Hello, guys. Welcome back. My name is David, and today we are going to troubleshoot the Symposium Cisco network. So what I mean is I have one computer and one router. This router was configured to pass the traffic, to translate this traffic into a public IP so the computer can surf the Internet. Now, what I did, I broke the configuration in several places, and we are going to start from the beginning to the end. We'll find all the problems and try to fix them. Stay with me.

Okay. Let's start. This is my computer. This computer is supposed to have the IP address and DNS IP address, right? And the gateway, of course. Then traffic comes here on the Cisco router, and then from the router, it goes to the Internet. But here, we need to do NAT, right? Network Address Translation. So let's start and find all the problems I caused in the configuration.

So, in order for the traffic to leave the computer, the computer is supposed to have the IP address. Let's make sure the computer has the IP address. And when we say, "Let's make sure the computer has the IP address," let's test the actual status of the IP address, not the configuration.
And what I mean by that is you can go into a configuration and make sure the configuration is there by clicking this button, but that's not the way I want you to test it. I want to test the actual status of the configuration. That means you can either click here, "Details," or in the CLI. Now, what's the difference, you might say? The difference is that sometimes, when you configure the IP address, Windows is not taking this IP address for some reason. There can be many, many reasons, but the configuration doesn't always work. So when you check the configuration on the IP address, it's not necessarily the case that the computer is using that IP address. So what we're going to do, we want to check the actual status of this configuration.

Okay. So let's see what we have. We have the IP address here, as you can see, and we have the gateway. So we know the IP address is there, and probably the IP address works. We can ping the IP address itself, and yes, well, the IP stack, the TCP/IP stack, works on the computer. That's good. So now let's test the gateway and make sure the gateway works. Here's the gateway, and we want to ping that gateway to make sure the gateway is on the network.
Now, you might already see that the gateway is .1 on the topology, so the gateway is wrong, but let's try and ping it. Ping 192.168.1.254, and the gateway is not pingable. And how do--let's say we don't know if the gateway is correct or not, or we know the gateway is correct, but we are not sure why we can't ping it. Ping could be closed. Nobody closed ICMP on the gateway, but let's say it's closed. You want to make sure the gateway is on the network, and for that, we can check the ARP. Let's go ahead on the Windows machine and type arp -a, and this will show you the ARP cache and, you know, the IP address mapped to the MAC address. So let's see if we have 254 here in the ARP cache--and we don't have it. But we have .1, and let's try and ping it--.1.

It's not pingable. That's weird. But, well, at least we know it's .1, but let's go ahead and change that one. You know what? We have the Cisco router, and we have the interface G3--Gigabit Ethernet 3--and let's see what's the IP address on the interface. Show run--not sure--show interface G3--address. And as you can see, this is the IP address of the Cisco router.
So yes, the computer is supposed to have .1 as a gateway, not 254. So let's go ahead and fix that on the computer. We are one step closer to fixing the problem. And let's do .1.

Now remember, .1 wasn't pingable from the computer, and we want to find out why we cannot ping it. Should it be pingable? Should it not? Let's go ahead and check if there's any access list on the Cisco router on the inside interface. Show run inside interface Gigabit 3/3, and | include for the inbound. And sure, there is an access list. Let's check what's inside.

Okay, we have permit ip 192.168.3. Okay. And /24. So the access list is not permitting our traffic coming from the computer because, remember, our IP address or subnet on the computer is 192.168.1.--not 3, but 1--on the third octet. And the access list on the Cisco router is not having this .1. So let's go ahead and fix that. We need to go into the access list--extended--inside inbound. And, you know, we know for sure that there is not supposed to be the 3 network on this LAN, right? So it's okay to remove this IP address and fix that. No 20, and then permit ip 192.168.1.0 0.0.0.255 any. Okay.
Now it looks great. Let's see if we can ping the router. Okay. We can ping the router. Great. Now let's check--do we have the Internet? And no, we don't. Okay. Let's see what else we are missing here. Do we have the route? No. Actually, let's make sure the Cisco router has the Internet. Ping 8.8.8.8. Cisco router doesn't have the Internet. Let's fix that.

So what do you need on the router to have the Internet? You need the IP address, you need the next hop, which is that .1, and you need a connection between ISP and the router. Let's check what is the interface on the Gigabit1, and what is the IP address here? Okay, that's great. Now, what's the gateway? Show ip route. And our gateway is .3. But remember, our ISP has .1, not .3. So let's go ahead and fix that too. Here's my route, which I need to remove and add the new one. Now remember, if you just add the route, you'll have two routes. It's not going to replace--even though it has the same destination. It's not going to replace. So you want to remove the old route and add the new one. Okay. Now we have the route in the routing table--proper route.
Now let's see if we can ping Google. Ping Google from the Cisco router. Okay. Cisco router has the Internet. Now let's come back to the computer and see if the computer also has the Internet. Well, no. Computer doesn't have the Internet. Okay.

Let's think. What do we need to do? What do we need to have on the Cisco router to allow Internet access from the computer so the computer can surf Internet sites--websites? Okay? So first, the computer has the private IP address. You see? And the Cisco router external interface is the public IP address. So we want to translate our private IP subnet into a public IP address of the router. And for that, we need to do the NAT. And let's make sure we have the NAT translations on the Cisco router. So let's go ahead and try to ping--actually, it does not--let's ping and come back here and see if we have NAT translations. And we have some NAT translations, which are not our Google IP addresses. So let's clear up: clear ip nat translation * dynamic I believe here. No. Just everything. Okay. Show ip nat translations. We don't have new translations.
That means the Cisco router is not translating our traffic from the private subnet into the public IP. And let's troubleshoot that. We need to have the configuration for that, right? So let's go ahead and do this: show run interface Gigabit3. And does it have the NAT configuration on the Gigabit3? It does. And it has no IP NAT inside. That's great. Now, the inside interface is supposed to have IP NAT inside. The outside interface, though, is supposed to have IP NAT outside. Let's check that.

Oh, the outside interface doesn't have IP NAT outside at all. So let's go ahead and configure that--IP NAT outside. And now we've fixed NAT, well, at least partially, on the Cisco router. Now we know that the inside interface and outside interface--they both have NAT configuration on them. Let's go ahead and check IP NAT translation again. Alright. We have some traffic here. This is our IP address, right? Right? And this is what we are trying to ping. And this is the ICMP protocol, and this is the IP address we are translated into. So if we check this IP address on the interface, that's our IP address. We know that the Cisco router translates the packet into a public IP.
Now what we need to do is--we know traffic comes here on the router, it's translated, and we need to make sure traffic can leave the interface. Now, how do we check that? Well, usually, if you have the route and there is no restriction on the interface, traffic leaves the interface. So let's go ahead and check that. Do we have any access list? We don't. But do we want to put the access list to make sure traffic leaves the interface? You know, you can use, probably, packet capture--if you know how to do that. But if not, what you can do is do a quick configuration--show IP access list extended, for example, and match our traffic. In our case, let's say outside ISP is going to be--no--untold. Outside outbound--that's the access list name. And permit our traffic. What is our traffic? IP host 192.168.0.10.1 into Google DNS. And we want it to be ICMP--but IP will work as well--but let's do ICMP only.

And now we want to assign this access list on the public interface. But remember, right now the interface doesn't have the access, which means once you assign this access list, you'll permit only the things you have in the access list.
And in our case, that's only the ICMP packet coming from our computer going to Google. But for the rest of the users, we're going to break the Internet--well, if they have it already. So what we want to do is add permit any any at the end of the access list, which means if we assign this access list on the outbound interface for the outbound traffic, we'll get the match here, and hit count will increase if the packet leaves the router. And for the rest of the traffic--to not block them--here's the permit ip any any. So let's go ahead and do: interface GigabitEthernet1, ip access-group outside-outbound out.

And now--now you see there's a match on IP and ENA--probably some kind of, you know, different traffic coming from the computer, checking the updates or something like that. Our traffic doesn't have the match. Let's generate the traffic on the computer. This is our traffic. One, two. Okay. And now let's check if we have the match on the access list. We don't. That's weird. Isn't our IP address--oh, oh, I'm sorry. Guys, this is ridiculous.
Remember, we translated traffic into a public IP, so there's no way to match the 192.168.1.10 on the egress interface. So we want to do something else. Let's go ahead and, you know, fix that. We want to remove line 10 and add the new--new line: ip access-list extended ..., permit icmp host [our public IP address] host 8.8.8.8. What's the public IP address of the router? It is 100.100, I believe. This is the IP address. And then we are going to ping Google DNS. Here's the access list. Now--now we need to renumber this because it's incorrect. We want to have permit any any at the end. So: remove 20, permit ip any any. And now it's correct.

Okay. Now let's ping and see if the packet leaves the router. We still don't have the match on the interface. Okay. Here's the match. I was like, what's going on? So we have a match, and that confirms two things--not two, actually several: We have the working gateway for the Cisco router, so traffic can leave the interface.
Because the match is for the public IP address, we also know that the traffic is being translated--so even if you didn't check the IP NAT translation, this confirms that there was a translation and the private IP address is translated into a public IP address. And third, the packet leaves the router.

Okay, now that's good--it leaves the router. But is it coming back? No. It might be coming back, or it might not be coming back--depends on the problems on the Internet. So since this video is about troubleshooting, let's make sure the traffic is coming back. And for that, we again can capture the traffic, or we can assign a similar access list on the inbound traffic. Extended--and that would be outside-inbound. And now what do we want to match here? We want to match Google DNS as a source because, remember, the answer is coming from Google now. And we want to set the destination to be our IP address on the public interface--on the outside interface. And the protocol is ICMP. Also, you can use echo-reply if you want--not necessary for this purpose, but you can.
Like, if you are troubleshooting with someone else on the other side and they are pinging your IP address as well, you might want to add echo-reply to make sure this is your reply and not their ping. But Google is not going to ping us, so it's okay to not put the echo-reply. Any ICMP we match here--we know it's our reply from Google DNS. And now let's permit ip any any because we don't want to block any other traffic on the interface. Because right now there's no access--again, there's no access list--and if we assign the access list, we'll block everything that is not permitted on the access list. So let's go ahead and configure the Ethernet--GigabitEthernet1: ip access-group [access list name] and here we use inbound. Okay. In.

Now let's check what match we have on the interface for inbound traffic. Is there any reply from Google? And there is a reply. So we know now that the traffic not only leaves the router, but it's also coming back from Google. So the Internet in between--Google DNS and our ISP--is okay. We received the traffic, but the computer still cannot ping that. How come? We need the ping on the computer. So what else is left?
When traffic comes back to the router--let me try to draw it here. When traffic leaves, okay, we have this traffic. It left the router, went to the ISP--not ISP, Google DNS--and came back. And it comes here. We have this match on this interface. Now what's supposed to happen? Well, NAT will catch the traffic, will check the port translations, and will figure out--okay, that's the returning traffic for this ping. The guy's pinging from the Windows 7 machine. And now this packet--sorry--now this packet is supposed to leave this interface, okay, to be delivered to the computer. And let's make sure that is happening.

For that, what we are going to do is... we are--for that, we are going to check if the traffic leaves the Cisco router. Again, this is the same as we did on the outside interface. You can capture traffic if you know how to capture. If not, you can assign the interface on the address. Let's first make sure there is no access list on the router. And let's do out. There is an access list. Okay. Now, let's check what this access list has in it. Does it have any match? It doesn't.
But look at this--this subnet is not what we are expecting to have because, remember, our subnet is 192.168.0.1, and here we see 2. So again, the subnet on the access list is wrong. Let's try and fix that. Now it's correct. So remember, the traffic leaves the router. So the source here is gonna be any--in our case, it's Google DNS--and the destination is our computer. So the access list order, like from any to subnet, is correct. And let's see if we can finally ping it.

We still cannot ping it. Wow. Let's see what's going on. Is it leaving the interface? It is--actually, my bad. I did 2 again. Okay, this is wrong. This is what happens when you rush. And actually--10. And then we need to do 1. Yeah. Once you remove all lines from the access list, that access list doesn't work anymore. So there's no deny any any at the end if there's no line in the access list. So as soon as we removed 10, we started pinging. And then we added the correct line here, and we can still ping it. And we have hit counts.

So this is how you troubleshoot a simple, basic Cisco network. Not only Cisco networks--pretty much any network.
You need to know what you're troubleshooting. You need to know how traffic goes, what gateway you're supposed to have on the computer. You need to know all the things to troubleshoot, and after several months or years, you'll have enough experience to skip some of the steps. For example, you might know the gateway on the router is correct because you connected to the router remotely and from the Internet, so the router most likely has the default gateway. Or you might know that the access list is not supposed to be checked on the inside device because the user told you that they can ping the IP address of the gateway. So many, many things can be skipped based on your experience. But this is from starting to the end. You check from the beginning where you have the problem. You don't check at the end if the Cisco has the Internet. First, you make sure you have everything you need to leave the area--to leave the subnet.

Now, let's see if we can ping Google--the actual Google website--directly using DNS. And we can ping. So if I go on a browser here, it'll try to open the Google website. I should be able to open it. And sure enough, I can open it. And it works. Perfect.
I hope this was useful for you guys, and at some point, you'll use it. That's it. So guys, if you like these videos, please like the video and hit the subscribe button if you want to see more videos like this. Also, I'm looking for ideas on what kind of videos to create. So if you have any idea and you're looking for some kind of configuration on the Cisco or similar network, you can put in the comments what you want to see in the next video. Thanks for watching, and have a good one.