Hello, guys. Welcome back. My name is David, and today we are going to troubleshoot the Symposium Cisco network. So what I mean is I have one computer and one router. This router was configured to pass the traffic to translate this traffic into a public IP so the computer can serve the Internet. Now, what I did, I broke the configuration in several places, and we are going to start from the beginning to the end. We'll find all the problems and try to fix them. Stay with me. [Music]. Okay. Let's start. This is my computer. This computer is supposed to have the IP address and DNS IP address, right? And the gateway, of course. Then traffic comes here on the Cisco router, and then from the router, it goes to the Internet. But here, we need to do NAT, right? Network Address Translation. So let's start and find all the problems I caused in the configuration. So, in order for the traffic to leave the computer, the computer is supposed to have the IP address. Let's make sure the computer has the IP address. And when we say, “Let’s make sure the computer has the IP address,” let's test the actual status of the IP address, not the configuration. And what I mean by that is you can go into a configuration and make sure the configuration is there by clicking this button, but that's not the way I want you to test it. I want to test the actual status of the configuration. That means you can either click here, “Details,” or in the CLI. Now, what's the difference, you might say? The difference is that sometimes, when you configure the IP address, Windows is not taking this IP address for some reason. There can be many, many reasons, but the configuration doesn't always work. So when you check the configuration on the IP address, it's not necessarily the case that the computer is using that IP address. So what we're going to do, we want to check the actual status of this configuration. Okay. So let's see what we have. We have the IP address here, as you can see, and we have the gateway. So we know the IP address is there, and probably the IP address works. We can ping the IP address itself, and yes, well, the IP stack, the TCP/IP stack, works on the computer. That's good. So now let's test the gateway and make sure the gateway works. Here's the gateway, and we want to ping that gateway to make sure the gateway is on the network. Now, you might already see that the gateway is .1 on the topology, so the gateway is wrong, but let's try and ping it. Ping 192.168.1.254, and the gateway is not pingable. And how do--let's say we don't know if the gateway is correct or not, or we know the gateway is correct, but we are not sure why we can't ping it. Ping could be closed. Nobody closed ICMP on the gateway, but let's say it's closed. You want to make sure the gateway is on the network, and for that, we can check the ARP. Let's go ahead on the Windows machine and type arp -a, and this will show you the ARP cache and, you know, the IP address mapped to the MAC address. So let's see if we have 254 here in the ARP cache--and we don't have it. But we have .1, and let's try and ping it--.1. It's not pingable. That's weird. But, well, at least we know it's .1, but let's go ahead and change that one. You know what? We have the Cisco router, and we have the interface G3--Gigabit Ethernet 3--and let's see what's the IP address on the interface. Show run--not sure--show interface G3-- address. And as you can see, this is the IP address of the Cisco router. So yes, the computer is supposed to have .1 as a gateway, not 254. So let's go ahead and fix that on the computer. We are one step closer to fixing the problem. And let's do .1. Now remember, .1 wasn't pingable from the computer, and we want to find out why we cannot ping it. Should it be pingable? Should it not? Let's go ahead and check if there's any access list on the Cisco router on the inside interface. Show run inside interface Gigabit 3/3, and | include for the inbound. And sure, there is an access list. Let's check what's inside. Okay, we have permit ip 192.168.3. Okay. And /24. So the access list is not permitting our traffic coming from the computer because, remember, our IP address or subnet on the computer is 192.168.1.-- not 3, but 1--on the third octet. And the access list on the Cisco router is not having this .1. So let's go ahead and fix that. We need to go into the access list-- extended-- inside inbound. And, you know, we know for sure that there is not supposed to be the 3 network on this LAN, right? So it's okay to remove this IP address and fix that. Node 20, and then permit ip 192.168.1.0 0.0.0.255 any. Okay. Now it looks great. Let's see if we can ping the router. Okay. We can ping the router. Great. Now let's check--do we have the Internet? And no, we don't. Okay. Let's see what else we are missing here. Do we have the route? No. Actually, let's make sure the Cisco router has the Internet. Ping 8.8.8.8. Cisco router doesn't have the Internet. Let's fix that. So what do you need on the router to have the Internet? You need the IP address, you need the next hop, which is that .1, and you need a connection between ISP and the router. Let's check what is the interface on the Gigabit1, and what is the IP address here? Okay, that's great. Now, what's the gateway? Show ip route. And our gateway is .3. But remember, our ISP has .1, not .3. So let's go ahead and fix that too. Here's my route, which I need to remove and add the new one. Now remember, if you just add the route, you'll have two routes. It's not going to replace--even though it has the same destination. It's not going to replace. So you want to remove the old route and add the new one. Okay. Now we have the route in the routing table--proper route. Now let's see if we can ping Google. Ping Google from the Cisco router. Okay. Cisco router has the Internet. Now let's come back to the computer and see if the computer also has the Internet. Well, no. Computer doesn't have the Internet. Okay. Let's think. What do we need to do? What do we need to have on the Cisco router to allow Internet access from the computer so the computer can serve Internet sites--websites? Okay? So first, the computer has the private IP address. You see? And the Cisco router external interface is the public IP address. So we want to translate our private IP subnet into a public IP address of the router. And for that, we need to do the NAT. And let's make sure we have the NAT translations on the Cisco router. So let's go ahead and try to ping-- actually, it does not-- let's ping and come back here and see if we have NAT translations. And we have some NAT translations, which are not our Google IP addresses. So let's clear up: clear ip nat translation * dynamic I believe here. No. Just everything. Okay. Show ip nat translations. We don't have new translations. That means the Cisco router is not translating our traffic from the private subnet into the public IP. And let's troubleshoot that. We need to have the configuration for that, right? So let's go ahead and do this: show run interface Gigabit3. And does it have the NAT configuration on the Gigabit3? It does. And it has no IP NAT inside. That's great. Now, the inside interface is supposed to have IP NAT inside. The outside interface, though, is supposed to have IP NAT outside. Let's check that. Oh, the outside interface doesn't have IP NAT outside at all. So let's go ahead and configure that-- IP NAT outside. And now we've fixed NAT, well, at least partially, on the Cisco router. Now we know that the inside interface and outside interface-- they both have NAT configuration on them. Let's go ahead and check IP NAT translation again. Alright. We have some traffic here. This is our IP address, right? Right? And this is what we are trying to ping. And this is the ICMP protocol, and this is the IP address we are translated into. So if we check this IP address on the interface, that's our IP address. We know that the Cisco router translates the packet into a public IP. Now what we need to do is--we know traffic comes here on the router, it's translated, and we need to make sure traffic can leave the interface. Now, how do we check that? Well, usually, if you have the route and there is no restriction on the interface, traffic leaves the interface. So let's go ahead and check that. Do we have any access list? We don't. But do we want to put the access list to make sure traffic leaves the interface? You know, you can use, probably, packet capture--if you know how to do that. But if not, what you can do is do a quick configuration--show IP access list extended, for example, and match our traffic. In our case, let's say outside ISP is going to be--no--untold. Outside outbound-- that's the access list name. And permit our traffic. What is our traffic? IP host 192.168.0.10.1 into Google DNS. And we want it to be ICMP--but IP will work as well--but let's do ICMP only. And now we want to assign this access list on the public interface. But remember, right now the interface doesn't have the access, which means once you assign this access list, you'll permit only the things you have in the access list. And in our case, that's only the ICMP packet coming from our computer going to Google. But for the rest of the users, we're going to break the Internet--well, if they have it already. So what we want to do is add permit any any at the end of the access list, which means if we assign this access list on the outbound interface for the outbound traffic, we'll get the match here, and hit count will increase if the packet leaves the router. And for the rest of the traffic--to not block them-- here's the permit ip any any. So let's go ahead and do: interface GigabitEthernet1, ip access-group outside-outbound out. And now--now you see there's a match on IP and ENA-- probably some kind of, you know, different traffic coming from the computer, checking the updates or something like that. Our traffic doesn't have the match. Let's generate the traffic on the computer. This is our traffic. One, two. Okay. And now let's check if we have the match on the access list. We don't. That's weird. Isn't our IP address-- oh, oh, I'm sorry. Guys, this is ridiculous. Remember, we translated traffic into a public IP, so there's no way to match the 192.168.1.10 on the egress interface. So we want to do something else. Let's go ahead and, you know, fix that. We want to remove line 10 and add the new--new line: ip access-list extended ..., permit icmp host [our public IP address] host 8.8.8.8. What’s the public IP address of the router? It is 100.100, I believe. This is the IP address. And then we are going to ping Google DNS. Here's the access list. Now-- now we need to renumber this because it's incorrect. We want to have permit any any at the end. So: remove 20, permit ip any any. And now it's correct. Okay. Now let's ping and see if the packet leaves the router. We still don't have the match on the interface. Okay. Here's the match. I was like, what's going on? So we have a match, and that confirms two things-- not two, actually several: We have the working gateway for the Cisco router, so traffic can leave the interface. Because the match is for the public IP address, we also know that the traffic is being translated--so even if you didn’t check the IP NAT translation, this confirms that there was a translation and the private IP address is translated into a public IP address. And third, the packet leaves the router. Okay, now that's good--it leaves the router. But is it coming back? No. It might be coming back, or it might not be coming back--depends on the problems on the Internet. So since this video is about troubleshooting, let's make sure the traffic is coming back. And for that, we again can capture the traffic, or we can assign a similar access list on the inbound traffic. Extended--and that would be outside-inbound. And now what do we want to match here? We want to match Google DNS as a source because, remember, the answer is coming from Google now. And we want to set the destination to be our IP address on the public interface--on the outside interface. And the protocol is ICMP. Also, you can use echo-reply if you want-- not necessary for this purpose, but you can. Like, if you are troubleshooting with someone else on the other side and they are pinging your IP address as well, you might want to add echo-reply to make sure this is your reply and not their ping. But Google is not going to ping us, so it's okay to not put the echo-reply. Any ICMP we match here--we know it's our reply from Google DNS. And now let's permit ip any any because we don't want to block any other traffic on the interface. Because right now there's no access--again, there's no access list--and if we assign the access list, we'll block everything that is not permitted on the access list. So let's go ahead and configure the Ethernet--GigabitEthernet1: ip access-group [access list name] and here we use inbound. Okay. In. Now let's check what match we have on the interface for inbound traffic. Is there any reply from Google? And there is a reply. So we know now that the traffic not only leaves the router, but it's also coming back from Google. So the Internet in between-- Google DNS and our ISP--is okay. We received the traffic, but the computer still cannot ping that. How come? We need the ping on the computer. So what else is left? When traffic comes back to the router-- let me try to draw it here. When traffic leaves, okay, we have this traffic. It left the router, went to the ISP--not ISP, Google DNS-- and came back. And it comes here. We have this match on this interface. Now what's supposed to happen? Well, NAT will catch the traffic, will check the port translations, and will figure out--okay, that's the returning traffic for this ping. The guy's pinging from the Windows 7 machine. And now this packet--sorry-- now this packet is supposed to leave this interface, okay, to be delivered to the computer. And let's make sure that is happening. For that, what we are going to do is... we are-- for that, we are going to check if the traffic leaves the Cisco router. Again, this is the same as we did on the outside interface. You can capture traffic if you know how to capture. If not, you can assign the interface on the address. Let's first make sure there is no access list on the router. And let's do out. There is an access list. Okay. Now, let's check what this access list has in it. Does it have any match? It doesn't. But look at this-- this subnet is not what we are expecting to have because, remember, our subnet is 192.168.0.1, and here we see 2. So again, the subnet on the access list is wrong. Let's try and fix that. Now it's correct. So remember, the traffic leaves the router. So the source here is gonna be any--in our case, it's Google DNS--and the destination is our computer. So the access list order, like from any to subnet, is correct. And let's see if we can finally ping it. We still cannot ping it. Wow. Let's see what's going on. Is it leaving the interface? It is--actually, my bad. I did 2 again. Okay, this is wrong. This is what happens when you rush. And actually--10. And then we need to do 1. Yeah. Once you remove all lines from the access list, that access list doesn't work anymore. So there's no deny any any at the end if there's no line in the access list. So as soon as we removed 10, we started pinging. And then we added the correct line here, and we can still ping it. And we have hit counts. So this is how you troubleshoot a simple, basic Cisco network. Not only Cisco networks--pretty much any network. You need to know what you're troubleshooting. You need to know how traffic goes, what gateway you're supposed to have on the computer. You need to know all the things to troubleshoot, and after several months or years, you'll have enough experience to skip some of the steps. For example, you might know the gateway on the router is correct because you connected to the router remotely and from the Internet, so the router most likely has the default gateway. Or you might know that the access list is not supposed to be checked on the inside device because the user told you that they can ping the IP address of the gateway. So many, many things can be skipped based on your experience. But this is from starting to the end. You check from the beginning where you have the problem. You don't check at the end if the Cisco has the Internet. First, you make sure you have everything you need to leave the area--to leave the subnet. Now, let's see if we can ping Google--the actual Google website-- directly using DNS. And we can ping. So if I go on a browser here, it'll try to open the Google website. I should be able to open it. And sure enough, I can open it. And it works. Perfect. I hope this was useful for you guys, and at some point, you'll use it. That's it. So guys, if you like these videos, please like the video and hit the subscribe button if you want to see more videos like this. Also, I'm looking for ideas on what kind of videos to create. So if you have any idea and you're looking for some kind of configuration on the Cisco or similar network, you can put in the comments what you want to see in the next video. Thanks for watching, and have a good one.