Hello, guys. Welcome back. My name is David, and today we are going to troubleshoot a simple Cisco network. So what I mean is I have one computer and one router. This router was configured to pass the traffic, to translate this traffic into a public IP so the computer can surf the Internet. Now, what I did, I broke the configuration in several places, and we are going to start from the beginning to the end. We'll find all the problems and try to fix them. Stay with me.

Okay. Let's start. This is my computer. This computer is supposed to have the IP address and DNS IP address, right? And the gateway, of course. Then traffic comes here on the Cisco router, and then from the router, it goes to the Internet. But here, we need to do NAT, right? Network Address Translation. So let's start and find all the problems I caused in the configuration. So, in order for the traffic to leave the computer, the computer is supposed to have the IP address. Let's make sure the computer has the IP address.
And when we say, “Let’s make sure the computer has the IP address,” let's test the actual status of the IP address, not the configuration. And what I mean by that is you can go into a configuration and make sure the configuration is there by clicking this button, but that's not the way I want you to test it. I want to test the actual status of the configuration. That means you can either click here, “Details,” or in the CLI. Now, what's the difference, you might say? The difference is that sometimes, when you configure the IP address, Windows is not taking this IP address for some reason. There can be many, many reasons, but the configuration doesn't always work. So when you check the configuration on the IP address, it's not necessarily the case that the computer is using that IP address. So what we're going to do, we want to check the actual status of this configuration. Okay. So let's see what we have. We have the IP address here, as you can see, and we have the gateway.
So we know the IP address is there, and probably the IP address works. We can ping the IP address itself, and yes, well, the IP stack, the TCP/IP stack, works on the computer. That's good. So now let's test the gateway and make sure the gateway works. Here's the gateway, and we want to ping that gateway to make sure the gateway is on the network. Now, you might already see that the gateway is .1 on the topology, so the gateway is wrong, but let's try and ping it. Ping 192.168.1.254, and the gateway is not pingable. And how do--let's say we don't know if the gateway is correct or not, or we know the gateway is correct, but we are not sure why we can't ping it. Ping could be closed. Nobody closed ICMP on the gateway, but let's say it's closed. You want to make sure the gateway is on the network, and for that, we can check the ARP. Let's go ahead on the Windows machine and type arp -a, and this will show you the ARP cache and, you know, the IP address mapped to the MAC address. So let's see if we have 254 here in the ARP cache--and we don't have it.
But we have .1, and let's try and ping it--.1. It's not pingable. That's weird. But, well, at least we know it's .1, but let's go ahead and change that one. You know what? We have the Cisco router, and we have the interface G3--Gigabit Ethernet 3--and let's see what's the IP address on the interface. Show run--not sure--show interface G3--address. And as you can see, this is the IP address of the Cisco router. So yes, the computer is supposed to have .1 as a gateway, not 254. So let's go ahead and fix that on the computer. We are one step closer to fixing the problem. And let's do .1. Now remember, .1 wasn't pingable from the computer, and we want to find out why we cannot ping it. Should it be pingable? Should it not? Let's go ahead and check if there's any access list on the Cisco router on the inside interface. Show run inside interface Gigabit 3/3, and | include for the inbound. And sure, there is an access list. Let's check what's inside. Okay, we have permit ip 192.168.3.
Okay. And /24. So the access list is not permitting our traffic coming from the computer because, remember, our IP address or subnet on the computer is 192.168.1.--not 3, but 1--on the third octet. And the access list on the Cisco router doesn't have this .1. So let's go ahead and fix that. We need to go into the access list--extended--inside inbound. And, you know, we know for sure that there is not supposed to be the 3 network on this LAN, right? So it's okay to remove this IP address and fix that. no 20, and then permit ip 192.168.1.0 0.0.0.255 any. Okay. Now it looks great. Let's see if we can ping the router. Okay. We can ping the router. Great. Now let's check--do we have the Internet? And no, we don't. Okay. Let's see what else we are missing here. Do we have the route? No. Actually, let's make sure the Cisco router has the Internet. Ping 8.8.8.8. Cisco router doesn't have the Internet. Let's fix that.
So what do you need on the router to have the Internet? You need the IP address, you need the next hop, which is that .1, and you need a connection between ISP and the router. Let's check what is the interface on the Gigabit1, and what is the IP address here? Okay, that's great. Now, what's the gateway? Show ip route. And our gateway is .3. But remember, our ISP has .1, not .3. So let's go ahead and fix that too. Here's my route, which I need to remove and add the new one. Now remember, if you just add the route, you'll have two routes. It's not going to replace--even though it has the same destination. It's not going to replace. So you want to remove the old route and add the new one. Okay. Now we have the route in the routing table--proper route. Now let's see if we can ping Google. Ping Google from the Cisco router. Okay. Cisco router has the Internet. Now let's come back to the computer and see if the computer also has the Internet.
Well, no. Computer doesn't have the Internet. Okay. Let's think. What do we need to do? What do we need to have on the Cisco router to allow Internet access from the computer so the computer can surf Internet sites--websites? Okay? So first, the computer has the private IP address. You see? And the Cisco router external interface is the public IP address. So we want to translate our private IP subnet into a public IP address of the router. And for that, we need to do the NAT. And let's make sure we have the NAT translations on the Cisco router. So let's go ahead and try to ping--actually, it does not--let's ping and come back here and see if we have NAT translations. And we have some NAT translations, which are not our Google IP addresses. So let's clear up: clear ip nat translation * dynamic, I believe, here. No. Just everything. Okay. Show ip nat translations. We don't have new translations. That means the Cisco router is not translating our traffic from the private subnet into the public IP.
And let's troubleshoot that. We need to have the configuration for that, right? So let's go ahead and do this: show run interface Gigabit3. And does it have the NAT configuration on the Gigabit3? It does. And it has no IP NAT inside. That's great. Now, the inside interface is supposed to have IP NAT inside. The outside interface, though, is supposed to have IP NAT outside. Let's check that. Oh, the outside interface doesn't have IP NAT outside at all. So let's go ahead and configure that--IP NAT outside. And now we've fixed NAT, well, at least partially, on the Cisco router. Now we know that the inside interface and outside interface--they both have NAT configuration on them. Let's go ahead and check IP NAT translation again. Alright. We have some traffic here. This is our IP address, right? Right? And this is what we are trying to ping. And this is the ICMP protocol, and this is the IP address we are translated into. So if we check this IP address on the interface, that's our IP address.
We know that the Cisco router translates the packet into a public IP. Now what we need to do is--we know traffic comes here on the router, it's translated, and we need to make sure traffic can leave the interface. Now, how do we check that? Well, usually, if you have the route and there is no restriction on the interface, traffic leaves the interface. So let's go ahead and check that. Do we have any access list? We don't. But do we want to put the access list to make sure traffic leaves the interface? You know, you can use, probably, packet capture--if you know how to do that. But if not, what you can do is do a quick configuration--show IP access list extended, for example, and match our traffic. In our case, let's say outside ISP is going to be--no--outbound. Outside-outbound--that's the access list name. And permit our traffic. What is our traffic? IP host 192.168.0.10.1 into Google DNS. And we want it to be ICMP--but IP will work as well--but let's do ICMP only.
And now we want to assign this access list on the public interface. But remember, right now the interface doesn't have the access list, which means once you assign this access list, you'll permit only the things you have in the access list. And in our case, that's only the ICMP packet coming from our computer going to Google. But for the rest of the users, we're going to break the Internet--well, if they have it already. So what we want to do is add permit any any at the end of the access list, which means if we assign this access list on the outbound interface for the outbound traffic, we'll get the match here, and hit count will increase if the packet leaves the router. And for the rest of the traffic--to not block them--here's the permit ip any any. So let's go ahead and do: interface GigabitEthernet1, ip access-group outside-outbound out.
And now--now you see there's a match on ip any any--probably some kind of, you know, different traffic coming from the computer, checking the updates or something like that. Our traffic doesn't have the match. Let's generate the traffic on the computer. This is our traffic. One, two. Okay. And now let's check if we have the match on the access list. We don't. That's weird. Isn't our IP address--oh, oh, I'm sorry. Guys, this is ridiculous. Remember, we translated traffic into a public IP, so there's no way to match the 192.168.1.10 on the egress interface. So we want to do something else. Let's go ahead and, you know, fix that. We want to remove line 10 and add the new--new line: ip access-list extended ..., permit icmp host [our public IP address] host 8.8.8.8. What’s the public IP address of the router? It is 100.100, I believe. This is the IP address. And then we are going to ping Google DNS. Here's the access list.
Now--now we need to renumber this because it's incorrect. We want to have permit any any at the end. So: remove 20, permit ip any any. And now it's correct. Okay. Now let's ping and see if the packet leaves the router. We still don't have the match on the interface. Okay. Here's the match. I was like, what's going on? So we have a match, and that confirms two things--not two, actually several: We have the working gateway for the Cisco router, so traffic can leave the interface. Because the match is for the public IP address, we also know that the traffic is being translated--so even if you didn’t check the IP NAT translation, this confirms that there was a translation and the private IP address is translated into a public IP address. And third, the packet leaves the router. Okay, now that's good--it leaves the router. But is it coming back? No. It might be coming back, or it might not be coming back--depends on the problems on the Internet.
So since this video is about troubleshooting, let's make sure the traffic is coming back. And for that, we again can capture the traffic, or we can assign a similar access list on the inbound traffic. Extended--and that would be outside-inbound. And now what do we want to match here? We want to match Google DNS as a source because, remember, the answer is coming from Google now. And we want to set the destination to be our IP address on the public interface--on the outside interface. And the protocol is ICMP. Also, you can use echo-reply if you want--not necessary for this purpose, but you can. Like, if you are troubleshooting with someone else on the other side and they are pinging your IP address as well, you might want to add echo-reply to make sure this is your reply and not their ping. But Google is not going to ping us, so it's okay to not put the echo-reply. Any ICMP we match here--we know it's our reply from Google DNS. And now let's permit ip any any because we don't want to block any other traffic on the interface.
Because right now there's no access--again, there's no access list--and if we assign the access list, we'll block everything that is not permitted on the access list. So let's go ahead and configure the Ethernet--GigabitEthernet1: ip access-group [access list name] and here we use inbound. Okay. In. Now let's check what match we have on the interface for inbound traffic. Is there any reply from Google? And there is a reply. So we know now that the traffic not only leaves the router, but it's also coming back from Google. So the Internet in between--Google DNS and our ISP--is okay. We received the traffic, but the computer still cannot ping that. How come? We need the ping on the computer. So what else is left? When traffic comes back to the router--let me try to draw it here. When traffic leaves, okay, we have this traffic.
It left the router, went to the ISP--not ISP, Google DNS--and came back. And it comes here. We have this match on this interface. Now what's supposed to happen? Well, NAT will catch the traffic, will check the port translations, and will figure out--okay, that's the returning traffic for this ping. The guy's pinging from the Windows 7 machine. And now this packet--sorry--now this packet is supposed to leave this interface, okay, to be delivered to the computer. And let's make sure that is happening. For that, what we are going to do is... we are--for that, we are going to check if the traffic leaves the Cisco router. Again, this is the same as we did on the outside interface. You can capture traffic if you know how to capture. If not, you can assign the interface on the address. Let's first make sure there is no access list on the router. And let's do out. There is an access list. Okay. Now, let's check what this access list has in it. Does it have any match?
It doesn't. But look at this--this subnet is not what we are expecting to have because, remember, our subnet is 192.168.0.1, and here we see 2. So again, the subnet on the access list is wrong. Let's try and fix that. Now it's correct. So remember, the traffic leaves the router. So the source here is gonna be any--in our case, it's Google DNS--and the destination is our computer. So the access list order, like from any to subnet, is correct. And let's see if we can finally ping it. We still cannot ping it. Wow. Let's see what's going on. Is it leaving the interface? It is--actually, my bad. I did 2 again. Okay, this is wrong. This is what happens when you rush. And actually--10. And then we need to do 1. Yeah. Once you remove all lines from the access list, that access list doesn't work anymore. So there's no deny any any at the end if there's no line in the access list. So as soon as we removed 10, we started pinging.
And then we added the correct line here, and we can still ping it. And we have hit counts. So this is how you troubleshoot a simple, basic Cisco network. Not only Cisco networks--pretty much any network. You need to know what you're troubleshooting. You need to know how traffic goes, what gateway you're supposed to have on the computer. You need to know all the things to troubleshoot, and after several months or years, you'll have enough experience to skip some of the steps. For example, you might know the gateway on the router is correct because you connected to the router remotely and from the Internet, so the router most likely has the default gateway. Or you might know that the access list is not supposed to be checked on the inside device because the user told you that they can ping the IP address of the gateway. So many, many things can be skipped based on your experience. But this is from the start to the end. You check from the beginning where you have the problem. You don't check at the end if the Cisco has the Internet.
First, you make sure you have everything you need to leave the area--to leave the subnet. Now, let's see if we can ping Google--the actual Google website--directly using DNS. And we can ping. So if I go on a browser here, it'll try to open the Google website. I should be able to open it. And sure enough, I can open it. And it works. Perfect. I hope this was useful for you guys, and at some point, you'll use it. That's it. So guys, if you like these videos, please like the video and hit the subscribe button if you want to see more videos like this. Also, I'm looking for ideas on what kind of videos to create. So if you have any idea and you're looking for some kind of configuration on the Cisco or similar network, you can put in the comments what you want to see in the next video. Thanks for watching, and have a good one.