WEBVTT 00:00:01.040 --> 00:00:03.199 hello guys welcome back my name is david 00:00:03.199 --> 00:00:04.799 and today we are going to troubleshoot 00:00:04.799 --> 00:00:07.839 simple cisco network so what i mean is i 00:00:07.839 --> 00:00:10.480 have one com one computer and one router 00:00:10.480 --> 00:00:12.559 this router was configured to pass the 00:00:12.559 --> 00:00:14.880 traffic to translate this traffic into a 00:00:14.880 --> 00:00:17.760 public ip so the computer can surf the 00:00:17.760 --> 00:00:19.760 internet now what i did i broke the 00:00:19.760 --> 00:00:21.840 configuration in several places and we 00:00:21.840 --> 00:00:24.480 are going to start from beginning to the 00:00:24.480 --> 00:00:26.800 end we'll find all the problems and try 00:00:26.800 --> 00:00:31.240 to fix that stay with me 00:00:32.399 --> 00:00:35.520 okay let's start this is my computer 00:00:35.520 --> 00:00:37.120 this computer's supposed to have the ip 00:00:37.120 --> 00:00:39.840 address and dns ip address right and the 00:00:39.840 --> 00:00:41.760 gateway of course then traffic comes 00:00:41.760 --> 00:00:44.079 here on the cisco router and then from 00:00:44.079 --> 00:00:46.079 the router it goes to the internet 00:00:46.079 --> 00:00:47.520 but here 00:00:47.520 --> 00:00:49.600 we need to do nat right network address 00:00:49.600 --> 00:00:52.960 translations so let's start and find all 00:00:52.960 --> 00:00:54.559 the problems i caused in the 00:00:54.559 --> 00:00:56.160 configuration 00:00:56.160 --> 00:00:58.719 so in order for the traffic to leave the 00:00:58.719 --> 00:01:00.719 computer computer is supposed to have 00:01:00.719 --> 00:01:02.640 the ip address so let's make sure the computer 00:01:02.640 --> 00:01:05.600 has the ip address 00:01:06.400 --> 00:01:08.960 and when we say let's make sure computer 00:01:08.960 --> 00:01:11.520 has the ip address 00:01:11.520 --> 00:01:14.799 let's test the actual status of the ip 00:01:14.799 --> 00:01:16.799 address not
the configuration and what i 00:01:16.799 --> 00:01:18.560 mean by that is 00:01:18.560 --> 00:01:20.960 you can go into a configuration and make 00:01:20.960 --> 00:01:22.799 sure the configuration is there by 00:01:22.799 --> 00:01:24.400 clicking this button 00:01:24.400 --> 00:01:26.720 but that's not the way i want you to 00:01:26.720 --> 00:01:28.560 test it i want to test it 00:01:28.560 --> 00:01:30.640 the actual status of the configuration 00:01:30.640 --> 00:01:32.799 that means you can either click here 00:01:32.799 --> 00:01:33.840 details 00:01:33.840 --> 00:01:36.079 or in the cli 00:01:36.079 --> 00:01:37.759 now what's the difference you must say 00:01:37.759 --> 00:01:39.759 the difference is that sometimes when 00:01:39.759 --> 00:01:41.680 you configure the ip address windows is 00:01:41.680 --> 00:01:43.600 not taking this ip address for some 00:01:43.600 --> 00:01:44.799 reason 00:01:44.799 --> 00:01:47.040 there can be many many reasons but the 00:01:47.040 --> 00:01:49.600 configuration doesn't always work so 00:01:49.600 --> 00:01:51.119 when you check the configuration on the 00:01:51.119 --> 00:01:53.119 ip address it's not necessary the 00:01:53.119 --> 00:01:55.119 computer is using that ip address so what we 00:01:55.119 --> 00:01:56.960 want to do we want to check the actual 00:01:56.960 --> 00:01:59.920 status of this configuration okay so 00:01:59.920 --> 00:02:02.079 let's see what we have we have the ip 00:02:02.079 --> 00:02:04.159 address here as you can see 00:02:04.159 --> 00:02:06.159 and we have the gateway so we know the 00:02:06.159 --> 00:02:08.399 ip address is there and probably the 00:02:08.399 --> 00:02:10.560 ip address works we can ping the ip 00:02:10.560 --> 00:02:12.080 address itself 00:02:12.080 --> 00:02:14.319 and 00:02:14.319 --> 00:02:17.200 yes well ip stack tcp stack works on the 00:02:17.200 --> 00:02:19.280 computer that's good so now let's test 00:02:19.280 --> 00:02:21.280 the gateway make sure the gateway
works 00:02:21.280 --> 00:02:22.879 here's the gateway 00:02:22.879 --> 00:02:25.200 and we want to ping that gateway to make 00:02:25.200 --> 00:02:28.400 sure the gateway is on the network 00:02:28.400 --> 00:02:30.480 now you might already see that gateway 00:02:30.480 --> 00:02:32.720 is dot one on the topology so the 00:02:32.720 --> 00:02:34.480 gateway is wrong but let's try and ping 00:02:34.480 --> 00:02:35.440 it 00:02:35.440 --> 00:02:39.519 ping 192.168.1.254 00:02:39.519 --> 00:02:42.000 and the gateway is not pingable and how 00:02:42.000 --> 00:02:43.840 do let's say we don't know the if the 00:02:43.840 --> 00:02:45.680 gateway is correct or not 00:02:45.680 --> 00:02:47.840 or we know the gateway is correct but we 00:02:47.840 --> 00:02:50.560 are not sure why we don't ping it ping 00:02:50.560 --> 00:02:53.200 could could be closed nobody close icmp 00:02:53.200 --> 00:02:55.280 on the gateway but let's say it's closed 00:02:55.280 --> 00:02:57.519 you want to make sure the gateway is on 00:02:57.519 --> 00:02:59.280 the network and for that we can check 00:02:59.280 --> 00:03:01.680 the arp and let's go ahead on the windows 00:03:01.680 --> 00:03:03.519 machine type arp 00:03:03.519 --> 00:03:05.040 -a 00:03:05.040 --> 00:03:06.800 and this will show you arp cache and you 00:03:06.800 --> 00:03:08.640 know the ip address mapped to the mac address 00:03:08.640 --> 00:03:11.599 so let's see if we have 254 here in the 00:03:11.599 --> 00:03:14.080 arp cache and we don't have it 00:03:14.080 --> 00:03:16.640 but we have that one 00:03:16.640 --> 00:03:20.720 and let's try and ping it dot one 00:03:21.680 --> 00:03:24.959 it's not pingable that's weird but well 00:03:24.959 --> 00:03:26.799 at least we know it's that one but let's 00:03:26.799 --> 00:03:29.599 go ahead and change that one 00:03:29.599 --> 00:03:31.680 you know what we have the cisco router 00:03:31.680 --> 00:03:34.560 and we have the interface g3 w3 and 00:03:34.560 --> 00:03:36.159
let's see what's the ip address on the 00:03:36.159 --> 00:03:37.200 interface 00:03:37.200 --> 00:03:38.319 show 00:03:38.319 --> 00:03:42.239 run not sure our show interface 00:03:42.799 --> 00:03:45.120 address 00:03:45.120 --> 00:03:47.840 and as you can see this is the ip 00:03:47.840 --> 00:03:49.040 address 00:03:49.040 --> 00:03:52.239 of the cisco router so yes the computer 00:03:52.239 --> 00:03:54.000 is supposed to have dot one as a 00:03:54.000 --> 00:03:56.640 gateway not 254 00:03:56.640 --> 00:03:58.640 so let's go ahead and fix that on the 00:03:58.640 --> 00:04:03.120 computer we are just one step 00:04:03.519 --> 00:04:06.239 closer to the fixing the problem 00:04:06.239 --> 00:04:08.480 and let's do one 00:04:08.480 --> 00:04:10.319 now 00:04:10.319 --> 00:04:13.439 remember dot one wasn't pingable from 00:04:13.439 --> 00:04:15.040 the computer 00:04:15.040 --> 00:04:17.040 and we want to find out why we cannot 00:04:17.040 --> 00:04:19.600 ping it should we pingable should it not 00:04:19.600 --> 00:04:22.000 and let's go ahead and check if there is 00:04:22.000 --> 00:04:25.280 any access list on the cisco router 00:04:25.280 --> 00:04:29.840 on the inside interface show run 00:04:30.479 --> 00:04:34.960 inside interface gear v3 and pipe in for 00:04:34.960 --> 00:04:37.360 the inboard and sure there is an access 00:04:37.360 --> 00:04:42.040 list and let's check what's inside 00:04:42.080 --> 00:04:46.440 okay we have permit ip 192.168.3 00:04:47.040 --> 00:04:48.000 okay 00:04:48.000 --> 00:04:50.080 and slash 24 00:04:50.080 --> 00:04:53.520 so the access list is not permitting our 00:04:53.520 --> 00:04:55.440 traffic coming from the computer because 00:04:55.440 --> 00:04:58.160 remember our ip address our subnet on 00:04:58.160 --> 00:04:59.600 the computer is 00:04:59.600 --> 00:05:02.600 192.168.1 00:05:02.639 --> 00:05:05.759 not three but one on the third octet and 00:05:05.759 --> 00:05:07.840 access list on the cisco router is not
00:05:07.840 --> 00:05:09.520 having this dot 00:05:09.520 --> 00:05:13.680 one so let's go ahead and fix that 00:05:14.160 --> 00:05:16.639 we need to go into access list 00:05:16.639 --> 00:05:18.000 extended 00:05:18.000 --> 00:05:21.120 inside by inbound and you know we know 00:05:21.120 --> 00:05:23.199 for sure that they're not there's not 00:05:23.199 --> 00:05:25.199 supposed to be the three 00:05:25.199 --> 00:05:27.680 network on this lan right so it's okay 00:05:27.680 --> 00:05:31.680 to remove this ip address and fix that 00:05:31.840 --> 00:05:36.759 no 20 and then permit ip 192.168.1.0 00:05:38.560 --> 00:05:41.039 and 00:05:41.680 --> 00:05:43.680 any okay 00:05:43.680 --> 00:05:45.600 now it looks great 00:05:45.600 --> 00:05:49.800 let's see if we can ping the router 00:05:55.600 --> 00:05:57.759 okay we can ping the router 00:05:57.759 --> 00:05:59.440 great now let's check do we have the 00:05:59.440 --> 00:06:01.919 internet 00:06:03.360 --> 00:06:07.039 and no we don't okay 00:06:07.039 --> 00:06:08.319 let's see 00:06:08.319 --> 00:06:10.800 what else we are missing here do we have 00:06:10.800 --> 00:06:13.360 the route 00:06:13.360 --> 00:06:16.240 now actually let's make sure the cisco 00:06:16.240 --> 00:06:18.639 router has the internet ping 00:06:18.639 --> 00:06:21.120 made updated 00:06:21.120 --> 00:06:23.840 doesn't have the internet let's fix that 00:06:23.840 --> 00:06:25.919 so what do you need on the router to 00:06:25.919 --> 00:06:27.680 have the internet you need the ip 00:06:27.680 --> 00:06:29.440 address you need the next hop which is 00:06:29.440 --> 00:06:31.600 dot one and you need connection between 00:06:31.600 --> 00:06:33.520 isp and the router 00:06:33.520 --> 00:06:35.759 let's check what is the interface on the 00:06:35.759 --> 00:06:37.600 gear with one 00:06:37.600 --> 00:06:41.039 and what is the ip address here 00:06:46.080 --> 00:06:47.039 okay 00:06:47.039 --> 00:06:49.120 that's great now what's the
gateway show 00:06:49.120 --> 00:06:51.199 ip route 00:06:51.199 --> 00:06:53.840 and our gateway is dot three but 00:06:53.840 --> 00:06:54.960 remember 00:06:54.960 --> 00:06:57.360 our isp has dot one not dot three so 00:06:57.360 --> 00:06:59.840 let's go ahead and fix that too 00:06:59.840 --> 00:07:02.479 here's my route which i need to remove 00:07:02.479 --> 00:07:05.440 and add the new one 00:07:05.440 --> 00:07:07.680 now remember if you just add the route 00:07:07.680 --> 00:07:09.599 you'll have two routes it's not gonna 00:07:09.599 --> 00:07:11.199 replace even though it has the same 00:07:11.199 --> 00:07:13.599 destination it's not going to replace so 00:07:13.599 --> 00:07:16.240 you want to remove the old route and add 00:07:16.240 --> 00:07:18.880 the new one 00:07:20.319 --> 00:07:23.199 okay now we have the route and the 00:07:23.199 --> 00:07:25.280 routing table proper now let's see if we 00:07:25.280 --> 00:07:27.039 can ping the google 00:07:27.039 --> 00:07:28.319 ping 00:07:28.319 --> 00:07:30.000 from the cisco router 00:07:30.000 --> 00:07:31.039 okay 00:07:31.039 --> 00:07:33.039 cisco router has the internet now let's 00:07:33.039 --> 00:07:35.039 come back on the computer and just see 00:07:35.039 --> 00:07:38.479 if computers also has the internet 00:07:38.479 --> 00:07:40.000 well no computer doesn't have the 00:07:40.000 --> 00:07:42.319 internet okay 00:07:42.319 --> 00:07:45.280 let's think what do we need to do what 00:07:45.280 --> 00:07:47.680 do we need to have on the cisco router 00:07:47.680 --> 00:07:50.240 to allow the internet to access uh from 00:07:50.240 --> 00:07:52.160 the computer 00:07:52.160 --> 00:07:53.840 so the computer can surf the internet 00:07:53.840 --> 00:07:56.720 sites websites okay so first 00:07:56.720 --> 00:07:58.960 the computer has the private ip address you 00:07:58.960 --> 00:08:01.759 see and the cisco router external 00:08:01.759 --> 00:08:04.560 interface is the public ip address so we
00:08:04.560 --> 00:08:07.360 want to translate our private ips subnet 00:08:07.360 --> 00:08:10.400 into a public ip address of the router and for 00:08:10.400 --> 00:08:12.720 that we need to do the nat 00:08:12.720 --> 00:08:14.879 and let's make sure we have the nat 00:08:14.879 --> 00:08:17.599 translations on the cisco router so 00:08:17.599 --> 00:08:20.000 let's go ahead and try ping 00:08:20.000 --> 00:08:22.800 actually that's not 00:08:22.800 --> 00:08:26.160 let's ping and come back here and see 00:08:26.160 --> 00:08:30.240 if we have nat translations 00:08:32.719 --> 00:08:36.959 and we have some nat translations 00:08:38.959 --> 00:08:41.839 which is not our google ip addresses so 00:08:41.839 --> 00:08:43.200 let's clear up 00:08:43.200 --> 00:08:45.839 our ip nat translations 00:08:45.839 --> 00:08:47.839 dynamic i believe here 00:08:47.839 --> 00:08:50.720 no just just everything 00:08:50.720 --> 00:08:53.600 okay show ip nat translations 00:08:53.600 --> 00:08:55.600 we don't have new translations that 00:08:55.600 --> 00:08:58.080 means cisco router is not translating 00:08:58.080 --> 00:09:00.880 our traffic from private subnet into 00:09:00.880 --> 00:09:02.160 public ip 00:09:02.160 --> 00:09:04.320 and let's troubleshoot that we need to 00:09:04.320 --> 00:09:06.480 have the configuration for that right so 00:09:06.480 --> 00:09:08.240 let's let's go ahead and do this show 00:09:08.240 --> 00:09:10.959 run defensive gear three and does it 00:09:10.959 --> 00:09:14.080 have the nat configuration on the gearb3 00:09:14.080 --> 00:09:17.200 it does and it has nat ip nat inside 00:09:17.200 --> 00:09:18.720 that's great now 00:09:18.720 --> 00:09:20.720 inside interface is supposed to have ip 00:09:20.720 --> 00:09:23.519 nat inside the outside default though 00:09:23.519 --> 00:09:26.000 supposed to have ip nat outside let's 00:09:26.000 --> 00:09:28.480 check that 00:09:31.279 --> 00:09:33.360 oh outside interface doesn't have ip nat 00:09:33.360 -->
00:09:35.839 outside at all so let's go ahead and 00:09:35.839 --> 00:09:37.279 configure that 00:09:37.279 --> 00:09:39.360 ip nat outside 00:09:39.360 --> 00:09:40.959 and now 00:09:40.959 --> 00:09:44.560 we fixed nat well at least partially on 00:09:44.560 --> 00:09:46.880 the cisco router now we know that the 00:09:46.880 --> 00:09:48.640 inside interface and outside interface 00:09:48.640 --> 00:09:51.440 they both have nat configuration on them 00:09:51.440 --> 00:09:53.200 let's go ahead and check ip nat 00:09:53.200 --> 00:09:56.160 translation again 00:09:56.560 --> 00:09:59.519 all right we have some traffic here 00:09:59.519 --> 00:10:02.880 this is our ip address 00:10:02.880 --> 00:10:04.560 right right 00:10:04.560 --> 00:10:05.440 and 00:10:05.440 --> 00:10:07.680 this is what we are trying to ping 00:10:07.680 --> 00:10:09.600 and this is the icmp protocol and this 00:10:09.600 --> 00:10:13.040 is the ip address we are translated into 00:10:13.040 --> 00:10:15.360 so if we check this ip address on 00:10:15.360 --> 00:10:18.560 interface that's our ip address we know 00:10:18.560 --> 00:10:21.680 that cisco router translates the packet 00:10:21.680 --> 00:10:23.440 into public ip 00:10:23.440 --> 00:10:25.920 now what we need to do is we know 00:10:25.920 --> 00:10:28.079 traffic comes here on the router is 00:10:28.079 --> 00:10:30.000 translated and we need to make sure 00:10:30.000 --> 00:10:32.399 traffic can leave the interface now how 00:10:32.399 --> 00:10:33.760 do we check that 00:10:33.760 --> 00:10:34.640 well 00:10:34.640 --> 00:10:36.560 usually if you have the route and there 00:10:36.560 --> 00:10:38.399 is no restriction on the interface 00:10:38.399 --> 00:10:41.120 traffic leaves the interface so let's go 00:10:41.120 --> 00:10:43.680 ahead and check that do we have any 00:10:43.680 --> 00:10:45.360 access list 00:10:45.360 --> 00:10:46.560 we don't 00:10:46.560 --> 00:10:49.040 but do we want to put the access list to 00:10:49.040 -->
00:10:50.720 make sure traffic leaves the interface 00:10:50.720 --> 00:10:53.120 you know you can use probably packet 00:10:53.120 --> 00:10:54.959 capture if you know how to do that but 00:10:54.959 --> 00:10:57.760 if not what you can do is do a quick 00:10:57.760 --> 00:10:59.920 configuration show ip access list 00:10:59.920 --> 00:11:01.600 extended for example 00:11:01.600 --> 00:11:04.320 and match our traffic in our case 00:11:04.320 --> 00:11:07.839 let's say outside 00:11:07.839 --> 00:11:11.360 isp is going to be no i thought 00:11:11.360 --> 00:11:14.360 outside 00:11:15.120 --> 00:11:17.120 that's the access list name and permit 00:11:17.120 --> 00:11:20.079 our traffic what is our traffic ip host 00:11:20.079 --> 00:11:23.680 192.168.1.10 00:11:23.680 --> 00:11:24.959 into 00:11:24.959 --> 00:11:27.120 google dns 00:11:27.120 --> 00:11:30.560 and we want it to be icmp but ip will 00:11:30.560 --> 00:11:34.079 work for as well but let's do icmp only 00:11:34.079 --> 00:11:35.360 and 00:11:35.360 --> 00:11:36.160 now 00:11:36.160 --> 00:11:38.160 we want to assign this access list on 00:11:38.160 --> 00:11:40.880 the public interface but remember 00:11:40.880 --> 00:11:42.399 right now the interface doesn't have the 00:11:42.399 --> 00:11:44.160 access which means once you assign this 00:11:44.160 --> 00:11:46.399 access list you'll permit only the 00:11:46.399 --> 00:11:48.320 things you have in the access list and 00:11:48.320 --> 00:11:51.040 in our case that's only icmp packet 00:11:51.040 --> 00:11:52.480 coming from our computer going to the 00:11:52.480 --> 00:11:55.120 google but for the rest of the users 00:11:55.120 --> 00:11:57.279 we're gonna break the internet well if 00:11:57.279 --> 00:11:59.839 they have already so what we want to do 00:11:59.839 --> 00:12:02.480 is to add permit any any at the end of 00:12:02.480 --> 00:12:05.279 the access list 00:12:05.680 --> 00:12:07.839 which means if we assign this access 00:12:07.839 -->
00:12:10.399 list on the outbound interface 00:12:10.399 --> 00:12:12.639 for the outbound traffic 00:12:12.639 --> 00:12:14.959 we'll get the match here 00:12:14.959 --> 00:12:17.040 and hit count will increase if the 00:12:17.040 --> 00:12:19.519 packet leaves the router and for the 00:12:19.519 --> 00:12:21.279 rest of the traffic to not block them 00:12:21.279 --> 00:12:23.440 here's the permit ip any any so let's 00:12:23.440 --> 00:12:26.480 go ahead and do in gigabit ethernet 00:12:26.480 --> 00:12:27.519 one 00:12:27.519 --> 00:12:29.440 ip access group 00:12:29.440 --> 00:12:32.240 outside outbound and 00:12:32.240 --> 00:12:35.680 outbound packets so we want to do out 00:12:35.680 --> 00:12:36.639 and 00:12:36.639 --> 00:12:39.360 now now you see there is a match 00:12:39.360 --> 00:12:41.360 on ip any any 00:12:41.360 --> 00:12:43.600 probably some kind of you know uh 00:12:43.600 --> 00:12:44.880 different traffic coming from the 00:12:44.880 --> 00:12:46.399 computer checking the updates or 00:12:46.399 --> 00:12:47.920 something like that but our traffic 00:12:47.920 --> 00:12:49.760 doesn't have the match let's generate 00:12:49.760 --> 00:12:52.639 the traffic on the computer 00:12:52.639 --> 00:12:54.639 this is our traffic 00:12:54.639 --> 00:12:56.959 one 00:12:57.120 --> 00:12:59.440 two 00:13:00.880 --> 00:13:01.920 okay 00:13:01.920 --> 00:13:04.240 and now let's check if we have the match 00:13:04.240 --> 00:13:07.680 on the access list 00:13:07.680 --> 00:13:10.320 we don't 00:13:10.800 --> 00:13:12.560 but that's weird 00:13:12.560 --> 00:13:15.519 isn't our ip address 00:13:15.519 --> 00:13:19.279 oh oh i'm sorry guys 00:13:19.279 --> 00:13:22.399 this ridiculous remember we translated 00:13:22.399 --> 00:13:25.200 traffic into public ip so there's no way 00:13:25.200 --> 00:13:28.480 to match the 192.168.1.10 00:13:28.480 --> 00:13:30.480 on the egress interface so if we want 00:13:30.480 --> 00:13:32.639 to do something else 00:13:32.639
--> 00:13:37.440 let's go ahead and you know fix that 00:13:38.880 --> 00:13:40.399 we want to remove 00:13:40.399 --> 00:13:44.639 line 10 and add the new new line ip 00:13:44.639 --> 00:13:46.240 icmp 00:13:46.240 --> 00:13:47.279 host 00:13:47.279 --> 00:13:49.360 what's the our public ip address of the 00:13:49.360 --> 00:13:53.040 router it is 100 00:13:53.040 --> 00:13:55.519 dot 100 i believe this is the ip 00:13:55.519 --> 00:13:56.800 address 00:13:56.800 --> 00:14:01.720 and then we are going to ping google dns 00:14:02.000 --> 00:14:05.760 here's the access list now 00:14:06.800 --> 00:14:10.000 now we need to 00:14:10.480 --> 00:14:13.440 renumber this because it's incorrectly 00:14:13.440 --> 00:14:15.600 we want to have permit any at the end so 00:14:15.600 --> 00:14:20.399 remove 20 permit any any 00:14:20.959 --> 00:14:23.839 and now it's correct okay now let's ping 00:14:23.839 --> 00:14:25.199 and let's see 00:14:25.199 --> 00:14:27.040 if packet leaves the 00:14:27.040 --> 00:14:30.040 router 00:14:36.560 --> 00:14:39.839 we still don't have the match 00:14:39.839 --> 00:14:42.399 on the interface okay here's the match i 00:14:42.399 --> 00:14:44.720 was like what's going on 00:14:44.720 --> 00:14:46.560 so we have match 00:14:46.560 --> 00:14:49.199 and that confirms two things 00:14:49.199 --> 00:14:51.279 not two actually several 00:14:51.279 --> 00:14:53.199 we have the working gateway for the 00:14:53.199 --> 00:14:55.680 cisco router so traffic can leave the 00:14:55.680 --> 00:14:56.800 interface 00:14:56.800 --> 00:14:59.279 now because the match is for the public 00:14:59.279 --> 00:15:01.600 ip address we also know that the traffic 00:15:01.600 --> 00:15:03.600 is being translated so even if you 00:15:03.600 --> 00:15:05.600 didn't check the ip nat translation this 00:15:05.600 --> 00:15:07.600 confirms that there was a translation 00:15:07.600 --> 00:15:09.760 and the private ip address is translated into 00:15:09.760 --> 00:15:13.199 public
ip address and the third 00:15:13.199 --> 00:15:15.120 packet leaves the router 00:15:15.120 --> 00:15:16.079 okay 00:15:16.079 --> 00:15:16.880 now 00:15:16.880 --> 00:15:19.199 that's good it leaves the router is it 00:15:19.199 --> 00:15:20.639 coming back 00:15:20.639 --> 00:15:21.680 no 00:15:21.680 --> 00:15:24.880 it might be coming back or it it's my 00:15:24.880 --> 00:15:27.680 not coming back depends on the problems 00:15:27.680 --> 00:15:29.040 on the internet 00:15:29.040 --> 00:15:30.720 so since this video about the 00:15:30.720 --> 00:15:32.399 troubleshooting let's make sure the 00:15:32.399 --> 00:15:34.399 traffic is coming back 00:15:34.399 --> 00:15:36.880 and for that we again can capture the 00:15:36.880 --> 00:15:38.959 traffic or we can assign the similar 00:15:38.959 --> 00:15:43.120 access list on the inbound traffic 00:15:44.959 --> 00:15:48.480 extended and that would be outside 00:15:48.480 --> 00:15:50.240 inbound 00:15:50.240 --> 00:15:53.120 and now what do we want to match here 00:15:53.120 --> 00:15:55.600 we want to match google dns as a source 00:15:55.600 --> 00:15:57.199 because remember 00:15:57.199 --> 00:15:59.680 answer is coming from google now 00:15:59.680 --> 00:16:01.920 and we want to do 00:16:01.920 --> 00:16:04.639 destination is going to be our ip 00:16:04.639 --> 00:16:07.120 address on the public interface on the 00:16:07.120 --> 00:16:08.959 outside interface 00:16:08.959 --> 00:16:10.880 and the protocol is icmp 00:16:10.880 --> 00:16:12.320 also you can use 00:16:12.320 --> 00:16:14.800 echo reply if you want 00:16:14.800 --> 00:16:17.120 not necessary for this purpose but you 00:16:17.120 --> 00:16:19.279 can because 00:16:19.279 --> 00:16:22.399 like if you are troubleshooting with 00:16:22.399 --> 00:16:24.800 someone else on the other side and they 00:16:24.800 --> 00:16:26.959 are pinging your ip address as well you 00:16:26.959 --> 00:16:28.880 might want to add echo reply to make 00:16:28.880 --> 00:16:31.360
sure this is your reply not their ping 00:16:31.360 --> 00:16:33.759 but google is not going to ping us so 00:16:33.759 --> 00:16:35.519 it's okay to not 00:16:35.519 --> 00:16:38.720 put the echo reply any any icmp we match 00:16:38.720 --> 00:16:40.959 here we know it's our reply from google 00:16:40.959 --> 00:16:42.160 dns 00:16:42.160 --> 00:16:44.639 and now let's permit any any because we 00:16:44.639 --> 00:16:46.560 don't want to block any other traffic on 00:16:46.560 --> 00:16:48.560 the interface because right now there is 00:16:48.560 --> 00:16:50.480 no access to the game there is no access 00:16:50.480 --> 00:16:52.720 list and if we assign the access list 00:16:52.720 --> 00:16:55.040 we'll block everything that is not 00:16:55.040 --> 00:16:57.279 permitted on the access list 00:16:57.279 --> 00:16:59.920 so let's go ahead and configure the 00:16:59.920 --> 00:17:02.240 internet gigabyte 00:17:02.240 --> 00:17:04.480 gigabit ethernet one 00:17:04.480 --> 00:17:08.799 ip access list not access access group 00:17:08.799 --> 00:17:09.919 and 00:17:09.919 --> 00:17:12.000 here we use inbound 00:17:12.000 --> 00:17:13.600 okay in 00:17:13.600 --> 00:17:15.360 now 00:17:15.360 --> 00:17:18.000 let's check what match do we have on the 00:17:18.000 --> 00:17:21.600 interface for inbound traffic 00:17:21.600 --> 00:17:25.520 is there any reply from google 00:17:30.720 --> 00:17:32.960 and there is reply 00:17:32.960 --> 00:17:35.600 so we know now that the traffic not only 00:17:35.600 --> 00:17:37.760 leaves the router but it's also coming 00:17:37.760 --> 00:17:40.160 back from google so internet in between 00:17:40.160 --> 00:17:43.440 google dns and our isp is okay we 00:17:43.440 --> 00:17:45.440 receive the traffic but 00:17:45.440 --> 00:17:47.760 computers still cannot ping that 00:17:47.760 --> 00:17:49.200 how come 00:17:49.200 --> 00:17:51.919 we need the ping on the computer 00:17:51.919 --> 00:17:54.160 so what else are left 00:17:54.160 -->
00:17:56.720 when traffic comes back 00:17:56.720 --> 00:17:58.000 to the router 00:17:58.000 --> 00:18:01.840 let me try to draw it here 00:18:07.679 --> 00:18:09.039 where traffic 00:18:09.039 --> 00:18:11.919 lives okay we we have this traffic it 00:18:11.919 --> 00:18:14.480 left the router 00:18:14.480 --> 00:18:17.840 went to isp not isp google dns 00:18:17.840 --> 00:18:20.000 and coming back and it comes here we 00:18:20.000 --> 00:18:23.360 have this match on this interface now 00:18:23.360 --> 00:18:25.679 what's supposed to happen well nat will 00:18:25.679 --> 00:18:28.080 catch the traffic will check the port 00:18:28.080 --> 00:18:30.160 translations and we'll figure out okay 00:18:30.160 --> 00:18:32.320 that's the returning traffic for this 00:18:32.320 --> 00:18:33.760 ping this guy is pinging from the 00:18:33.760 --> 00:18:37.120 windows 7 machine and now this packet 00:18:37.120 --> 00:18:38.400 sorry 00:18:38.400 --> 00:18:40.320 now this packet's supposed to leave this 00:18:40.320 --> 00:18:42.400 interface 00:18:42.400 --> 00:18:44.000 okay to 00:18:44.000 --> 00:18:45.760 to be delivered to the 00:18:45.760 --> 00:18:48.080 computer and let's make sure that is 00:18:48.080 --> 00:18:49.679 happening 00:18:49.679 --> 00:18:51.200 for that 00:18:51.200 --> 00:18:54.320 what we are going to do is 00:18:54.320 --> 00:18:57.559 we are 00:18:58.559 --> 00:19:00.400 for that we are going to check if the 00:19:00.400 --> 00:19:03.200 traffic leaves the cisco router 00:19:03.200 --> 00:19:05.600 again this is the same as we did on the 00:19:05.600 --> 00:19:07.200 outside interface you can capture 00:19:07.200 --> 00:19:08.880 traffic if you know how to capture if 00:19:08.880 --> 00:19:11.360 not you can assign the interface on the 00:19:11.360 --> 00:19:13.440 address let's first make sure there is 00:19:13.440 --> 00:19:17.200 no access list on the router 00:19:19.039 --> 00:19:22.400 and let's do out 00:19:22.400 --> 00:19:25.360 there is an
access list okay 00:19:25.360 --> 00:19:27.520 now let's check what this access list 00:19:27.520 --> 00:19:30.080 has in it 00:19:30.799 --> 00:19:33.520 does it have any match 00:19:33.520 --> 00:19:36.799 and it doesn't but look at this 00:19:36.799 --> 00:19:39.280 this subnet is not what we are expecting 00:19:39.280 --> 00:19:43.280 to have because remember our subnet is 00:19:43.280 --> 00:19:44.520 192 00:19:44.520 --> 00:19:46.080 161.10 00:19:46.080 --> 00:19:49.200 and here we see two so again the subnet 00:19:49.200 --> 00:19:51.120 on the access list is wrong 00:19:51.120 --> 00:19:55.160 let's try and fix that 00:20:06.559 --> 00:20:08.640 now it's correct 00:20:08.640 --> 00:20:09.520 so 00:20:09.520 --> 00:20:12.080 remember the traffic leaves the router 00:20:12.080 --> 00:20:15.520 so the source here is going to be any in 00:20:15.520 --> 00:20:17.600 our case it's google dns and destination 00:20:17.600 --> 00:20:20.400 is our computer so the access list order 00:20:20.400 --> 00:20:23.360 like from any to subnet is correct 00:20:23.360 --> 00:20:28.080 and let's see if we can finally ping it 00:20:29.200 --> 00:20:31.280 we still cannot ping it 00:20:31.280 --> 00:20:32.320 wow 00:20:32.320 --> 00:20:34.400 let's see what's going on 00:20:34.400 --> 00:20:37.679 is it leaving the interface 00:20:41.440 --> 00:20:42.960 it is actually 00:20:42.960 --> 00:20:44.159 it's my bad 00:20:44.159 --> 00:20:45.200 i did 00:20:45.200 --> 00:20:46.799 two again 00:20:46.799 --> 00:20:49.919 okay this is wrong 00:20:49.919 --> 00:20:52.159 ah 00:20:52.799 --> 00:20:56.320 this is what happened when you rush 00:20:57.360 --> 00:20:59.520 and 00:20:59.520 --> 00:21:02.000 actually turn 00:21:02.000 --> 00:21:03.760 and 00:21:03.760 --> 00:21:05.760 then we need to do 00:21:05.760 --> 00:21:06.799 one 00:21:06.799 --> 00:21:09.520 yeah once you remove the all lines from 00:21:09.520 --> 00:21:11.120 the access list that actually doesn't work 00:21:11.120 --> 00:21:13.200
anymore so there's no deny any at the 00:21:13.200 --> 00:21:16.080 end if there's no any line in the access list 00:21:16.080 --> 00:21:16.960 so 00:21:16.960 --> 00:21:19.360 as soon as we removed 10 we start 00:21:19.360 --> 00:21:21.679 pinging it and now and then we added 00:21:21.679 --> 00:21:23.760 correct line here 00:21:23.760 --> 00:21:26.960 and we can still ping it 00:21:26.960 --> 00:21:29.120 and we have hit counts 00:21:29.120 --> 00:21:32.080 so this is how you troubleshoot simple 00:21:32.080 --> 00:21:33.840 basic cisco network 00:21:33.840 --> 00:21:35.679 not only cisco network pretty much any 00:21:35.679 --> 00:21:38.000 network you need to know what you're 00:21:38.000 --> 00:21:39.520 troubleshooting you need to know how 00:21:39.520 --> 00:21:41.039 traffic goes 00:21:41.039 --> 00:21:42.559 what gateway are you supposed to have on 00:21:42.559 --> 00:21:44.400 the computer you need to know all the 00:21:44.400 --> 00:21:46.559 things to troubleshoot and 00:21:46.559 --> 00:21:49.039 after some several months or years you 00:21:49.039 --> 00:21:50.880 have the enough experience to skip some 00:21:50.880 --> 00:21:52.559 of the steps for example you might know 00:21:52.559 --> 00:21:54.400 the gateway 00:21:54.400 --> 00:21:56.880 on the router is correct because you 00:21:56.880 --> 00:21:58.880 connected to the router remotely and 00:21:58.880 --> 00:22:01.039 from the internet so the router most 00:22:01.039 --> 00:22:03.520 likely has the default gateway or you 00:22:03.520 --> 00:22:05.039 might know that the 00:22:05.039 --> 00:22:07.520 the access is not supposed to be checked 00:22:07.520 --> 00:22:09.280 on the inside device because user told 00:22:09.280 --> 00:22:11.760 you that they can ping the ip address of 00:22:11.760 --> 00:22:14.400 the gateway 00:22:14.400 --> 00:22:17.120 so many many things can be skipped based 00:22:17.120 --> 00:22:19.360 on your experience but this is from 00:22:19.360 --> 00:22:21.760 starting to the end
you check from the 00:22:21.760 --> 00:22:24.159 beginning where you have the problem you 00:22:24.159 --> 00:22:26.559 don't check at the end if the cisco has 00:22:26.559 --> 00:22:28.400 the internet first you make sure you 00:22:28.400 --> 00:22:31.840 have everything you need to leave the uh 00:22:31.840 --> 00:22:34.640 area to leave the subnet now let's see 00:22:34.640 --> 00:22:37.600 if you can ping google the google 00:22:37.600 --> 00:22:38.880 website 00:22:38.880 --> 00:22:40.960 directly using dns 00:22:40.960 --> 00:22:43.360 and we can ping so if i go 00:22:43.360 --> 00:22:45.919 on the browser here i'll try to open the 00:22:45.919 --> 00:22:47.760 google website 00:22:47.760 --> 00:22:51.200 i should be able to open it 00:22:52.000 --> 00:22:53.440 and sure enough 00:22:53.440 --> 00:22:56.080 i can open it and it works 00:22:56.080 --> 00:22:57.840 perfect 00:22:57.840 --> 00:23:00.480 i hope this was useful for you guys and 00:23:00.480 --> 00:23:02.400 at some point you'll use it 00:23:02.400 --> 00:23:03.520 that's it 00:23:03.520 --> 00:23:05.600 so guys if you like this videos please 00:23:05.600 --> 00:23:07.760 like the video and hit the subscribe 00:23:07.760 --> 00:23:09.840 button if you want to see more videos 00:23:09.840 --> 00:23:12.320 like this also i'm looking for an ideas 00:23:12.320 --> 00:23:14.080 what kind of videos to create so if you 00:23:14.080 --> 00:23:16.000 have any idea and you're looking for 00:23:16.000 --> 00:23:18.559 some kind of configuration on the cisco 00:23:18.559 --> 00:23:19.520 or 00:23:19.520 --> 00:23:21.360 similar network you can put in the 00:23:21.360 --> 00:23:23.120 comments what do you want to see in the 00:23:23.120 --> 00:23:25.280 next video thanks for watching and have 00:23:25.280 --> 00:23:28.520 a good one 00:23:36.240 --> 00:23:38.320 you