1 00:00:01,040 --> 00:00:03,199 hello guys welcome back my name is david 2 00:00:03,199 --> 00:00:04,799 and today we are going to troubleshoot 3 00:00:04,799 --> 00:00:07,839 simple cisco network so what i mean is i 4 00:00:07,839 --> 00:00:10,480 have one com one computer and one router 5 00:00:10,480 --> 00:00:12,559 this router was configured to pass the 6 00:00:12,559 --> 00:00:14,880 traffic to translate this traffic into a 7 00:00:14,880 --> 00:00:17,760 public ip so the computer can surf the 8 00:00:17,760 --> 00:00:19,760 internet now what i did i broke the 9 00:00:19,760 --> 00:00:21,840 configuration in several places and we 10 00:00:21,840 --> 00:00:24,480 are going to start from beginning to the 11 00:00:24,480 --> 00:00:26,800 end we'll find all the problems and try 12 00:00:26,800 --> 00:00:31,240 to fix that stay with me 13 00:00:32,399 --> 00:00:35,520 okay let's start this is my computer 14 00:00:35,520 --> 00:00:37,120 this computer is supposed to have the ip 15 00:00:37,120 --> 00:00:39,840 address and dns ip address right and the 16 00:00:39,840 --> 00:00:41,760 gateway of course then traffic comes 17 00:00:41,760 --> 00:00:44,079 here on the cisco router and then from 18 00:00:44,079 --> 00:00:46,079 the router it goes to the internet 19 00:00:46,079 --> 00:00:47,520 but here 20 00:00:47,520 --> 00:00:49,600 we need to do nat right network address 21 00:00:49,600 --> 00:00:52,960 translations so let's start and find all 22 00:00:52,960 --> 00:00:54,559 the problems i caused in the 23 00:00:54,559 --> 00:00:56,160 configuration 24 00:00:56,160 --> 00:00:58,719 so in order for the traffic to leave the 25 00:00:58,719 --> 00:01:00,719 computer computer is supposed to have 26 00:01:00,719 --> 00:01:02,640 the ip address so let's make sure the computer 27 00:01:02,640 --> 00:01:05,600 has the ip address 28 00:01:06,400 --> 00:01:08,960 and when we say let's make sure computer 29 00:01:08,960 --> 00:01:11,520 has the ip address 30 00:01:11,520 --> 00:01:14,799 let's 
test the actual status of the ip 31 00:01:14,799 --> 00:01:16,799 address not the configuration and what i 32 00:01:16,799 --> 00:01:18,560 mean by that is 33 00:01:18,560 --> 00:01:20,960 you can go into a configuration and make 34 00:01:20,960 --> 00:01:22,799 sure the configuration is there by 35 00:01:22,799 --> 00:01:24,400 clicking this button 36 00:01:24,400 --> 00:01:26,720 but that's not the way i want you to 37 00:01:26,720 --> 00:01:28,560 test it i want to test it 38 00:01:28,560 --> 00:01:30,640 the actual status of the configuration 39 00:01:30,640 --> 00:01:32,799 that means you can either click here 40 00:01:32,799 --> 00:01:33,840 details 41 00:01:33,840 --> 00:01:36,079 or in the cli 42 00:01:36,079 --> 00:01:37,759 now what's the difference you must say 43 00:01:37,759 --> 00:01:39,759 the difference is that sometimes when 44 00:01:39,759 --> 00:01:41,680 you configure the ip address windows is 45 00:01:41,680 --> 00:01:43,600 not taking this ip address for some 46 00:01:43,600 --> 00:01:44,799 reason 47 00:01:44,799 --> 00:01:47,040 there can be many many reasons but the 48 00:01:47,040 --> 00:01:49,600 configuration doesn't always work so 49 00:01:49,600 --> 00:01:51,119 when you check the configuration on the 50 00:01:51,119 --> 00:01:53,119 ip address it's not necessary the 51 00:01:53,119 --> 00:01:55,119 computer is using that ip address so what we 52 00:01:55,119 --> 00:01:56,960 want to do we want to check the actual 53 00:01:56,960 --> 00:01:59,920 status of this configuration okay so 54 00:01:59,920 --> 00:02:02,079 let's see what we have we have the ip 55 00:02:02,079 --> 00:02:04,159 address here as you can see 56 00:02:04,159 --> 00:02:06,159 and we have the gateway so we know the 57 00:02:06,159 --> 00:02:08,399 ip address is there and probably the 58 00:02:08,399 --> 00:02:10,560 ip address works we can ping the ip 59 00:02:10,560 --> 00:02:12,080 address itself 60 00:02:12,080 --> 00:02:14,319 and 61 00:02:14,319 --> 00:02:17,200 yes well 
ip stack tcp stack works on the 62 00:02:17,200 --> 00:02:19,280 computer that's good so now let's test 63 00:02:19,280 --> 00:02:21,280 the gateway make sure the gateway works 64 00:02:21,280 --> 00:02:22,879 here's the gateway 65 00:02:22,879 --> 00:02:25,200 and we want to ping that gateway to make 66 00:02:25,200 --> 00:02:28,400 sure the gateway is on the network 67 00:02:28,400 --> 00:02:30,480 now you might already see that gateway 68 00:02:30,480 --> 00:02:32,720 is dot one on the topology so the 69 00:02:32,720 --> 00:02:34,480 gateway is wrong but let's try and ping 70 00:02:34,480 --> 00:02:35,440 it 71 00:02:35,440 --> 00:02:39,519 ping 192.168.1.254 72 00:02:39,519 --> 00:02:42,000 and the gateway is not pingable and how 73 00:02:42,000 --> 00:02:43,840 do let's say we don't know the if the 74 00:02:43,840 --> 00:02:45,680 gateway is correct or not 75 00:02:45,680 --> 00:02:47,840 or we know the gateway is correct but we 76 00:02:47,840 --> 00:02:50,560 are not sure why we don't ping it ping 77 00:02:50,560 --> 00:02:53,200 could could be closed nobody close icmp 78 00:02:53,200 --> 00:02:55,280 on the gateway but let's say it's closed 79 00:02:55,280 --> 00:02:57,519 you want to make sure the gateway is on 80 00:02:57,519 --> 00:02:59,280 the network and for that we can check 81 00:02:59,280 --> 00:03:01,680 the arp and let's go ahead on the windows 82 00:03:01,680 --> 00:03:03,519 machine type arp 83 00:03:03,519 --> 00:03:05,040 -a 84 00:03:05,040 --> 00:03:06,800 and this will show you arp cache and you 85 00:03:06,800 --> 00:03:08,640 know the ip address mapped to the mac address 86 00:03:08,640 --> 00:03:11,599 so let's see if we have 254 here in the 87 00:03:11,599 --> 00:03:14,080 arp cache and we don't have it 88 00:03:14,080 --> 00:03:16,640 but we have dot one 89 00:03:16,640 --> 00:03:20,720 and let's try and ping it dot one 90 00:03:21,680 --> 00:03:24,959 it's not pingable that's weird but well 91 00:03:24,959 --> 00:03:26,799 at least we 
know it's dot one but let's 92 00:03:26,799 --> 00:03:29,599 go ahead and change that one 93 00:03:29,599 --> 00:03:31,680 you know what we have the cisco router 94 00:03:31,680 --> 00:03:34,560 and we have the interface g3 w3 and 95 00:03:34,560 --> 00:03:36,159 let's see what's the ip address on the 96 00:03:36,159 --> 00:03:37,200 interface 97 00:03:37,200 --> 00:03:38,319 show 98 00:03:38,319 --> 00:03:42,239 run not show run show interface 99 00:03:42,799 --> 00:03:45,120 address 100 00:03:45,120 --> 00:03:47,840 and as you can see this is the ip 101 00:03:47,840 --> 00:03:49,040 address 102 00:03:49,040 --> 00:03:52,239 of the cisco router so yes the computer 103 00:03:52,239 --> 00:03:54,000 is supposed to have dot one as a 104 00:03:54,000 --> 00:03:56,640 gateway not 254 105 00:03:56,640 --> 00:03:58,640 so let's go ahead and fix that on the 106 00:03:58,640 --> 00:04:03,120 computer we are just one step 107 00:04:03,519 --> 00:04:06,239 closer to the fixing the problem 108 00:04:06,239 --> 00:04:08,480 and let's do one 109 00:04:08,480 --> 00:04:10,319 now 110 00:04:10,319 --> 00:04:13,439 remember dot one wasn't pingable from 111 00:04:13,439 --> 00:04:15,040 the computer 112 00:04:15,040 --> 00:04:17,040 and we want to find out why we cannot 113 00:04:17,040 --> 00:04:19,600 ping it should it be pingable should it not 114 00:04:19,600 --> 00:04:22,000 and let's go ahead and check if there is 115 00:04:22,000 --> 00:04:25,280 any access list on the cisco router 116 00:04:25,280 --> 00:04:29,840 on the inside interface show run 117 00:04:30,479 --> 00:04:34,960 inside interface gigabit ethernet 3 and pipe in for 118 00:04:34,960 --> 00:04:37,360 the inbound and sure there is an access 119 00:04:37,360 --> 00:04:42,040 list and let's check what's inside 120 00:04:42,080 --> 00:04:46,440 okay we have permit ip 192.168.3 121 00:04:47,040 --> 00:04:48,000 okay 122 00:04:48,000 --> 00:04:50,080 and slash 24 123 00:04:50,080 --> 00:04:53,520 so the access list is not 
permitting our 124 00:04:53,520 --> 00:04:55,440 traffic coming from the computer because 125 00:04:55,440 --> 00:04:58,160 remember our ip address our subnet on 126 00:04:58,160 --> 00:04:59,600 the computer is 127 00:04:59,600 --> 00:05:02,600 192.168.1 128 00:05:02,639 --> 00:05:05,759 not three but one on the third octet and 129 00:05:05,759 --> 00:05:07,840 access list on the cisco router is not 130 00:05:07,840 --> 00:05:09,520 having this dot 131 00:05:09,520 --> 00:05:13,680 one so let's go ahead and fix that 132 00:05:14,160 --> 00:05:16,639 we need to go into access list 133 00:05:16,639 --> 00:05:18,000 extended 134 00:05:18,000 --> 00:05:21,120 inside by inbound and you know we know 135 00:05:21,120 --> 00:05:23,199 for sure that they're not there's not 136 00:05:23,199 --> 00:05:25,199 supposed to be the three 137 00:05:25,199 --> 00:05:27,680 network on this lan right so it's okay 138 00:05:27,680 --> 00:05:31,680 to remove this ip address and fix that 139 00:05:31,840 --> 00:05:36,759 no 20 and then permit ip 192.168.1.0 140 00:05:38,560 --> 00:05:41,039 and 141 00:05:41,680 --> 00:05:43,680 any okay 142 00:05:43,680 --> 00:05:45,600 now it looks great 143 00:05:45,600 --> 00:05:49,800 let's see if we can ping the router 144 00:05:55,600 --> 00:05:57,759 okay we can ping the router 145 00:05:57,759 --> 00:05:59,440 great now let's check do we have the 146 00:05:59,440 --> 00:06:01,919 internet 147 00:06:03,360 --> 00:06:07,039 and no we don't okay 148 00:06:07,039 --> 00:06:08,319 let's see 149 00:06:08,319 --> 00:06:10,800 what else we are missing here do we have 150 00:06:10,800 --> 00:06:13,360 the route 151 00:06:13,360 --> 00:06:16,240 now actually let's make sure the cisco 152 00:06:16,240 --> 00:06:18,639 router has the internet ping 153 00:06:18,639 --> 00:06:21,120 made updated 154 00:06:21,120 --> 00:06:23,840 doesn't have the internet let's fix that 155 00:06:23,840 --> 00:06:25,919 so what do you need on the router to 156 
00:06:25,919 --> 00:06:27,680 have the internet you need the ip 157 00:06:27,680 --> 00:06:29,440 address you need the next hop which is 158 00:06:29,440 --> 00:06:31,600 dot one and you need connection between 159 00:06:31,600 --> 00:06:33,520 isp and the router 160 00:06:33,520 --> 00:06:35,759 let's check what is the interface on the 161 00:06:35,759 --> 00:06:37,600 gigabit ethernet one 162 00:06:37,600 --> 00:06:41,039 and what is the ip address here 163 00:06:46,080 --> 00:06:47,039 okay 164 00:06:47,039 --> 00:06:49,120 that's great now what's the gateway show 165 00:06:49,120 --> 00:06:51,199 ip route 166 00:06:51,199 --> 00:06:53,840 and our gateway is dot three but 167 00:06:53,840 --> 00:06:54,960 remember 168 00:06:54,960 --> 00:06:57,360 our isp has dot one not dot three so 169 00:06:57,360 --> 00:06:59,840 let's go ahead and fix that too 170 00:06:59,840 --> 00:07:02,479 here's my route which i need to remove 171 00:07:02,479 --> 00:07:05,440 and add the new one 172 00:07:05,440 --> 00:07:07,680 now remember if you just add the route 173 00:07:07,680 --> 00:07:09,599 you'll have two routes it's not gonna 174 00:07:09,599 --> 00:07:11,199 replace even though it has the same 175 00:07:11,199 --> 00:07:13,599 destination it's not going to replace so 176 00:07:13,599 --> 00:07:16,240 you want to remove the old route and add 177 00:07:16,240 --> 00:07:18,880 the new one 178 00:07:20,319 --> 00:07:23,199 okay now we have the route and the 179 00:07:23,199 --> 00:07:25,280 routing table proper now let's see if we 180 00:07:25,280 --> 00:07:27,039 can ping the google 181 00:07:27,039 --> 00:07:28,319 ping 182 00:07:28,319 --> 00:07:30,000 from the cisco router 183 00:07:30,000 --> 00:07:31,039 okay 184 00:07:31,039 --> 00:07:33,039 cisco router has the internet now let's 185 00:07:33,039 --> 00:07:35,039 come back on the computer and just see 186 00:07:35,039 --> 00:07:38,479 if computer also has the internet 187 00:07:38,479 --> 00:07:40,000 well no computer doesn't have the 
188 00:07:40,000 --> 00:07:42,319 internet okay 189 00:07:42,319 --> 00:07:45,280 let's think what do we need to do what 190 00:07:45,280 --> 00:07:47,680 do we need to have on the cisco router 191 00:07:47,680 --> 00:07:50,240 to allow the internet to access uh from 192 00:07:50,240 --> 00:07:52,160 the computer 193 00:07:52,160 --> 00:07:53,840 so the computer can surf the internet 194 00:07:53,840 --> 00:07:56,720 sites websites okay so first 195 00:07:56,720 --> 00:07:58,960 the computer has the private ip address you 196 00:07:58,960 --> 00:08:01,759 see and the cisco router external 197 00:08:01,759 --> 00:08:04,560 interface is the public ip address so we 198 00:08:04,560 --> 00:08:07,360 want to translate our private ips subnet 199 00:08:07,360 --> 00:08:10,400 into a public ip address of the router and for 200 00:08:10,400 --> 00:08:12,720 that we need to do the nat 201 00:08:12,720 --> 00:08:14,879 and let's make sure we have the nat 202 00:08:14,879 --> 00:08:17,599 translations on the cisco router so 203 00:08:17,599 --> 00:08:20,000 let's go ahead and try ping 204 00:08:20,000 --> 00:08:22,800 actually that's not 205 00:08:22,800 --> 00:08:26,160 let's ping and come back here and see 206 00:08:26,160 --> 00:08:30,240 if we have nat translations 207 00:08:32,719 --> 00:08:36,959 and we have some nat translations 208 00:08:38,959 --> 00:08:41,839 which is not our google ip addresses so 209 00:08:41,839 --> 00:08:43,200 let's clear up 210 00:08:43,200 --> 00:08:45,839 our ip nat translations 211 00:08:45,839 --> 00:08:47,839 dynamic i believe here 212 00:08:47,839 --> 00:08:50,720 no just just everything 213 00:08:50,720 --> 00:08:53,600 okay show ip nat translations 214 00:08:53,600 --> 00:08:55,600 we don't have new translations that 215 00:08:55,600 --> 00:08:58,080 means cisco router is not translating 216 00:08:58,080 --> 00:09:00,880 our traffic from private subnet into 217 00:09:00,880 --> 00:09:02,160 public ip 218 00:09:02,160 --> 00:09:04,320 and let's 
troubleshoot that we need to 219 00:09:04,320 --> 00:09:06,480 have the configuration for that right so 220 00:09:06,480 --> 00:09:08,240 let's let's go ahead and do this show 221 00:09:08,240 --> 00:09:10,959 run interface gigabit ethernet three and does it 222 00:09:10,959 --> 00:09:14,080 have the nat configuration on the gigabit ethernet 3 223 00:09:14,080 --> 00:09:17,200 it does and it has nat ip nat inside 224 00:09:17,200 --> 00:09:18,720 that's great now 225 00:09:18,720 --> 00:09:20,720 inside interface is supposed to have ip 226 00:09:20,720 --> 00:09:23,519 nat inside the outside interface though 227 00:09:23,519 --> 00:09:26,000 supposed to have ip nat outside let's 228 00:09:26,000 --> 00:09:28,480 check that 229 00:09:31,279 --> 00:09:33,360 oh outside interface doesn't have ip nat 230 00:09:33,360 --> 00:09:35,839 outside at all so let's go ahead and 231 00:09:35,839 --> 00:09:37,279 configure that 232 00:09:37,279 --> 00:09:39,360 ip nat outside 233 00:09:39,360 --> 00:09:40,959 and now 234 00:09:40,959 --> 00:09:44,560 we fixed nat well at least partially on 235 00:09:44,560 --> 00:09:46,880 the cisco router now we know that the 236 00:09:46,880 --> 00:09:48,640 inside interface and outside interface 237 00:09:48,640 --> 00:09:51,440 they both have nat configuration on them 238 00:09:51,440 --> 00:09:53,200 let's go ahead and check ip nat 239 00:09:53,200 --> 00:09:56,160 translation again 240 00:09:56,560 --> 00:09:59,519 all right we have some traffic here 241 00:09:59,519 --> 00:10:02,880 this is our ip address 242 00:10:02,880 --> 00:10:04,560 right right 243 00:10:04,560 --> 00:10:05,440 and 244 00:10:05,440 --> 00:10:07,680 this is what we are trying to ping 245 00:10:07,680 --> 00:10:09,600 and this is the icmp protocol and this 246 00:10:09,600 --> 00:10:13,040 is the ip address we are translated into 247 00:10:13,040 --> 00:10:15,360 so if we check this ip address on 248 00:10:15,360 --> 00:10:18,560 interface that's our ip address we know 249 00:10:18,560 --> 
00:10:21,680 that cisco router translates the packet 250 00:10:21,680 --> 00:10:23,440 into public ip 251 00:10:23,440 --> 00:10:25,920 now what we need to do is we know 252 00:10:25,920 --> 00:10:28,079 traffic comes here on the router is 253 00:10:28,079 --> 00:10:30,000 translated and we need to make sure 254 00:10:30,000 --> 00:10:32,399 traffic can leave the interface now how 255 00:10:32,399 --> 00:10:33,760 do we check that 256 00:10:33,760 --> 00:10:34,640 well 257 00:10:34,640 --> 00:10:36,560 usually if you have the route and there 258 00:10:36,560 --> 00:10:38,399 is no restriction on the interface 259 00:10:38,399 --> 00:10:41,120 traffic leaves the interface so let's go 260 00:10:41,120 --> 00:10:43,680 ahead and check that do we have any 261 00:10:43,680 --> 00:10:45,360 access list 262 00:10:45,360 --> 00:10:46,560 we don't 263 00:10:46,560 --> 00:10:49,040 but do we want to put the access list to 264 00:10:49,040 --> 00:10:50,720 make sure traffic leaves the interface 265 00:10:50,720 --> 00:10:53,120 you know you can use probably packet 266 00:10:53,120 --> 00:10:54,959 capture if you know how to do that but 267 00:10:54,959 --> 00:10:57,760 if not what you can do is do a quick 268 00:10:57,760 --> 00:10:59,920 configuration show ip access list 269 00:10:59,920 --> 00:11:01,600 extended for example 270 00:11:01,600 --> 00:11:04,320 and match our traffic in our case 271 00:11:04,320 --> 00:11:07,839 let's say outside 272 00:11:07,839 --> 00:11:11,360 isp is going to be no i thought 273 00:11:11,360 --> 00:11:14,360 outside 274 00:11:15,120 --> 00:11:17,120 that's the access list name and permit 275 00:11:17,120 --> 00:11:20,079 our traffic what is our traffic ip host 276 00:11:20,079 --> 00:11:23,680 192.168.1.10 277 00:11:23,680 --> 00:11:24,959 into 278 00:11:24,959 --> 00:11:27,120 google dns 279 00:11:27,120 --> 00:11:30,560 and we want it to be icmp but ip will 280 00:11:30,560 --> 00:11:34,079 work for as well but let's do icmp only 281 
00:11:34,079 --> 00:11:35,360 and 282 00:11:35,360 --> 00:11:36,160 now 283 00:11:36,160 --> 00:11:38,160 we want to assign this access list on 284 00:11:38,160 --> 00:11:40,880 the public interface but remember 285 00:11:40,880 --> 00:11:42,399 right now the interface doesn't have the 286 00:11:42,399 --> 00:11:44,160 access which means once you assign this 287 00:11:44,160 --> 00:11:46,399 access list you'll permit only the 288 00:11:46,399 --> 00:11:48,320 things you have in the access list and 289 00:11:48,320 --> 00:11:51,040 in our case that's only icmp packet 290 00:11:51,040 --> 00:11:52,480 coming from our computer going to the 291 00:11:52,480 --> 00:11:55,120 google but for the rest of the users 292 00:11:55,120 --> 00:11:57,279 we're gonna break the internet well if 293 00:11:57,279 --> 00:11:59,839 they have already so what we want to do 294 00:11:59,839 --> 00:12:02,480 is to add permit any any at the end of 295 00:12:02,480 --> 00:12:05,279 the access list 296 00:12:05,680 --> 00:12:07,839 which means if we assign this access 297 00:12:07,839 --> 00:12:10,399 list on the outbound interface 298 00:12:10,399 --> 00:12:12,639 for the outbound traffic 299 00:12:12,639 --> 00:12:14,959 we'll get the match here 300 00:12:14,959 --> 00:12:17,040 and hit count will increase if the 301 00:12:17,040 --> 00:12:19,519 packet leaves the router and for the 302 00:12:19,519 --> 00:12:21,279 rest of the traffic to not block them 303 00:12:21,279 --> 00:12:23,440 here's the permit ip and then so let's 304 00:12:23,440 --> 00:12:26,480 go ahead and do in gigabit ethernet 305 00:12:26,480 --> 00:12:27,519 one 306 00:12:27,519 --> 00:12:29,440 ip access group 307 00:12:29,440 --> 00:12:32,240 outside outbound and 308 00:12:32,240 --> 00:12:35,680 outbound packets so we want to do out 309 00:12:35,680 --> 00:12:36,639 and 310 00:12:36,639 --> 00:12:39,360 now now you see there is a match 311 00:12:39,360 --> 00:12:41,360 on ip any any 312 00:12:41,360 --> 00:12:43,600 
probably some kind of you know uh 313 00:12:43,600 --> 00:12:44,880 different traffic coming from the 314 00:12:44,880 --> 00:12:46,399 computer checking the updates or 315 00:12:46,399 --> 00:12:47,920 something like that but our traffic 316 00:12:47,920 --> 00:12:49,760 doesn't have the match let's generate 317 00:12:49,760 --> 00:12:52,639 the traffic on the computer 318 00:12:52,639 --> 00:12:54,639 this is our traffic 319 00:12:54,639 --> 00:12:56,959 one 320 00:12:57,120 --> 00:12:59,440 two 321 00:13:00,880 --> 00:13:01,920 okay 322 00:13:01,920 --> 00:13:04,240 and now let's check if we have the match 323 00:13:04,240 --> 00:13:07,680 on the access list 324 00:13:07,680 --> 00:13:10,320 we don't 325 00:13:10,800 --> 00:13:12,560 but that's weird 326 00:13:12,560 --> 00:13:15,519 isn't our ip address 327 00:13:15,519 --> 00:13:19,279 oh oh i'm sorry guys 328 00:13:19,279 --> 00:13:22,399 this is ridiculous remember we translated 329 00:13:22,399 --> 00:13:25,200 traffic into public ip so there's no way 330 00:13:25,200 --> 00:13:28,480 to match the 192.168.1.10 331 00:13:28,480 --> 00:13:30,480 on the egress interface so if we want 332 00:13:30,480 --> 00:13:32,639 to do something else 333 00:13:32,639 --> 00:13:37,440 let's go ahead and you know fix that 334 00:13:38,880 --> 00:13:40,399 we want to remove 335 00:13:40,399 --> 00:13:44,639 line 10 and add the new new line ip 336 00:13:44,639 --> 00:13:46,240 icmp 337 00:13:46,240 --> 00:13:47,279 host 338 00:13:47,279 --> 00:13:49,360 what's the our public ip address of the 339 00:13:49,360 --> 00:13:53,040 router it is 100 340 00:13:53,040 --> 00:13:55,519 dot 100 i believe this is the ip 341 00:13:55,519 --> 00:13:56,800 address 342 00:13:56,800 --> 00:14:01,720 and then we are going to ping google dns 343 00:14:02,000 --> 00:14:05,760 here's the access list now 344 00:14:06,800 --> 00:14:10,000 now we need to 345 00:14:10,480 --> 00:14:13,440 renumber this because it's incorrectly 346 00:14:13,440 --> 
00:14:15,600 we want to have permit any at the end so 347 00:14:15,600 --> 00:14:20,399 remove 20 permit any any 348 00:14:20,959 --> 00:14:23,839 and now it's correct okay now let's ping 349 00:14:23,839 --> 00:14:25,199 and let's see 350 00:14:25,199 --> 00:14:27,040 if packet leaves the 351 00:14:27,040 --> 00:14:30,040 router 352 00:14:36,560 --> 00:14:39,839 we still don't have the match 353 00:14:39,839 --> 00:14:42,399 on the interface okay here's the match i 354 00:14:42,399 --> 00:14:44,720 was like what's going on 355 00:14:44,720 --> 00:14:46,560 so we have match 356 00:14:46,560 --> 00:14:49,199 and that confirms two things 357 00:14:49,199 --> 00:14:51,279 not two actually several 358 00:14:51,279 --> 00:14:53,199 we have the working gateway for the 359 00:14:53,199 --> 00:14:55,680 cisco router so traffic can leave the 360 00:14:55,680 --> 00:14:56,800 interface 361 00:14:56,800 --> 00:14:59,279 now because the match is for the public 362 00:14:59,279 --> 00:15:01,600 ip address we also know that the traffic 363 00:15:01,600 --> 00:15:03,600 is being translated so even if you 364 00:15:03,600 --> 00:15:05,600 didn't check the ip nat translation this 365 00:15:05,600 --> 00:15:07,600 confirms that there was a translation 366 00:15:07,600 --> 00:15:09,760 and the private ip address is translated into 367 00:15:09,760 --> 00:15:13,199 public ip address and the third 368 00:15:13,199 --> 00:15:15,120 packet leaves the router 369 00:15:15,120 --> 00:15:16,079 okay 370 00:15:16,079 --> 00:15:16,880 now 371 00:15:16,880 --> 00:15:19,199 that's good it leaves the router is it 372 00:15:19,199 --> 00:15:20,639 coming back 373 00:15:20,639 --> 00:15:21,680 no 374 00:15:21,680 --> 00:15:24,880 it might be coming back or it it might 375 00:15:24,880 --> 00:15:27,680 not coming back depends on the problems 376 00:15:27,680 --> 00:15:29,040 on the internet 377 00:15:29,040 --> 00:15:30,720 so since this video about the 378 00:15:30,720 --> 00:15:32,399 troubleshooting let's 
make sure the 379 00:15:32,399 --> 00:15:34,399 traffic is coming back 380 00:15:34,399 --> 00:15:36,880 and for that we again can capture the 381 00:15:36,880 --> 00:15:38,959 traffic or we can assign the similar 382 00:15:38,959 --> 00:15:43,120 access list on the inbound traffic 383 00:15:44,959 --> 00:15:48,480 extended and that would be outside 384 00:15:48,480 --> 00:15:50,240 inbound 385 00:15:50,240 --> 00:15:53,120 and now what do we want to match here 386 00:15:53,120 --> 00:15:55,600 we want to match google dns as a source 387 00:15:55,600 --> 00:15:57,199 because remember 388 00:15:57,199 --> 00:15:59,680 answer is coming from google now 389 00:15:59,680 --> 00:16:01,920 and we want to do 390 00:16:01,920 --> 00:16:04,639 destination is going to be our ip 391 00:16:04,639 --> 00:16:07,120 address on the public interface on the 392 00:16:07,120 --> 00:16:08,959 outside interface 393 00:16:08,959 --> 00:16:10,880 and the protocol is icmp 394 00:16:10,880 --> 00:16:12,320 also you can use 395 00:16:12,320 --> 00:16:14,800 echo reply if you want 396 00:16:14,800 --> 00:16:17,120 not necessary for this purpose but you 397 00:16:17,120 --> 00:16:19,279 can because 398 00:16:19,279 --> 00:16:22,399 like if you are troubleshooting with 399 00:16:22,399 --> 00:16:24,800 someone else on the other side and they 400 00:16:24,800 --> 00:16:26,959 are pinging your ip address as well you 401 00:16:26,959 --> 00:16:28,880 might want to add echo reply to make 402 00:16:28,880 --> 00:16:31,360 sure this is your reply not their ping 403 00:16:31,360 --> 00:16:33,759 but google is not going to ping us so 404 00:16:33,759 --> 00:16:35,519 it's okay to not 405 00:16:35,519 --> 00:16:38,720 put the echo reply any any icmp we match 406 00:16:38,720 --> 00:16:40,959 here we know it's our reply from google 407 00:16:40,959 --> 00:16:42,160 dns 408 00:16:42,160 --> 00:16:44,639 and now let's permit any any because we 409 00:16:44,639 --> 00:16:46,560 don't want to block any other 
traffic on 410 00:16:46,560 --> 00:16:48,560 the interface because right now there is 411 00:16:48,560 --> 00:16:50,480 no access to the game there is no access 412 00:16:50,480 --> 00:16:52,720 list and if we assign the access list 413 00:16:52,720 --> 00:16:55,040 we'll block everything that is not 414 00:16:55,040 --> 00:16:57,279 permitted on the access list 415 00:16:57,279 --> 00:16:59,920 so let's go ahead and configure the 416 00:16:59,920 --> 00:17:02,240 interface gigabit 417 00:17:02,240 --> 00:17:04,480 gigabit ethernet one 418 00:17:04,480 --> 00:17:08,799 ip access list not access access group 419 00:17:08,799 --> 00:17:09,919 and 420 00:17:09,919 --> 00:17:12,000 here we use inbound 421 00:17:12,000 --> 00:17:13,600 okay in 422 00:17:13,600 --> 00:17:15,360 now 423 00:17:15,360 --> 00:17:18,000 let's check what match do we have on the 424 00:17:18,000 --> 00:17:21,600 interface for inbound traffic 425 00:17:21,600 --> 00:17:25,520 is there any reply from google 426 00:17:30,720 --> 00:17:32,960 and there is reply 427 00:17:32,960 --> 00:17:35,600 so we know now that the traffic not only 428 00:17:35,600 --> 00:17:37,760 leaves the router but it's also coming 429 00:17:37,760 --> 00:17:40,160 back from google so internet in between 430 00:17:40,160 --> 00:17:43,440 google dns and our isp is okay we 431 00:17:43,440 --> 00:17:45,440 receive the traffic but 432 00:17:45,440 --> 00:17:47,760 computers still cannot ping that 433 00:17:47,760 --> 00:17:49,200 how come 434 00:17:49,200 --> 00:17:51,919 we need the ping on the computer 435 00:17:51,919 --> 00:17:54,160 so what else are left 436 00:17:54,160 --> 00:17:56,720 when traffic comes back 437 00:17:56,720 --> 00:17:58,000 to the router 438 00:17:58,000 --> 00:18:01,840 let me try to draw it here 439 00:18:07,679 --> 00:18:09,039 where traffic 440 00:18:09,039 --> 00:18:11,919 leaves okay we we have this traffic it 441 00:18:11,919 --> 00:18:14,480 left the router 442 00:18:14,480 --> 00:18:17,840 went 
to isp not isp google dns 443 00:18:17,840 --> 00:18:20,000 and coming back and it comes here we 444 00:18:20,000 --> 00:18:23,360 have this match on this interface now 445 00:18:23,360 --> 00:18:25,679 what's supposed to happen well nat will 446 00:18:25,679 --> 00:18:28,080 catch the traffic will check the port 447 00:18:28,080 --> 00:18:30,160 translations and we'll figure out okay 448 00:18:30,160 --> 00:18:32,320 that's the returning traffic for this 449 00:18:32,320 --> 00:18:33,760 ping this guy is pinging from the 450 00:18:33,760 --> 00:18:37,120 windows 7 machine and now this packet 451 00:18:37,120 --> 00:18:38,400 sorry 452 00:18:38,400 --> 00:18:40,320 now this packet is supposed to leave this 453 00:18:40,320 --> 00:18:42,400 interface 454 00:18:42,400 --> 00:18:44,000 okay to 455 00:18:44,000 --> 00:18:45,760 to be delivered to the 456 00:18:45,760 --> 00:18:48,080 computer and let's make sure that is 457 00:18:48,080 --> 00:18:49,679 happening 458 00:18:49,679 --> 00:18:51,200 for that 459 00:18:51,200 --> 00:18:54,320 what we are going to do is 460 00:18:54,320 --> 00:18:57,559 we are 461 00:18:58,559 --> 00:19:00,400 for that we are going to check if the 462 00:19:00,400 --> 00:19:03,200 traffic leaves the cisco router 463 00:19:03,200 --> 00:19:05,600 again this is the same as we did on the 464 00:19:05,600 --> 00:19:07,200 outside interface you can capture 465 00:19:07,200 --> 00:19:08,880 traffic if you know how to capture if 466 00:19:08,880 --> 00:19:11,360 not you can assign the interface on the 467 00:19:11,360 --> 00:19:13,440 address let's first make sure there is 468 00:19:13,440 --> 00:19:17,200 no access list on the router 469 00:19:19,039 --> 00:19:22,400 and let's do out 470 00:19:22,400 --> 00:19:25,360 there is an access list okay 471 00:19:25,360 --> 00:19:27,520 now let's check what this access list 472 00:19:27,520 --> 00:19:30,080 has in it 473 00:19:30,799 --> 00:19:33,520 does it have any match 474 00:19:33,520 --> 00:19:36,799 
and it doesn't but look at this 475 00:19:36,799 --> 00:19:39,280 this subnet is not what we are expecting 476 00:19:39,280 --> 00:19:43,280 to have because remember our subnet is 477 00:19:43,280 --> 00:19:44,520 192 478 00:19:44,520 --> 00:19:46,080 161.10 479 00:19:46,080 --> 00:19:49,200 and here we see two so again the subnet 480 00:19:49,200 --> 00:19:51,120 on the access list is wrong 481 00:19:51,120 --> 00:19:55,160 let's try and fix that 482 00:20:06,559 --> 00:20:08,640 now it's correct 483 00:20:08,640 --> 00:20:09,520 so 484 00:20:09,520 --> 00:20:12,080 remember the traffic leaves the router 485 00:20:12,080 --> 00:20:15,520 so the source here is going to be any in 486 00:20:15,520 --> 00:20:17,600 our case it's google dns and destination 487 00:20:17,600 --> 00:20:20,400 is our computer so the access list order 488 00:20:20,400 --> 00:20:23,360 like from any to subnet is correct 489 00:20:23,360 --> 00:20:28,080 and let's see if we can finally ping it 490 00:20:29,200 --> 00:20:31,280 we still cannot ping it 491 00:20:31,280 --> 00:20:32,320 wow 492 00:20:32,320 --> 00:20:34,400 let's see what's going on 493 00:20:34,400 --> 00:20:37,679 is it leaving the interface 494 00:20:41,440 --> 00:20:42,960 it is actually 495 00:20:42,960 --> 00:20:44,159 it's my bad 496 00:20:44,159 --> 00:20:45,200 i did 497 00:20:45,200 --> 00:20:46,799 two again 498 00:20:46,799 --> 00:20:49,919 okay this is wrong 499 00:20:49,919 --> 00:20:52,159 ah 500 00:20:52,799 --> 00:20:56,320 this is what happened when you rush 501 00:20:57,360 --> 00:20:59,520 and 502 00:20:59,520 --> 00:21:02,000 actually turn 503 00:21:02,000 --> 00:21:03,760 and 504 00:21:03,760 --> 00:21:05,760 then we need to do 505 00:21:05,760 --> 00:21:06,799 one 506 00:21:06,799 --> 00:21:09,520 yeah once you remove the all lines from 507 00:21:09,520 --> 00:21:11,120 the access list actually doesn't work 508 00:21:11,120 --> 00:21:13,200 anymore so there's no denying any at the 509 00:21:13,200 --> 
00:21:16,080 end if there's no any line in the access list 510 00:21:16,080 --> 00:21:16,960 so 511 00:21:16,960 --> 00:21:19,360 as soon as we removed 10 we start 512 00:21:19,360 --> 00:21:21,679 pinging it and now and then we added 513 00:21:21,679 --> 00:21:23,760 correct line here 514 00:21:23,760 --> 00:21:26,960 and we can still ping it 515 00:21:26,960 --> 00:21:29,120 and we have hit counts 516 00:21:29,120 --> 00:21:32,080 so this is how you troubleshoot simple 517 00:21:32,080 --> 00:21:33,840 basic cisco network 518 00:21:33,840 --> 00:21:35,679 not only cisco network pretty much any 519 00:21:35,679 --> 00:21:38,000 network you need to know what you're 520 00:21:38,000 --> 00:21:39,520 troubleshooting you need to know how 521 00:21:39,520 --> 00:21:41,039 traffic goes 522 00:21:41,039 --> 00:21:42,559 what gateway are you supposed to have on 523 00:21:42,559 --> 00:21:44,400 the computer you need to know all the 524 00:21:44,400 --> 00:21:46,559 things to troubleshoot and 525 00:21:46,559 --> 00:21:49,039 after some several months or years you 526 00:21:49,039 --> 00:21:50,880 have the enough experience to skip some 527 00:21:50,880 --> 00:21:52,559 of the steps for example you might know 528 00:21:52,559 --> 00:21:54,400 the gateway 529 00:21:54,400 --> 00:21:56,880 on the router is correct because you 530 00:21:56,880 --> 00:21:58,880 connected to the router remotely and 531 00:21:58,880 --> 00:22:01,039 from the internet so the router most 532 00:22:01,039 --> 00:22:03,520 likely has the default gateway or you 533 00:22:03,520 --> 00:22:05,039 might know that the 534 00:22:05,039 --> 00:22:07,520 the access is not supposed to be checked 535 00:22:07,520 --> 00:22:09,280 on the inside device because user told 536 00:22:09,280 --> 00:22:11,760 you that they can ping the ip address of 537 00:22:11,760 --> 00:22:14,400 the gateway 538 00:22:14,400 --> 00:22:17,120 so many many things can be skipped based 539 00:22:17,120 --> 00:22:19,360 on your experience but 
this is from 540 00:22:19,360 --> 00:22:21,760 starting to the end you check from the 541 00:22:21,760 --> 00:22:24,159 beginning where you have the problem you 542 00:22:24,159 --> 00:22:26,559 don't check at the end if the cisco has 543 00:22:26,559 --> 00:22:28,400 the internet first you make sure you 544 00:22:28,400 --> 00:22:31,840 have everything you need to leave the uh 545 00:22:31,840 --> 00:22:34,640 area to leave the subnet now let's see 546 00:22:34,640 --> 00:22:37,600 if you can ping google the google 547 00:22:37,600 --> 00:22:38,880 website 548 00:22:38,880 --> 00:22:40,960 directly using dns 549 00:22:40,960 --> 00:22:43,360 and we can ping so if i go 550 00:22:43,360 --> 00:22:45,919 on the browser here i'll try to open the 551 00:22:45,919 --> 00:22:47,760 google website 552 00:22:47,760 --> 00:22:51,200 i should be able to open it 553 00:22:52,000 --> 00:22:53,440 and sure enough 554 00:22:53,440 --> 00:22:56,080 i can open it and it works 555 00:22:56,080 --> 00:22:57,840 perfect 556 00:22:57,840 --> 00:23:00,480 i hope this was useful for you guys and 557 00:23:00,480 --> 00:23:02,400 at some point you'll use it 558 00:23:02,400 --> 00:23:03,520 that's it 559 00:23:03,520 --> 00:23:05,600 so guys if you like this videos please 560 00:23:05,600 --> 00:23:07,760 like the video and hit the subscribe 561 00:23:07,760 --> 00:23:09,840 button if you want to see more videos 562 00:23:09,840 --> 00:23:12,320 like this also i'm looking for an ideas 563 00:23:12,320 --> 00:23:14,080 what kind of videos to create so if you 564 00:23:14,080 --> 00:23:16,000 have any idea and you're looking for 565 00:23:16,000 --> 00:23:18,559 some kind of configuration on the cisco 566 00:23:18,559 --> 00:23:19,520 or 567 00:23:19,520 --> 00:23:21,360 similar network you can put in the 568 00:23:21,360 --> 00:23:23,120 comments what do you want to see in the 569 00:23:23,120 --> 00:23:25,280 next video thanks for watching and have 570 00:23:25,280 --> 00:23:28,520 a 
good one 571 00:23:36,240 --> 00:23:38,320 you