT 41.8.228.42 !!!!!! So PLEASE explain ?
OK
Your device is .44... showmeIP thing is RIGHT.
Gateway is the ppp PEER.
OK
Fairly certain this guy is trolling, nobody could be this blindly oblivious
Seeing as our Voda-Jannie has chosen not to receive any PMs I am posting this here ( for attention of the mods as well please )
Hi Jannie ,
"Unrestricted APN Needed ? "
Seems I need to eat my hasty words!
I will post a public apology [which I am doing now] in my final post where I explain the working config
I was wondering if it was possible to ask the mods to delete all the five pages of boring nonsense except for the first post and the final one ( which I will post later )
Or otherwise delete the whole thing and I will re-create it -- the actual helpful part ( without the hasty incorrect comments )
What amazes me the most out of all of this is how Sinbad still tried to help you after you were so rude to him. I need to find that nomination thread for helpful forumites again to nominate him.
It wasn't so much that I wanted to help him, I wanted to solve the challenge!
Yeah I know what that is like!
Still I have to applaud you for taking the abuse without saying any of the things I would have.