0:00:01.040,0:00:03.199 hello guys welcome back my name is david
0:00:03.199,0:00:04.799 and today we are going to troubleshoot
0:00:04.799,0:00:07.839 simple cisco network so what i mean is i
0:00:07.839,0:00:10.480 have one com one computer and one router
0:00:10.480,0:00:12.559 this router was configured to pass the
0:00:12.559,0:00:14.880 traffic to translate this traffic into a
0:00:14.880,0:00:17.760 public ip so the computer can surf the
0:00:17.760,0:00:19.760 internet now what i did i broke the
0:00:19.760,0:00:21.840 configuration in several places and we
0:00:21.840,0:00:24.480 are going to start from beginning to the
0:00:24.480,0:00:26.800 end we'll find all the problems and try
0:00:26.800,0:00:31.240 to fix that stay with me
0:00:32.399,0:00:35.520 okay let's start this is my computer
0:00:35.520,0:00:37.120 this computer is supposed to have the ip
0:00:37.120,0:00:39.840 address and dns ip address right and the
0:00:39.840,0:00:41.760 gateway of course then traffic comes
0:00:41.760,0:00:44.079 here on the cisco router and then from
0:00:44.079,0:00:46.079 the router it goes to the internet
0:00:46.079,0:00:47.520 but here
0:00:47.520,0:00:49.600 we need to do nat right network address
0:00:49.600,0:00:52.960 translations so let's start and find all
0:00:52.960,0:00:54.559 the problems i caused in the
0:00:54.559,0:00:56.160 configuration
0:00:56.160,0:00:58.719 so in order for the traffic to leave the
0:00:58.719,0:01:00.719 computer computer is supposed to have
0:01:00.719,0:01:02.640 the ip address so let's make sure the computer
0:01:02.640,0:01:05.600 has the ip address
0:01:06.400,0:01:08.960 and when we say let's make sure computer
0:01:08.960,0:01:11.520 has the ip address
0:01:11.520,0:01:14.799 let's test the actual status of the ip
0:01:14.799,0:01:16.799 address not the configuration and what i
0:01:16.799,0:01:18.560 mean by that is
0:01:18.560,0:01:20.960 you can go into a configuration and make
0:01:20.960,0:01:22.799 sure the configuration is there by
0:01:22.799,0:01:24.400 clicking this button
0:01:24.400,0:01:26.720 but that's not the way i want you to
0:01:26.720,0:01:28.560 test it i want to test it
0:01:28.560,0:01:30.640 the actual status of the configuration
0:01:30.640,0:01:32.799 that means you can either click here
0:01:32.799,0:01:33.840 details
0:01:33.840,0:01:36.079 or in the cli
0:01:36.079,0:01:37.759 now what's the difference you must say
0:01:37.759,0:01:39.759 the difference is that sometimes when
0:01:39.759,0:01:41.680 you configure the ip address windows is
0:01:41.680,0:01:43.600 not taking this ip address for some
0:01:43.600,0:01:44.799 reason
0:01:44.799,0:01:47.040 there can be many many reasons but the
0:01:47.040,0:01:49.600 configuration doesn't always work so
0:01:49.600,0:01:51.119 when you check the configuration on the
0:01:51.119,0:01:53.119 ip address it's not necessary the
0:01:53.119,0:01:55.119 computer is using that ip address so what we
0:01:55.119,0:01:56.960 want to do we want to check the actual
0:01:56.960,0:01:59.920 status of this configuration okay so
0:01:59.920,0:02:02.079 let's see what we have we have the ip
0:02:02.079,0:02:04.159 address here as you can see
0:02:04.159,0:02:06.159 and we have the gateway so we know the
0:02:06.159,0:02:08.399 ip address is there and probably the
0:02:08.399,0:02:10.560 ip address works we can ping the ip
0:02:10.560,0:02:12.080 address itself
0:02:12.080,0:02:14.319 and
0:02:14.319,0:02:17.200 yes well ip stack tcp stack works on the
0:02:17.200,0:02:19.280 computer that's good so now let's test
0:02:19.280,0:02:21.280 the gateway make sure the gateway works
0:02:21.280,0:02:22.879 here's the gateway
0:02:22.879,0:02:25.200 and we want to ping that gateway to make
0:02:25.200,0:02:28.400 sure the gateway is on the network
0:02:28.400,0:02:30.480 now you might already see that gateway
0:02:30.480,0:02:32.720 is dot one on the topology so the
0:02:32.720,0:02:34.480 gateway is wrong but let's try and ping
0:02:34.480,0:02:35.440 it
0:02:35.440,0:02:39.519 ping 192.168.1.254
0:02:39.519,0:02:42.000 and the gateway is not pingable and how
0:02:42.000,0:02:43.840 do let's say we don't know the if the
0:02:43.840,0:02:45.680 gateway is correct or not
0:02:45.680,0:02:47.840 or we know the gateway is correct but we
0:02:47.840,0:02:50.560 are not sure why we don't ping it ping
0:02:50.560,0:02:53.200 could could be closed nobody close icmp
0:02:53.200,0:02:55.280 on the gateway but let's say it's closed
0:02:55.280,0:02:57.519 you want to make sure the gateway is on
0:02:57.519,0:02:59.280 the network and for that we can check
0:02:59.280,0:03:01.680 the arp and let's go ahead on the windows
0:03:01.680,0:03:03.519 machine type arp
0:03:03.519,0:03:05.040 -a
0:03:05.040,0:03:06.800 and this will show you arp cache and you
0:03:06.800,0:03:08.640 know the ip address mapped to the mac
0:03:08.640,0:03:11.599 so let's see if we have 254 here in the
0:03:11.599,0:03:14.080 arp cache and we don't have it
0:03:14.080,0:03:16.640 but we have dot one
0:03:16.640,0:03:20.720 and let's try and ping it dot one
0:03:21.680,0:03:24.959 it's not pingable that's weird but well
0:03:24.959,0:03:26.799 at least we know it's dot one but let's
0:03:26.799,0:03:29.599 go ahead and change that one
0:03:29.599,0:03:31.680 you know what we have the cisco router
0:03:31.680,0:03:34.560 and we have the interface g3 w3 and
0:03:34.560,0:03:36.159 let's see what's the ip address on the
0:03:36.159,0:03:37.200 interface
0:03:37.200,0:03:38.319 show
0:03:38.319,0:03:42.239 run not sure our show interface
0:03:42.799,0:03:45.120 address
0:03:45.120,0:03:47.840 and as you can see this is the ip
0:03:47.840,0:03:49.040 address
0:03:49.040,0:03:52.239 of the cisco router so yes the computer
0:03:52.239,0:03:54.000 is supposed to have dot one as a
0:03:54.000,0:03:56.640 gateway not 254
0:03:56.640,0:03:58.640 so let's go ahead and fix that on the
0:03:58.640,0:04:03.120 computer we are just one step
0:04:03.519,0:04:06.239 closer to the fixing the problem
0:04:06.239,0:04:08.480 and let's do one
0:04:08.480,0:04:10.319 now
0:04:10.319,0:04:13.439 remember dot one wasn't pingable from
0:04:13.439,0:04:15.040 the computer
0:04:15.040,0:04:17.040 and we want to find out why we cannot
0:04:17.040,0:04:19.600 ping it should it be pingable should it not
0:04:19.600,0:04:22.000 and let's go ahead and check if there is
0:04:22.000,0:04:25.280 any access list on the cisco router
0:04:25.280,0:04:29.840 on the inside interface show run
0:04:30.479,0:04:34.960 inside interface gig 3 and pipe in for
0:04:34.960,0:04:37.360 the inbound and sure there is an access
0:04:37.360,0:04:42.040 list and let's check what's inside
0:04:42.080,0:04:46.440 okay we have permit ip 192.168.3
0:04:47.040,0:04:48.000 okay
0:04:48.000,0:04:50.080 and slash 24
0:04:50.080,0:04:53.520 so the access list is not permitting our
0:04:53.520,0:04:55.440 traffic coming from the computer because
0:04:55.440,0:04:58.160 remember our ip address our subnet on
0:04:58.160,0:04:59.600 the computer is
0:04:59.600,0:05:02.600 192.168.1
0:05:02.639,0:05:05.759 not three but one on the third octet and
0:05:05.759,0:05:07.840 access list on the cisco router is not
0:05:07.840,0:05:09.520 having this dot
0:05:09.520,0:05:13.680 one so let's go ahead and fix that
0:05:14.160,0:05:16.639 we need to go into access list
0:05:16.639,0:05:18.000 extended
0:05:18.000,0:05:21.120 inside by inbound and you know we know
0:05:21.120,0:05:23.199 for sure that they're not there's not
0:05:23.199,0:05:25.199 supposed to be the three
0:05:25.199,0:05:27.680 network on this lan right so it's okay
0:05:27.680,0:05:31.680 to remove this ip address and fix that
0:05:31.840,0:05:36.759 no 20 and then permit ip 192.168.1.0
0:05:38.560,0:05:41.039 and
0:05:41.680,0:05:43.680 any okay
0:05:43.680,0:05:45.600 now it looks great
0:05:45.600,0:05:49.800 let's see if we can ping the router
0:05:55.600,0:05:57.759 okay we can ping the
router
0:05:57.759,0:05:59.440 great now let's check do we have the
0:05:59.440,0:06:01.919 internet
0:06:03.360,0:06:07.039 and no we don't okay
0:06:07.039,0:06:08.319 let's see
0:06:08.319,0:06:10.800 what else we are missing here do we have
0:06:10.800,0:06:13.360 the route
0:06:13.360,0:06:16.240 now actually let's make sure the cisco
0:06:16.240,0:06:18.639 router has the internet ping
0:06:18.639,0:06:21.120 made updated
0:06:21.120,0:06:23.840 doesn't have the internet let's fix that
0:06:23.840,0:06:25.919 so what do you need on the router to
0:06:25.919,0:06:27.680 have the internet you need the ip
0:06:27.680,0:06:29.440 address you need the next hop which is
0:06:29.440,0:06:31.600 dot one and you need connection between
0:06:31.600,0:06:33.520 isp and the router
0:06:33.520,0:06:35.759 let's check what is the interface on the
0:06:35.759,0:06:37.600 gig 1
0:06:37.600,0:06:41.039 and what is the ip address here
0:06:46.080,0:06:47.039 okay
0:06:47.039,0:06:49.120 that's great now what's the gateway show
0:06:49.120,0:06:51.199 ip route
0:06:51.199,0:06:53.840 and our gateway is dot three but
0:06:53.840,0:06:54.960 remember
0:06:54.960,0:06:57.360 our isp has dot one not dot three so
0:06:57.360,0:06:59.840 let's go ahead and fix that too
0:06:59.840,0:07:02.479 here's my route which i need to remove
0:07:02.479,0:07:05.440 and add the new one
0:07:05.440,0:07:07.680 now remember if you just add the route
0:07:07.680,0:07:09.599 you'll have two routes it's not gonna
0:07:09.599,0:07:11.199 replace even though it has the same
0:07:11.199,0:07:13.599 destination it's not going to replace so
0:07:13.599,0:07:16.240 you want to remove the old route and add
0:07:16.240,0:07:18.880 the new one
0:07:20.319,0:07:23.199 okay now we have the route and the
0:07:23.199,0:07:25.280 routing table proper now let's see if we
0:07:25.280,0:07:27.039 can ping the google
0:07:27.039,0:07:28.319 ping
0:07:28.319,0:07:30.000 from the cisco router
0:07:30.000,0:07:31.039 okay
0:07:31.039,0:07:33.039 cisco router has the internet now let's
0:07:33.039,0:07:35.039 come back on the computer and just see
0:07:35.039,0:07:38.479 if computer also has the internet
0:07:38.479,0:07:40.000 well no computer doesn't have the
0:07:40.000,0:07:42.319 internet okay
0:07:42.319,0:07:45.280 let's think what do we need to do what
0:07:45.280,0:07:47.680 do we need to have on the cisco router
0:07:47.680,0:07:50.240 to allow the internet to access uh from
0:07:50.240,0:07:52.160 the computer
0:07:52.160,0:07:53.840 so the computer can surf the internet
0:07:53.840,0:07:56.720 sites websites okay so first
0:07:56.720,0:07:58.960 the computer has the private ip address you
0:07:58.960,0:08:01.759 see and the cisco router external
0:08:01.759,0:08:04.560 interface is the public ip address so we
0:08:04.560,0:08:07.360 want to translate our private ips subnet
0:08:07.360,0:08:10.400 into a public ip address of the router and for
0:08:10.400,0:08:12.720 that we need to do the nat
0:08:12.720,0:08:14.879 and let's make sure we have the nat
0:08:14.879,0:08:17.599 translations on the cisco router so
0:08:17.599,0:08:20.000 let's go ahead and try ping
0:08:20.000,0:08:22.800 actually that's not
0:08:22.800,0:08:26.160 let's ping and come back here and see
0:08:26.160,0:08:30.240 if we have nat translations
0:08:32.719,0:08:36.959 and we have some nat translations
0:08:38.959,0:08:41.839 which is not our google ip addresses so
0:08:41.839,0:08:43.200 let's clear up
0:08:43.200,0:08:45.839 our ip nat translations
0:08:45.839,0:08:47.839 dynamic i believe here
0:08:47.839,0:08:50.720 no just just everything
0:08:50.720,0:08:53.600 okay show ip nat translations
0:08:53.600,0:08:55.600 we don't have new translations that
0:08:55.600,0:08:58.080 means cisco router is not translating
0:08:58.080,0:09:00.880 our traffic from private subnet into
0:09:00.880,0:09:02.160 public ip
0:09:02.160,0:09:04.320 and let's troubleshoot that we need to
0:09:04.320,0:09:06.480 have the configuration for that right so
0:09:06.480,0:09:08.240 let's let's go ahead and do this show
0:09:08.240,0:09:10.959 run interface gig 3 and does it
0:09:10.959,0:09:14.080 have the nat configuration on the gig 3
0:09:14.080,0:09:17.200 it does and it has nat ip nat inside
0:09:17.200,0:09:18.720 that's great now
0:09:18.720,0:09:20.720 inside interface is supposed to have ip
0:09:20.720,0:09:23.519 nat inside the outside interface though
0:09:23.519,0:09:26.000 supposed to have ip nat outside let's
0:09:26.000,0:09:28.480 check that
0:09:31.279,0:09:33.360 oh outside interface doesn't have ip nat
0:09:33.360,0:09:35.839 outside at all so let's go ahead and
0:09:35.839,0:09:37.279 configure that
0:09:37.279,0:09:39.360 ip nat outside
0:09:39.360,0:09:40.959 and now
0:09:40.959,0:09:44.560 we fixed nat well at least partially on
0:09:44.560,0:09:46.880 the cisco router now we know that the
0:09:46.880,0:09:48.640 inside interface and outside interface
0:09:48.640,0:09:51.440 they both have nat configuration on them
0:09:51.440,0:09:53.200 let's go ahead and check ip nat
0:09:53.200,0:09:56.160 translation again
0:09:56.560,0:09:59.519 all right we have some traffic here
0:09:59.519,0:10:02.880 this is our ip address
0:10:02.880,0:10:04.560 right right
0:10:04.560,0:10:05.440 and
0:10:05.440,0:10:07.680 this is what we are trying to ping
0:10:07.680,0:10:09.600 and this is the icmp protocol and this
0:10:09.600,0:10:13.040 is the ip address we are translated into
0:10:13.040,0:10:15.360 so if we check this ip address on
0:10:15.360,0:10:18.560 interface that's our ip address we know
0:10:18.560,0:10:21.680 that cisco router translates the packet
0:10:21.680,0:10:23.440 into public ip
0:10:23.440,0:10:25.920 now what we need to do is we know
0:10:25.920,0:10:28.079 traffic comes here on the router is
0:10:28.079,0:10:30.000 translated and we need to make sure
0:10:30.000,0:10:32.399 traffic can leave the interface now how
0:10:32.399,0:10:33.760 do we check that
0:10:33.760,0:10:34.640 well
0:10:34.640,0:10:36.560 usually if you have the route and there
0:10:36.560,0:10:38.399 is no restriction on the interface
0:10:38.399,0:10:41.120 traffic leaves the interface so let's go
0:10:41.120,0:10:43.680 ahead and check that do we have any
0:10:43.680,0:10:45.360 access list
0:10:45.360,0:10:46.560 we don't
0:10:46.560,0:10:49.040 but do we want to put the access list to
0:10:49.040,0:10:50.720 make sure traffic leaves the interface
0:10:50.720,0:10:53.120 you know you can use probably packet
0:10:53.120,0:10:54.959 capture if you know how to do that but
0:10:54.959,0:10:57.760 if not what you can do is do a quick
0:10:57.760,0:10:59.920 configuration show ip access list
0:10:59.920,0:11:01.600 extended for example
0:11:01.600,0:11:04.320 and match our traffic in our case
0:11:04.320,0:11:07.839 let's say outside
0:11:07.839,0:11:11.360 isp is going to be no i thought
0:11:11.360,0:11:14.360 outside
0:11:15.120,0:11:17.120 that's the access list name and permit
0:11:17.120,0:11:20.079 our traffic what is our traffic ip host
0:11:20.079,0:11:23.680 192.168.1.10
0:11:23.680,0:11:24.959 into
0:11:24.959,0:11:27.120 google dns
0:11:27.120,0:11:30.560 and we want it to be icmp but ip will
0:11:30.560,0:11:34.079 work for as well but let's do icmp only
0:11:34.079,0:11:35.360 and
0:11:35.360,0:11:36.160 now
0:11:36.160,0:11:38.160 we want to assign this access list on
0:11:38.160,0:11:40.880 the public interface but remember
0:11:40.880,0:11:42.399 right now the interface doesn't have the
0:11:42.399,0:11:44.160 access which means once you assign this
0:11:44.160,0:11:46.399 access list you'll permit only the
0:11:46.399,0:11:48.320 things you have in the access list and
0:11:48.320,0:11:51.040 in our case that's only icmp packet
0:11:51.040,0:11:52.480 coming from our computer going to the
0:11:52.480,0:11:55.120 google but for the rest of the users
0:11:55.120,0:11:57.279 we're gonna break
the internet well if
0:11:57.279,0:11:59.839 they have already so what we want to do
0:11:59.839,0:12:02.480 is to add permit any any at the end of
0:12:02.480,0:12:05.279 the access list
0:12:05.680,0:12:07.839 which means if we assign this access
0:12:07.839,0:12:10.399 list on the outbound interface
0:12:10.399,0:12:12.639 for the outbound traffic
0:12:12.639,0:12:14.959 we'll get the match here
0:12:14.959,0:12:17.040 and hit count will increase if the
0:12:17.040,0:12:19.519 packet leaves the router and for the
0:12:19.519,0:12:21.279 rest of the traffic to not block them
0:12:21.279,0:12:23.440 here's the permit ip any any so let's
0:12:23.440,0:12:26.480 go ahead and do in gigabit ethernet
0:12:26.480,0:12:27.519 one
0:12:27.519,0:12:29.440 ip access group
0:12:29.440,0:12:32.240 outside outbound and
0:12:32.240,0:12:35.680 outbound packets so we want to do out
0:12:35.680,0:12:36.639 and
0:12:36.639,0:12:39.360 now now you see there is a match
0:12:39.360,0:12:41.360 on ip any any
0:12:41.360,0:12:43.600 probably some kind of you know uh
0:12:43.600,0:12:44.880 different traffic coming from the
0:12:44.880,0:12:46.399 computer checking the updates or
0:12:46.399,0:12:47.920 something like that but our traffic
0:12:47.920,0:12:49.760 doesn't have the match let's generate
0:12:49.760,0:12:52.639 the traffic on the computer
0:12:52.639,0:12:54.639 this is our traffic
0:12:54.639,0:12:56.959 one
0:12:57.120,0:12:59.440 two
0:13:00.880,0:13:01.920 okay
0:13:01.920,0:13:04.240 and now let's check if we have the match
0:13:04.240,0:13:07.680 on the access list
0:13:07.680,0:13:10.320 we don't
0:13:10.800,0:13:12.560 but that's weird
0:13:12.560,0:13:15.519 isn't our ip address
0:13:15.519,0:13:19.279 oh oh i'm sorry guys
0:13:19.279,0:13:22.399 this ridiculous remember we translated
0:13:22.399,0:13:25.200 traffic into public ip so there's no way
0:13:25.200,0:13:28.480 to match the 192.168.1.10
0:13:28.480,0:13:30.480 on the egress interface so if we want
0:13:30.480,0:13:32.639 to do something else
0:13:32.639,0:13:37.440 let's go ahead and you know fix that
0:13:38.880,0:13:40.399 we want to remove
0:13:40.399,0:13:44.639 line 10 and add the new new line ip
0:13:44.639,0:13:46.240 icmp
0:13:46.240,0:13:47.279 host
0:13:47.279,0:13:49.360 what's the our public ip address of the
0:13:49.360,0:13:53.040 router it is 100
0:13:53.040,0:13:55.519 dot 100 i believe this is the ip
0:13:55.519,0:13:56.800 address
0:13:56.800,0:14:01.720 and then we are going to ping google dns
0:14:02.000,0:14:05.760 here's the access list now
0:14:06.800,0:14:10.000 now we need to
0:14:10.480,0:14:13.440 renumber this because it's incorrectly
0:14:13.440,0:14:15.600 we want to have permit any at the end so
0:14:15.600,0:14:20.399 remove 20 permit any any
0:14:20.959,0:14:23.839 and now it's correct okay now let's ping
0:14:23.839,0:14:25.199 and let's see
0:14:25.199,0:14:27.040 if packet leaves the
0:14:27.040,0:14:30.040 router
0:14:36.560,0:14:39.839 we still don't have the match
0:14:39.839,0:14:42.399 on the interface okay here's the match i
0:14:42.399,0:14:44.720 was like what's going on
0:14:44.720,0:14:46.560 so we have match
0:14:46.560,0:14:49.199 and that confirms two things
0:14:49.199,0:14:51.279 not two actually several
0:14:51.279,0:14:53.199 we have the working gateway for the
0:14:53.199,0:14:55.680 cisco router so traffic can leave the
0:14:55.680,0:14:56.800 interface
0:14:56.800,0:14:59.279 now because the match is for the public
0:14:59.279,0:15:01.600 ip address we also know that the traffic
0:15:01.600,0:15:03.600 is being translated so even if you
0:15:03.600,0:15:05.600 didn't check the ip nat translation this
0:15:05.600,0:15:07.600 confirms that there was a translation
0:15:07.600,0:15:09.760 and the private ip address is translated into
0:15:09.760,0:15:13.199 public ip address and the third
0:15:13.199,0:15:15.120 packet leaves the router
0:15:15.120,0:15:16.079 okay
0:15:16.079,0:15:16.880 now
0:15:16.880,0:15:19.199
that's good it leaves the router is it
0:15:19.199,0:15:20.639 coming back
0:15:20.639,0:15:21.680 no
0:15:21.680,0:15:24.880 it might be coming back or it it might
0:15:24.880,0:15:27.680 not coming back depends on the problems
0:15:27.680,0:15:29.040 on the internet
0:15:29.040,0:15:30.720 so since this video about the
0:15:30.720,0:15:32.399 troubleshooting let's make sure the
0:15:32.399,0:15:34.399 traffic is coming back
0:15:34.399,0:15:36.880 and for that we again can capture the
0:15:36.880,0:15:38.959 traffic or we can assign the similar
0:15:38.959,0:15:43.120 access list on the inbound traffic
0:15:44.959,0:15:48.480 extended and that would be outside
0:15:48.480,0:15:50.240 inbound
0:15:50.240,0:15:53.120 and now what do we want to match here
0:15:53.120,0:15:55.600 we want to match google dns as a source
0:15:55.600,0:15:57.199 because remember
0:15:57.199,0:15:59.680 answer is coming from google now
0:15:59.680,0:16:01.920 and we want to do
0:16:01.920,0:16:04.639 destination is going to be our ip
0:16:04.639,0:16:07.120 address on the public interface on the
0:16:07.120,0:16:08.959 outside interface
0:16:08.959,0:16:10.880 and the protocol is icmp
0:16:10.880,0:16:12.320 also you can use
0:16:12.320,0:16:14.800 echo reply if you want
0:16:14.800,0:16:17.120 not necessary for this purpose but you
0:16:17.120,0:16:19.279 can because
0:16:19.279,0:16:22.399 like if you are troubleshooting with
0:16:22.399,0:16:24.800 someone else on the other side and they
0:16:24.800,0:16:26.959 are pinging your ip address as well you
0:16:26.959,0:16:28.880 might want to add echo reply to make
0:16:28.880,0:16:31.360 sure this is your reply not their ping
0:16:31.360,0:16:33.759 but google is not going to ping us so
0:16:33.759,0:16:35.519 it's okay to not
0:16:35.519,0:16:38.720 put the echo reply any any icmp we match
0:16:38.720,0:16:40.959 here we know it's our reply from google
0:16:40.959,0:16:42.160 dns
0:16:42.160,0:16:44.639 and now let's permit any any because
we
0:16:44.639,0:16:46.560 don't want to block any other traffic on
0:16:46.560,0:16:48.560 the interface because right now there is
0:16:48.560,0:16:50.480 no access to the game there is no access
0:16:50.480,0:16:52.720 list and if we assign the access list
0:16:52.720,0:16:55.040 we'll block everything that is not
0:16:55.040,0:16:57.279 permitted on the access list
0:16:57.279,0:16:59.920 so let's go ahead and configure the
0:16:59.920,0:17:02.240 internet gigabyte
0:17:02.240,0:17:04.480 gigabit ethernet one
0:17:04.480,0:17:08.799 ip access list not access access group
0:17:08.799,0:17:09.919 and
0:17:09.919,0:17:12.000 here we use inbound
0:17:12.000,0:17:13.600 okay in
0:17:13.600,0:17:15.360 now
0:17:15.360,0:17:18.000 let's check what match do we have on the
0:17:18.000,0:17:21.600 interface for inbound traffic
0:17:21.600,0:17:25.520 is there any reply from google
0:17:30.720,0:17:32.960 and there is reply
0:17:32.960,0:17:35.600 so we know now that the traffic not only
0:17:35.600,0:17:37.760 leaves the router but it's also coming
0:17:37.760,0:17:40.160 back from google so internet in between
0:17:40.160,0:17:43.440 google dns and our isp is okay we
0:17:43.440,0:17:45.440 receive the traffic but
0:17:45.440,0:17:47.760 computers still cannot ping that
0:17:47.760,0:17:49.200 how come
0:17:49.200,0:17:51.919 we need the ping on the computer
0:17:51.919,0:17:54.160 so what else are left
0:17:54.160,0:17:56.720 when traffic comes back
0:17:56.720,0:17:58.000 to the router
0:17:58.000,0:18:01.840 let me try to draw it here
0:18:07.679,0:18:09.039 where traffic
0:18:09.039,0:18:11.919 lives okay we we have this traffic it
0:18:11.919,0:18:14.480 left the router
0:18:14.480,0:18:17.840 went to isp not isp google dns
0:18:17.840,0:18:20.000 and coming back and it comes here we
0:18:20.000,0:18:23.360 have this match on this interface now
0:18:23.360,0:18:25.679 what's supposed to happen well nat will
0:18:25.679,0:18:28.080 catch the traffic will check the port
0:18:28.080,0:18:30.160 translations and we'll figure out okay
0:18:30.160,0:18:32.320 that's the returning traffic for this
0:18:32.320,0:18:33.760 ping this guy is pinging from the
0:18:33.760,0:18:37.120 windows 7 machine and now this packet
0:18:37.120,0:18:38.400 sorry
0:18:38.400,0:18:40.320 now this packet supposed to leave this
0:18:40.320,0:18:42.400 interface
0:18:42.400,0:18:44.000 okay to
0:18:44.000,0:18:45.760 to be delivered to the
0:18:45.760,0:18:48.080 computer and let's make sure that is
0:18:48.080,0:18:49.679 happening
0:18:49.679,0:18:51.200 for that
0:18:51.200,0:18:54.320 what we are going to do is
0:18:54.320,0:18:57.559 we are
0:18:58.559,0:19:00.400 for that we are going to check if the
0:19:00.400,0:19:03.200 traffic leaves the cisco router
0:19:03.200,0:19:05.600 again this is the same as we did on the
0:19:05.600,0:19:07.200 outside interface you can capture
0:19:07.200,0:19:08.880 traffic if you know how to capture if
0:19:08.880,0:19:11.360 not you can assign the interface on the
0:19:11.360,0:19:13.440 address let's first make sure there is
0:19:13.440,0:19:17.200 no access list on the router
0:19:19.039,0:19:22.400 and let's do out
0:19:22.400,0:19:25.360 there is an access list okay
0:19:25.360,0:19:27.520 now let's check what this access list
0:19:27.520,0:19:30.080 has in it
0:19:30.799,0:19:33.520 does it have any match
0:19:33.520,0:19:36.799 and it doesn't but look at this
0:19:36.799,0:19:39.280 this subnet is not what we are expecting
0:19:39.280,0:19:43.280 to have because remember our subnet is
0:19:43.280,0:19:44.520 192
0:19:44.520,0:19:46.080 168.1.10
0:19:46.080,0:19:49.200 and here we see two so again the subnet
0:19:49.200,0:19:51.120 on the access list is wrong
0:19:51.120,0:19:55.160 let's try and fix that
0:20:06.559,0:20:08.640 now it's correct
0:20:08.640,0:20:09.520 so
0:20:09.520,0:20:12.080 remember the traffic leaves the router
0:20:12.080,0:20:15.520 so the source here is going to be any in
0:20:15.520,0:20:17.600
our case it's google dns and destination
0:20:17.600,0:20:20.400 is our computer so the access list order
0:20:20.400,0:20:23.360 like from any to subnet is correct
0:20:23.360,0:20:28.080 and let's see if we can finally ping it
0:20:29.200,0:20:31.280 we still cannot ping it
0:20:31.280,0:20:32.320 wow
0:20:32.320,0:20:34.400 let's see what's going on
0:20:34.400,0:20:37.679 is it leaving the interface
0:20:41.440,0:20:42.960 it is actually
0:20:42.960,0:20:44.159 it's my bad
0:20:44.159,0:20:45.200 i did
0:20:45.200,0:20:46.799 two again
0:20:46.799,0:20:49.919 okay this is wrong
0:20:49.919,0:20:52.159 ah
0:20:52.799,0:20:56.320 this is what happened when you rush
0:20:57.360,0:20:59.520 and
0:20:59.520,0:21:02.000 actually turn
0:21:02.000,0:21:03.760 and
0:21:03.760,0:21:05.760 then we need to do
0:21:05.760,0:21:06.799 one
0:21:06.799,0:21:09.520 yeah once you remove the all lines from
0:21:09.520,0:21:11.120 the access list that actually doesn't work
0:21:11.120,0:21:13.200 anymore so there's no deny any at the
0:21:13.200,0:21:16.080 end if there's no any line in the access list
0:21:16.080,0:21:16.960 so
0:21:16.960,0:21:19.360 as soon as we removed 10 we start
0:21:19.360,0:21:21.679 pinging it and now and then we added
0:21:21.679,0:21:23.760 correct line here
0:21:23.760,0:21:26.960 and we can still ping it
0:21:26.960,0:21:29.120 and we have hit counts
0:21:29.120,0:21:32.080 so this is how you troubleshoot simple
0:21:32.080,0:21:33.840 basic cisco network
0:21:33.840,0:21:35.679 not only cisco network pretty much any
0:21:35.679,0:21:38.000 network you need to know what you're
0:21:38.000,0:21:39.520 troubleshooting you need to know how
0:21:39.520,0:21:41.039 traffic goes
0:21:41.039,0:21:42.559 what gateway are you supposed to have on
0:21:42.559,0:21:44.400 the computer you need to know all the
0:21:44.400,0:21:46.559 things to troubleshoot and
0:21:46.559,0:21:49.039 after some several months or years you
0:21:49.039,0:21:50.880 have the enough experience
to skip some
0:21:50.880,0:21:52.559 of the steps for example you might know
0:21:52.559,0:21:54.400 the gateway
0:21:54.400,0:21:56.880 on the router is correct because you
0:21:56.880,0:21:58.880 connected to the router remotely and
0:21:58.880,0:22:01.039 from the internet so the router most
0:22:01.039,0:22:03.520 likely has the default gateway or you
0:22:03.520,0:22:05.039 might know that the
0:22:05.039,0:22:07.520 the access is not supposed to be checked
0:22:07.520,0:22:09.280 on the inside device because user told
0:22:09.280,0:22:11.760 you that they can ping the ip address of
0:22:11.760,0:22:14.400 the gateway
0:22:14.400,0:22:17.120 so many many things can be skipped based
0:22:17.120,0:22:19.360 on your experience but this is from
0:22:19.360,0:22:21.760 starting to the end you check from the
0:22:21.760,0:22:24.159 beginning where you have the problem you
0:22:24.159,0:22:26.559 don't check at the end if the cisco has
0:22:26.559,0:22:28.400 the internet first you make sure you
0:22:28.400,0:22:31.840 have everything you need to leave the uh
0:22:31.840,0:22:34.640 area to leave the subnet now let's see
0:22:34.640,0:22:37.600 if you can ping google the google
0:22:37.600,0:22:38.880 website
0:22:38.880,0:22:40.960 directly using dns
0:22:40.960,0:22:43.360 and we can ping so if i go
0:22:43.360,0:22:45.919 on the browser here i'll try to open the
0:22:45.919,0:22:47.760 google website
0:22:47.760,0:22:51.200 i should be able to open it
0:22:52.000,0:22:53.440 and sure enough
0:22:53.440,0:22:56.080 i can open it and it works
0:22:56.080,0:22:57.840 perfect
0:22:57.840,0:23:00.480 i hope this was useful for you guys and
0:23:00.480,0:23:02.400 at some point you'll use it
0:23:02.400,0:23:03.520 that's it
0:23:03.520,0:23:05.600 so guys if you like this videos please
0:23:05.600,0:23:07.760 like the video and hit the subscribe
0:23:07.760,0:23:09.840 button if you want to see more videos
0:23:09.840,0:23:12.320 like this also i'm looking for an
ideas
0:23:12.320,0:23:14.080 what kind of videos to create so if you
0:23:14.080,0:23:16.000 have any idea and you're looking for
0:23:16.000,0:23:18.559 some kind of configuration on the cisco
0:23:18.559,0:23:19.520 or
0:23:19.520,0:23:21.360 similar network you can put in the
0:23:21.360,0:23:23.120 comments what do you want to see in the
0:23:23.120,0:23:25.280 next video thanks for watching and have
0:23:25.280,0:23:28.520 a good one