Special projects are usually short bus special, not "very special episode of Blossom" special. Over the last two days, we were living the short bus variety....
We got a call that SECDEF was coming and a bunch of media were coming with him. Reporters need "dirty Internet" to move their video and other sundry junk. We have a dirty Internet connection on base for the Public Affairs Officer (PAO) who also has to move video and junk. So.........
Now this single computer connection needs to get spread out to over a dozen news agencies in a tiny room located over 100 ft from the satellite dish and modem. Back in the US, you'd just buy a wireless router and run with it. Not so much here.
First off, we don't have a government credit card to buy stuff because we don't have a Title 10 (Defense) budget -- we only have a Title 22 (Dept of State) budget since we do the training, equipping, advising, and mentoring of Afghanistan, not the kinetic mission with NATO. So we can't go to the PX and buy a wireless router. We have some really old routers and switches that we use for emergencies, but what can those old IOS's do? Since we don't usually NAT (network address translation) in the military, who knows how to configure the router to do it? (All the NAT'ing I've ever seen has been through a firewall vice a router -- no spare Raptor firewall appliance laying around).
TECHIE ALERT: the fol discussion will be interesting to the geeks in the group, everybody else can just accept that the press has Internet, and it was very painful to get them to it. Non-geeks can feel more than comfortable not reading any further)
We confgured a Cisco 3650 switch with only a default VLAN and no layer 3 functions (dumb switch.
We had a 3U high Cisco 2600 (that's right, not even the 1U version that came out in 2004) router.
We set up DHCP on the router. I'm used to setting up a scope in Linux or on Windows 2000, but this was a little different. I could not exclusively set up a range, I had to define a subnet range, then exclude vital addresses from the scope like the identity (192.168.13.0) and the gateway (192.168.13.1). We limited the scope to half a class C (255.255.255.128). That went okay once I realized that you have to issue conf t -- service dhcp to start the damn thing.
Next up we moved to NAT. That is where life got ugly. (I'm not a fan of NAT since it limits your network management in a lot of scenarios, but I digress).
We downloaded the Cisco guidance on NAT. Really good general guidance, but the wording is REALLY subtle about some key issues.
1) Your NAT Pool is a set of global addresses, not local.
2) Your access list is a set of local addresses, but don't use the "any" option, no translation table will generate if you do, but the IOS WILL let you make that mistake.
3) if you uber-focus on NAT, you will likely forget to create a default-gateway
4) even after you create a default-gateway, NAT is ignoring it. You must make a manual (and ip-classless) 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx entry for NAT to build its translation table.
Okay, so all that evil is over. From the console port on the router, you can ping www.google.com. Yay! You finally have Internet access on your router. Let's check the laptop. No joy. The laptop can't even ping your modem. That's bad.
Spend six hours reading every Cisco NAT article ever written (routergeek.com simply ROCKS!) That guide taught us some valuable little details:
Static NAT is easy.
Dynamic one-to-one NAT is easy.
Dynamic one-to-many NAT is not so easy.
If you have many global IPs, make a NAT pool like in the Cisco article. If you don't ignore the Cisco guidance.
If you have TWO gloabl IPS, make a NATO pool of ONE IP. It looks pretty stupid when you configure it, but it can work.
If, like in most situations, you have one IP and one IP only, then DO NOT MAKE A NAT POOL. DO NOT ASSIGN YOUR ONLY GLOBAL IP TO THE NAT STATEMENT.
You give your global IP address to your outside interface. You then write your NAT statement to use the outside interface.
Okay, even then, we weren't working. No NAT Translation table being generated. NAT debug gave us an error only addressed in the CCIE manual. Yep, not the CCNA, CCNP, CCDP, or CCDA manuals, the CCIE manual. That's WAY over my head.
So, getting tired and frustrated, we enlisted the NOC's help. They did the same stuff I did for a long while. Then we collectively decided to build a static NAT to see if I f'd up the NATing or the routing. BOOM! The NAT table populated. NAT debug gave us tons of positive info. WFT?
We rebuilt the access list to include a whole class C vice just half the class C. BOOM! the NAT kept working.
Here's what I did wrong: for my access-list statement, I used the wildcard filter of 0.0.0.128. Looks nice, but if you do the math, it should have been 0.0.0.127 b/c the filter is a ones-complement 255-128. My bad.
It all works now. We lost power twice after gettign the thing to work due to the PAO's camera lights blowing fuses. Each time before I could reload the config to NVRAM, so we got to rebuild the damn changes two more times.
Lot's of fun, below is the config file for your personal amusement....
Cheers,
Jody
PAO-Router#sh run
Building configuration...
Building configuration...
Current configuration : 1377 bytes
!
! Standard stuff that came up after the mgr wiz
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PAO-Router
!
boot-start-marker
boot-end-marker
!
! Yes, I know the pw is in the open. It's going away
!
enable secret 5 $1$Vtb4$Kb2vYuvJ9Kud22YI/PBME.
enable password root
!
no network-clock-participate aim 0
no network-clock-participate aim 1
no aaa new-model
ip subnet-zero
ip cef
!
! Set up DHCP services
! Pass gateway, one DNS (can't seem to enter another)
!
ip dhcp excluded-address 192.168.13.0 192.168.13.1
!
ip dhcp pool PAO-DHCP-POOL
network 192.168.13.0 255.255.255.0
default-router 192.168.13.1
dns-server 203.196.128.48
!
! Name server for the router, not to pass to DHCP
! I don't know what the ip ips.. is - more standard stuff
!
ip name-server 58.147.128.7
ip name-server 203.196.128.48
ip ips po max-events 100
! don't allow ftp
no ftp-server write-enable
!
! Outside interface to satellite modem
! IP taken from PAO computer
!
interface FastEthernet0/0
ip address 58.147.150.178 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
! Inside interface to switch
!
interface FastEthernet0/1
ip address 192.168.13.1 255.255.255.0
ip nat inside
ip virtual-reassembly
speed auto
half-duplex
no mop enabled
!
! I know, you expect a default-gateway statement here
! I tried it, it didn't work
!
ip classless
ip route 0.0.0.0 0.0.0.0 58.147.150.177
!
! web servers turned off for security
! Yes, telnet is still on
!
no ip http server
no ip http secure-server
!
!
! Since we have only one global IP, we designate fa0/0 as the global ip
! vice having an IP pool - THIS IS A KEY POINT TO REMEMBER
! Also, I know that "overload" is implied in the statement, but it
! is explicity written here for clarity
!
ip nat inside source list 13 interface FastEthernet0/0 overload
!
!This is the access list that cuased all the problems
! notice 0.0.0.127 vice 0.0.0.128
!
access-list 13 permit 192.168.13.0 0.0.0.127
!
!control-plane
!
line con 0
line aux 0
line vty 0 4
password toor
login
!
end
!
! Standard stuff that came up after the mgr wiz
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PAO-Router
!
boot-start-marker
boot-end-marker
!
! Yes, I know the pw is in the open. It's going away
!
enable secret 5 $1$Vtb4$Kb2vYuvJ9Kud22YI/PBME.
enable password root
!
no network-clock-participate aim 0
no network-clock-participate aim 1
no aaa new-model
ip subnet-zero
ip cef
!
! Set up DHCP services
! Pass gateway, one DNS (can't seem to enter another)
!
ip dhcp excluded-address 192.168.13.0 192.168.13.1
!
ip dhcp pool PAO-DHCP-POOL
network 192.168.13.0 255.255.255.0
default-router 192.168.13.1
dns-server 203.196.128.48
!
! Name server for the router, not to pass to DHCP
! I don't know what the ip ips.. is - more standard stuff
!
ip name-server 58.147.128.7
ip name-server 203.196.128.48
ip ips po max-events 100
! don't allow ftp
no ftp-server write-enable
!
! Outside interface to satellite modem
! IP taken from PAO computer
!
interface FastEthernet0/0
ip address 58.147.150.178 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
! Inside interface to switch
!
interface FastEthernet0/1
ip address 192.168.13.1 255.255.255.0
ip nat inside
ip virtual-reassembly
speed auto
half-duplex
no mop enabled
!
! I know, you expect a default-gateway statement here
! I tried it, it didn't work
!
ip classless
ip route 0.0.0.0 0.0.0.0 58.147.150.177
!
! web servers turned off for security
! Yes, telnet is still on
!
no ip http server
no ip http secure-server
!
!
! Since we have only one global IP, we designate fa0/0 as the global ip
! vice having an IP pool - THIS IS A KEY POINT TO REMEMBER
! Also, I know that "overload" is implied in the statement, but it
! is explicity written here for clarity
!
ip nat inside source list 13 interface FastEthernet0/0 overload
!
!This is the access list that cuased all the problems
! notice 0.0.0.127 vice 0.0.0.128
!
access-list 13 permit 192.168.13.0 0.0.0.127
!
!control-plane
!
line con 0
line aux 0
line vty 0 4
password toor
login
!
end
--
"...wrap your arms around your body armor, give it a big embrace, and LEARN TO LOVE THE SUCK!"
-- Sergeant First Class Jenkins, 13 JUL 08
