hello guys welcome back my name is david
and today we are going to troubleshoot
simple cisco network so what i mean is i
have one computer and one router
this router was configured to pass the
traffic to translate this traffic into a
public ip so the computer can surf the
internet now what i did i broke the
configuration in several places and we
are going to start from beginning to the
end we'll find all the problems and try
to fix that stay with me
okay let's start this is my computer
this computer is supposed to have the ip
address and dns ip address right and the
gateway of course then traffic comes
here on the cisco router and then from
the router it goes to the internet
but here
we need to do nat right network address
translations so let's start and find all
the problems i caused in the
configuration
so in order for the traffic to leave the
computer computer is supposed to have
the ip address so let's make sure the computer
has the ip address
and when we say let's make sure computer
has the ip address
let's test the actual status of the ip
address not the configuration and what i
mean by that is
you can go into a configuration and make
sure the configuration is there by
clicking this button
but that's not the way i want you to
test it i want to test it
the actual status of the configuration
that means you can either click here
details
or in the cli
now what's the difference you must say
the difference is that sometimes when
you configure the ip address windows is
not taking this ip address for some
reason
there can be many many reasons but the
configuration doesn't always work so
when you check the configuration on the
ip address it's not necessary the
computer is using that ip address so what we
want to do we want to check the actual
status of this configuration okay so
let's see what we have we have the ip
address here as you can see
and we have the gateway so we know the
ip address is there and probably the
ip address works we can ping the ip
address itself
and
yes well ip stack tcp stack works on the
computer that's good so now let's test
the gateway make sure the gateway works
here's the gateway
and we want to ping that gateway to make
sure the gateway is on the network
now you might already see that gateway
is dot one on the topology so the
gateway is wrong but let's try and ping
it
ping 192.168.1.254
and the gateway is not pingable and
let's say we don't know if the
gateway is correct or not
or we know the gateway is correct but we
are not sure why we don't ping it ping
could be closed nobody closed icmp
on the gateway but let's say it's closed
you want to make sure the gateway is on
the network and for that we can check
the arp and let's go ahead on the windows
machine type arp
-a
and this will show you arp cache and you
know the ip address mapped to the mac address
so let's see if we have 254 here in the
arp cache and we don't have it
but we have dot one
and let's try and ping it dot one
it's not pingable that's weird but well
at least we know it's dot one but let's
go ahead and change that one
you know what we have the cisco router
and we have the interface gig3 and
let's see what's the ip address on the
interface
show
run not sure our show interface
address
and as you can see this is the ip
address
of the cisco router so yes the computer
is supposed to have dot one as a
gateway not 254
so let's go ahead and fix that on the
computer we are just one step
closer to the fixing the problem
and let's do one
now
remember dot one wasn't pingable from
the computer
and we want to find out why we cannot
ping it should it be pingable should it not
and let's go ahead and check if there is
any access list on the cisco router
on the inside interface show run
inside interface gig3 and pipe in for
the inbound and sure there is an access
list and let's check what's inside
okay we have permit ip 192.168.3
okay
and slash24
so the access list is not permitting our
traffic coming from the computer because
remember our ip address our subnet on
the computer is
192.168.1
not three but one on the third octet and
access list on the cisco router is not
having this dot
one so let's go ahead and fix that
we need to go into access list
extended
inside by inbound and you know we know
for sure that they're not there's not
supposed to be the three
network on this lan right so it's okay
to remove this ip address and fix that
no 20 and then permit ip 192.168.1.0
and
any okay
now it looks great
let's see if we can ping the router
okay we can ping the router
great now let's check do we have the
internet
and no we don't okay
let's see
what else we are missing here do we have
the route
now actually let's make sure the cisco
router has the internet ping
made updated
doesn't have the internet let's fix that
so what do you need on the router to
have the internet you need the ip
address you need the next hop which is
dot one and you need connection between
isp and the router
let's check what is the interface on the
gig one
and what is the ip address here
okay
that's great now what's the gateway show
ip route
and our gateway is dot three but
remember
our isp has dot one not dot three so
let's go ahead and fix that too
here's my route which i need to remove
and add the new one
now remember if you just add the route
you'll have two routes it's not gonna
replace even though it has the same
destination it's not going to replace so
you want to remove the old route and add
the new one
okay now we have the route and the
routing table proper now let's see if we
can ping the google
ping
from the cisco router
okay
cisco router has the internet now let's
come back on the computer and just see
if the computer also has the internet
well no computer doesn't have the
internet okay
let's think what do we need to do what
do we need to have on the cisco router
to allow the internet to access uh from
the computer
so the computer can surf the internet
sites websites okay so first
the computer has the private ip address you
see and the cisco router external
interface is the public ip address so we
want to translate our private ip subnet
into a public ip address of the router and for
that we need to do the nat
and let's make sure we have the nat
translations on the cisco router so
let's go ahead and try ping
actually that's not
let's ping and come back here and see
if we have nat translations
and we have some nat translations
which is not our google ip addresses so
let's clear up
our ip nat translations
dynamic i believe here
no just just everything
okay show ip nat translations
we don't have new translations that
means cisco router is not translating
our traffic from private subnet into
public ip
and let's troubleshoot that we need to
have the configuration for that right so
let's go ahead and do this show
run interface gig three and does it
have the nat configuration on the gig3
it does and it has nat ip nat inside
that's great now
inside interface is supposed to have ip
nat inside the outside interface though
supposed to have ip nat outside let's
check that
oh outside interface doesn't have ip nat
outside at all so let's go ahead and
configure that
ip nat outside
and now
we fixed nat well at least partially on
the cisco router now we know that the
inside interface and outside interface
they both have nat configuration on them
let's go ahead and check ip nat
translation again
all right we have some traffic here
this is our ip address
right right
and
this is what we are trying to ping
and this is the icmp protocol and this
is the ip address we are translated into
so if we check this ip address on
interface that's our ip address we know
that cisco router translates the packet
into public ip
now what we need to do is we know
traffic comes here on the router is
translated and we need to make sure
traffic can leave the interface now how
do we check that
well
usually if you have the route and there
is no restriction on the interface
traffic leaves the interface so let's go
ahead and check that do we have any
access list
we don't
but do we want to put the access list to
make sure traffic leaves the interface
you know you can use probably packet
capture if you know how to do that but
if not what you can do is do a quick
configuration show ip access list
extended for example
and match our traffic in our case
let's say outside
isp is going to be no i thought
outside
that's the access list name and permit
our traffic what is our traffic ip host
192.168.1.10
into
google dns
and we want it to be icmp but ip will
work as well but let's do icmp only
and
now
we want to assign this access list on
the public interface but remember
right now the interface doesn't have the
access which means once you assign this
access list you'll permit only the
things you have in the access list and
in our case that's only icmp packet
coming from our computer going to the
google but for the rest of the users
we're gonna break the internet well if
they have already so what we want to do
is to add permit any any at the end of
the access list
which means if we assign this access
list on the outbound interface
for the outbound traffic
we'll get the match here
and hit count will increase if the
packet leaves the router and for the
rest of the traffic to not block them
here's the permit ip any any so let's
go ahead and do int gigabit ethernet
one
ip access group
outside outbound and
outbound packets so we want to do out
and
now now you see there is a match
on ip any any
probably some kind of you know uh
different traffic coming from the
computer checking the updates or
something like that but our traffic
doesn't have the match let's generate
the traffic on the computer
this is our traffic
one
two
okay
and now let's check if we have the match
on the access list
we don't
but that's weird
isn't our ip address
oh oh i'm sorry guys
this is ridiculous remember we translated
traffic into public ip so there's no way
to match the 192.168.1.10
on the egress interface so if we want
to do something else
let's go ahead and you know fix that
we want to remove
line 10 and add the new line ip
icmp
host
what's the our public ip address of the
router it is 100
that 100 i believe this is the ip
address
and then we are going to ping google dns
here's the access list now
now we need to
renumber this because it's incorrect
we want to have permit any at the end so
remove 20 permit any any
and now it's correct okay now let's ping
and let's see
if packet leaves the
router
we still don't have the match
on the interface okay here's the match i
was like what's going on
so we have match
and that confirms two things
not two actually several
we have the working gateway for the
cisco router so traffic can leave the
interface
now because the match is for the public
ip address we also know that the traffic
is being translated so even if you
didn't check the ip nat translation this
confirms that there was a translation
and the private ip address is translated into
public ip address and the third
packet leaves the router
okay
now
that's good it leaves the router is it
coming back
no
it might be coming back or it might
not be coming back depends on the problems
on the internet
so since this video about the
troubleshooting let's make sure the
traffic is coming back
and for that we again can capture the
traffic or we can assign the similar
access list on the inbound traffic
extended and that would be outside
inbound
and now what do we want to match here
we want to match google dns as a source
because remember
answer is coming from google now
and we want to do
destination is going to be our ip
address on the public interface on the
outside interface
and the protocol is icmp
also you can use
echo reply if you want
not necessary for this purpose but you
can because
like if you are troubleshooting with
someone else on the other side and they
are pinging your ip address as well you
might want to add echo reply to make
sure this is your reply not their ping
but google is not going to ping us so
it's okay to not
put the echo reply any any icmp we match
here we know it's our reply from google
dns
and now let's permit any any because we
don't want to block any other traffic on
the interface because right now there is
no access list there is no access
list and if we assign the access list
we'll block everything that is not
permitted on the access list
so let's go ahead and configure the
interface gigabit
gigabit ethernet one
ip access list not access access group
and
here we use inbound
okay in
now
let's check what match do we have on the
interface for inbound traffic
is there any reply from google
and there is reply
so we know now that the traffic not only
leaves the router but it's also coming
back from google so internet in between
google dns and our isp is okay we
receive the traffic but
the computer still cannot ping that
how come
we need the ping on the computer
so what else are left
when traffic comes back
to the router
let me try to draw it here
where traffic
leaves okay we have this traffic it
left the router
went to the isp not isp google dns
and coming back and it comes here we
have this match on this interface now
what's supposed to happen well nat will
catch the traffic will check the port
translations and we'll figure out okay
that's the returning traffic for this
ping this guy is pinging from the
windows 7 machine and now this packet
sorry
now this packet is supposed to leave this
interface
okay to
to be delivered to the
computer and let's make sure that is
happening
for that
what we are going to do is
we are
for that we are going to check if the
traffic leaves the cisco router
again this is the same as we did on the
outside interface you can capture
traffic if you know how to capture if
not you can assign the interface on the
address let's first make sure there is
no access list on the router
and let's do out
there is an access list okay
now let's check what this access list
has in it
does it have any match
and it doesn't but look at this
this subnet is not what we are expecting
to have because remember our subnet is
192.168.1.0
and here we see two so again the subnet
on the access list is wrong
let's try and fix that
now it's correct
so
remember the traffic leaves the router
so the source here is going to be any in
our case it's google dns and destination
is our computer so the access list order
like from any to subnet is correct
and let's see if we can finally ping it
we still cannot ping it
wow
let's see what's going on
is it leaving the interface
it is actually
it's my bad
i did
two again
okay this is wrong
ah
this is what happened when you rush
and
actually turn
and
then we need to do
one
yeah once you remove all the lines from
the access list it actually doesn't work
anymore so there's no deny any any at the
end if there's no line in the access list
so
as soon as we removed 10 we start
pinging it and now and then we added
correct line here
and we can still ping it
and we have hit counts
so this is how you troubleshoot simple
basic cisco network
not only cisco network pretty much any
network you need to know what you're
troubleshooting you need to know how
traffic goes
what gateway are you supposed to have on
the computer you need to know all the
things to troubleshoot and
after some several months or years you
have the enough experience to skip some
of the steps for example you might know
the gateway
on the router is correct because you
connected to the router remotely and
from the internet so the router most
likely has the default gateway or you
might know that the
the access is not supposed to be checked
on the inside device because user told
you that they can ping the ip address of
the gateway
so many many things can be skipped based
on your experience but this is from
starting to the end you check from the
beginning where you have the problem you
don't check at the end if the cisco has
the internet first you make sure you
have everything you need to leave the uh
area to leave the subnet now let's see
if you can ping google the google
website
directly using dns
and we can ping so if i go
on the browser here i'll try to open the
google website
i should be able to open it
and sure enough
i can open it and it works
perfect
i hope this was useful for you guys and
at some point you'll use it
that's it
so guys if you like this video please
like the video and hit the subscribe
button if you want to see more videos
like this also i'm looking for ideas
what kind of videos to create so if you
have any idea and you're looking for
some kind of configuration on the cisco
or
similar network you can put in the
comments what do you want to see in the
next video thanks for watching and have
a good one