WEBVTT 00:00:01.040 --> 00:00:03.199 Hello, guys. Welcome back. My name is David, 00:00:03.199 --> 00:00:04.799 and today we are going to troubleshoot the 00:00:04.799 --> 00:00:07.839 simple Cisco network. So what I mean is I 00:00:07.839 --> 00:00:10.480 have one computer and one router. 00:00:10.480 --> 00:00:12.559 This router was configured to pass the 00:00:12.559 --> 00:00:14.880 traffic to translate this traffic into a 00:00:14.880 --> 00:00:17.760 public IP so the computer can surf the 00:00:17.760 --> 00:00:19.760 Internet. Now, what I did, I broke the 00:00:19.760 --> 00:00:21.840 configuration in several places, and we 00:00:21.840 --> 00:00:24.480 are going to start from the beginning to the 00:00:24.480 --> 00:00:26.800 end. We'll find all the problems and try 00:00:26.800 --> 00:00:28.911 to fix them. Stay with me. 00:00:28.911 --> 00:00:32.399 [Music]. 00:00:32.399 --> 00:00:35.520 Okay. Let's start. This is my computer. 00:00:35.520 --> 00:00:37.120 This computer is supposed to have the IP 00:00:37.120 --> 00:00:39.840 address and DNS IP address, right? And the 00:00:39.840 --> 00:00:41.760 gateway, of course. Then traffic comes 00:00:41.760 --> 00:00:44.079 here on the Cisco router, and then from 00:00:44.079 --> 00:00:46.079 the router, it goes to the Internet. 00:00:46.079 --> 00:00:49.600 But here, we need to do NAT, right? Network Address 00:00:49.600 --> 00:00:52.960 Translation. So let's start and find all 00:00:52.960 --> 00:00:56.160 the problems I caused in the configuration. 00:00:56.160 --> 00:00:58.719 So, in order for the traffic to leave the 00:00:58.719 --> 00:01:00.719 computer, the computer is supposed to have 00:01:00.719 --> 00:01:02.640 the IP address. Let's make sure the computer 00:01:02.640 --> 00:01:04.240 has the IP address.
00:01:06.400 --> 00:01:08.960 And when we say, “Let’s make sure the computer 00:01:08.960 --> 00:01:11.520 has the IP address,” 00:01:11.520 --> 00:01:14.799 let's test the actual status of the IP 00:01:14.799 --> 00:01:16.799 address, not the configuration. And what I 00:01:16.799 --> 00:01:18.560 mean by that is 00:01:18.560 --> 00:01:20.960 you can go into a configuration and make 00:01:20.960 --> 00:01:22.799 sure the configuration is there by 00:01:22.799 --> 00:01:24.400 clicking this button, 00:01:24.400 --> 00:01:27.290 but that's not the way I want you to test it. 00:01:27.290 --> 00:01:28.560 I want to test 00:01:28.560 --> 00:01:30.640 the actual status of the configuration. 00:01:30.640 --> 00:01:32.799 That means you can either click here, 00:01:32.799 --> 00:01:36.079 “Details,” or in the CLI. 00:01:36.079 --> 00:01:37.759 Now, what's the difference, you might say? 00:01:37.759 --> 00:01:39.759 The difference is that sometimes, when 00:01:39.759 --> 00:01:41.680 you configure the IP address, Windows is 00:01:41.680 --> 00:01:44.799 not taking this IP address for some reason. 00:01:44.799 --> 00:01:47.040 There can be many, many reasons, but the 00:01:47.040 --> 00:01:49.600 configuration doesn't always work. So 00:01:49.600 --> 00:01:51.119 when you check the configuration on the 00:01:51.119 --> 00:01:53.119 IP address, it's not necessarily the case that the 00:01:53.119 --> 00:01:55.119 computer is using that IP address. So what we're 00:01:55.119 --> 00:01:56.960 going to do, we want to check the actual 00:01:56.960 --> 00:01:59.920 status of this configuration. Okay. So 00:01:59.920 --> 00:02:02.079 let's see what we have. We have the IP 00:02:02.079 --> 00:02:04.159 address here, as you can see, 00:02:04.159 --> 00:02:06.159 and we have the gateway. So we know the 00:02:06.159 --> 00:02:08.399 IP address is there, and probably the 00:02:08.399 --> 00:02:12.200 IP address works. 
We can ping the IP address itself, 00:02:12.200 --> 00:02:18.010 and yes, well, the IP stack, the TCP/IP stack, works on the computer. 00:02:18.010 --> 00:02:19.280 That's good. So now let's test 00:02:19.280 --> 00:02:21.280 the gateway and make sure the gateway works. 00:02:21.280 --> 00:02:22.879 Here's the gateway, 00:02:22.879 --> 00:02:25.200 and we want to ping that gateway to make 00:02:25.200 --> 00:02:28.400 sure the gateway is on the network. 00:02:28.400 --> 00:02:30.480 Now, you might already see that the gateway 00:02:30.480 --> 00:02:32.720 is .1 on the topology, so the 00:02:32.720 --> 00:02:35.440 gateway is wrong, but let's try and ping it. 00:02:35.440 --> 00:02:39.519 Ping 192.168.1.254, 00:02:39.519 --> 00:02:42.000 and the gateway is not pingable. And how 00:02:42.000 --> 00:02:43.840 do--let's say we don't know if the 00:02:43.840 --> 00:02:45.680 gateway is correct or not, 00:02:45.680 --> 00:02:47.840 or we know the gateway is correct, but we 00:02:47.840 --> 00:02:50.560 are not sure why we can't ping it. Ping 00:02:50.560 --> 00:02:53.200 could be closed. Nobody closed ICMP 00:02:53.200 --> 00:02:55.280 on the gateway, but let's say it's closed. 00:02:55.280 --> 00:02:57.519 You want to make sure the gateway is on 00:02:57.519 --> 00:03:00.190 the network, and for that, we can check the ARP. 00:03:00.190 --> 00:03:01.680 Let's go ahead on the Windows 00:03:01.680 --> 00:03:05.040 machine and type arp -a, 00:03:05.040 --> 00:03:06.800 and this will show you the ARP cache and, you 00:03:06.800 --> 00:03:08.640 know, the IP address mapped to the MAC address. 00:03:08.640 --> 00:03:11.599 So let's see if we have 254 here in the 00:03:11.599 --> 00:03:14.080 ARP cache--and we don't have it. 00:03:14.080 --> 00:03:16.640 But we have .1, 00:03:16.640 --> 00:03:19.246 and let's try and ping it--.1. 00:03:21.680 --> 00:03:24.959 It's not pingable. That's weird. 
But, well, 00:03:24.959 --> 00:03:26.799 at least we know it's .1, but let's 00:03:26.799 --> 00:03:29.599 go ahead and change that one. 00:03:29.599 --> 00:03:31.680 You know what? We have the Cisco router, 00:03:31.680 --> 00:03:34.560 and we have the interface G3--Gigabit Ethernet 3--and 00:03:34.560 --> 00:03:37.200 let's see what's the IP address on the interface. 00:03:37.200 --> 00:03:38.319 Show 00:03:38.319 --> 00:03:42.239 run--not sure--show interface G3-- 00:03:42.799 --> 00:03:43.698 address. 00:03:45.120 --> 00:03:47.840 And as you can see, this is the IP 00:03:47.840 --> 00:03:49.040 address 00:03:49.040 --> 00:03:52.239 of the Cisco router. So yes, the computer 00:03:52.239 --> 00:03:56.320 is supposed to have .1 as a gateway, not 254. 00:03:56.640 --> 00:03:59.800 So let's go ahead and fix that on the computer. 00:03:59.800 --> 00:04:05.670 We are one step closer to fixing the problem. 00:04:06.239 --> 00:04:08.480 And let's do .1. 00:04:08.480 --> 00:04:10.319 Now 00:04:10.319 --> 00:04:13.439 remember, .1 wasn't pingable from 00:04:13.439 --> 00:04:15.040 the computer, 00:04:15.040 --> 00:04:17.040 and we want to find out why we cannot 00:04:17.040 --> 00:04:19.600 ping it. Should it be pingable? Should it not? 00:04:19.600 --> 00:04:22.000 Let's go ahead and check if there's 00:04:22.000 --> 00:04:25.280 any access list on the Cisco router 00:04:25.280 --> 00:04:28.650 on the inside interface. Show run 00:04:30.479 --> 00:04:34.960 inside interface Gigabit 3/3, and | include for 00:04:34.960 --> 00:04:38.360 the inbound. And sure, there is an access list. 00:04:38.360 --> 00:04:40.619 Let's check what's inside. 00:04:42.080 --> 00:04:47.040 Okay, we have permit ip 192.168.3. 00:04:47.040 --> 00:04:48.000 Okay. 00:04:48.000 --> 00:04:50.080 And /24. 
00:04:50.080 --> 00:04:53.520 So the access list is not permitting our 00:04:53.520 --> 00:04:55.440 traffic coming from the computer because, 00:04:55.440 --> 00:04:58.160 remember, our IP address or subnet on 00:04:58.160 --> 00:05:02.639 the computer is 192.168.1.-- 00:05:02.639 --> 00:05:05.759 not 3, but 1--on the third octet. And the 00:05:05.759 --> 00:05:10.130 access list on the Cisco router is not having this .1. 00:05:10.130 --> 00:05:12.494 So let's go ahead and fix that. 00:05:14.160 --> 00:05:16.639 We need to go into the access list-- 00:05:16.639 --> 00:05:18.000 extended-- 00:05:18.000 --> 00:05:21.120 inside inbound. And, you know, we know 00:05:21.120 --> 00:05:23.199 for sure that there is not 00:05:23.199 --> 00:05:25.199 supposed to be the 3 00:05:25.199 --> 00:05:27.680 network on this LAN, right? So it's okay 00:05:27.680 --> 00:05:30.685 to remove this IP address and fix that. 00:05:31.840 --> 00:05:42.360 no 20, and then permit ip 192.168.1.0 0.0.0.255 any. 00:05:42.360 --> 00:05:43.680 Okay. 00:05:43.680 --> 00:05:45.600 Now it looks great. 00:05:45.600 --> 00:05:47.999 Let's see if we can ping the router. 00:05:55.600 --> 00:05:57.759 Okay. We can ping the router. 00:05:57.759 --> 00:06:01.738 Great. Now let's check--do we have the Internet? 00:06:03.360 --> 00:06:07.039 And no, we don't. Okay. 00:06:07.039 --> 00:06:08.319 Let's see 00:06:08.319 --> 00:06:10.800 what else we are missing here. Do we have 00:06:10.800 --> 00:06:12.294 the route? 00:06:13.360 --> 00:06:16.240 No. Actually, let's make sure the Cisco 00:06:16.240 --> 00:06:20.049 router has the Internet. Ping 8.8.8.8. 00:06:20.049 --> 00:06:21.120 Cisco router 00:06:21.120 --> 00:06:23.840 doesn't have the Internet. Let's fix that. 00:06:23.840 --> 00:06:25.919 So what do you need on the router to 00:06:25.919 --> 00:06:27.680 have the Internet?
You need the IP 00:06:27.680 --> 00:06:29.440 address, you need the next hop, which is 00:06:29.440 --> 00:06:31.600 that .1, and you need a connection between 00:06:31.600 --> 00:06:33.520 ISP and the router. 00:06:33.520 --> 00:06:35.759 Let's check what is the interface on the 00:06:35.759 --> 00:06:37.600 Gigabit1, 00:06:37.600 --> 00:06:40.599 and what is the IP address here? 00:06:46.080 --> 00:06:47.039 Okay, 00:06:47.039 --> 00:06:49.120 that's great. Now, what's the gateway? Show 00:06:49.120 --> 00:06:51.199 ip route. 00:06:51.199 --> 00:06:53.840 And our gateway is .3. 00:06:53.840 --> 00:06:54.960 But remember, 00:06:54.960 --> 00:06:57.360 our ISP has .1, not .3. So 00:06:57.360 --> 00:06:59.840 let's go ahead and fix that too. 00:06:59.840 --> 00:07:02.479 Here's my route, which I need to remove 00:07:02.479 --> 00:07:04.553 and add the new one. 00:07:05.440 --> 00:07:07.680 Now remember, if you just add the route, 00:07:07.680 --> 00:07:09.599 you'll have two routes. It's not going to 00:07:09.599 --> 00:07:12.169 replace--even though it has the same destination. 00:07:12.169 --> 00:07:13.599 It's not going to replace. So 00:07:13.599 --> 00:07:17.650 you want to remove the old route and add the new one. 00:07:20.319 --> 00:07:23.199 Okay. Now we have the route in the 00:07:23.199 --> 00:07:25.280 routing table--proper route. Now let's see if we 00:07:25.280 --> 00:07:28.319 can ping Google. Ping Google 00:07:28.319 --> 00:07:30.000 from the Cisco router. 00:07:30.000 --> 00:07:31.039 Okay. 00:07:31.039 --> 00:07:33.039 Cisco router has the Internet. Now let's 00:07:33.039 --> 00:07:35.039 come back to the computer and see 00:07:35.039 --> 00:07:38.479 if the computer also has the Internet. 00:07:38.479 --> 00:07:42.319 Well, no. Computer doesn't have the Internet. Okay. 00:07:42.319 --> 00:07:45.280 Let's think. What do we need to do? 
00:07:45.280 --> 00:07:47.680 What do we need to have on the Cisco router 00:07:47.680 --> 00:07:50.240 to allow Internet access from 00:07:50.240 --> 00:07:52.160 the computer 00:07:52.160 --> 00:07:53.840 so the computer can surf Internet 00:07:53.840 --> 00:07:56.720 sites--websites? Okay? So first, 00:07:56.720 --> 00:07:58.960 the computer has the private IP address. You 00:07:58.960 --> 00:08:01.759 see? And the Cisco router external 00:08:01.759 --> 00:08:04.560 interface is the public IP address. So we 00:08:04.560 --> 00:08:07.360 want to translate our private IP subnet 00:08:07.360 --> 00:08:10.400 into a public IP address of the router. And for 00:08:10.400 --> 00:08:12.720 that, we need to do the NAT. 00:08:12.720 --> 00:08:14.879 And let's make sure we have the NAT 00:08:14.879 --> 00:08:17.599 translations on the Cisco router. So 00:08:17.599 --> 00:08:20.000 let's go ahead and try to ping-- 00:08:20.000 --> 00:08:22.800 actually, it does not-- 00:08:22.800 --> 00:08:26.160 let's ping and come back here and see 00:08:26.160 --> 00:08:28.702 if we have NAT translations. 00:08:32.719 --> 00:08:35.823 And we have some NAT translations, 00:08:38.959 --> 00:08:41.839 which are not our Google IP addresses. 00:08:41.839 --> 00:08:43.200 So let's clear up: 00:08:43.200 --> 00:08:45.839 clear ip nat translation * 00:08:45.839 --> 00:08:47.839 dynamic I believe here. 00:08:47.839 --> 00:08:50.020 No. Just everything. 00:08:50.660 --> 00:08:53.600 Okay. Show ip nat translations. 00:08:53.600 --> 00:08:55.600 We don't have new translations. That 00:08:55.600 --> 00:08:58.080 means the Cisco router is not translating 00:08:58.080 --> 00:09:02.160 our traffic from the private subnet into the public IP. 00:09:02.160 --> 00:09:04.320 And let's troubleshoot that. We need to 00:09:04.320 --> 00:09:06.480 have the configuration for that, right? So 00:09:06.480 --> 00:09:08.240 let's go ahead and do this: show 00:09:08.240 --> 00:09:10.959 run interface Gigabit3.
And does it 00:09:10.959 --> 00:09:14.080 have the NAT configuration on the Gigabit3? 00:09:14.080 --> 00:09:17.200 It does. And it has no IP NAT inside. 00:09:17.200 --> 00:09:18.720 That's great. Now, the 00:09:18.720 --> 00:09:20.720 inside interface is supposed to have IP 00:09:20.720 --> 00:09:23.519 NAT inside. The outside interface, though, is 00:09:23.519 --> 00:09:26.000 supposed to have IP NAT outside. 00:09:26.000 --> 00:09:27.370 Let's check that. 00:09:31.279 --> 00:09:33.360 Oh, the outside interface doesn't have IP NAT 00:09:33.360 --> 00:09:35.839 outside at all. So let's go ahead and 00:09:35.839 --> 00:09:37.279 configure that-- 00:09:37.279 --> 00:09:39.360 IP NAT outside. 00:09:39.360 --> 00:09:40.959 And now 00:09:40.959 --> 00:09:44.560 we've fixed NAT, well, at least partially, on 00:09:44.560 --> 00:09:46.880 the Cisco router. Now we know that the 00:09:46.880 --> 00:09:48.640 inside interface and outside interface-- 00:09:48.640 --> 00:09:51.440 they both have NAT configuration on them. 00:09:51.440 --> 00:09:54.960 Let's go ahead and check IP NAT translation again. 00:09:56.560 --> 00:09:59.519 Alright. We have some traffic here. 00:09:59.519 --> 00:10:02.880 This is our IP address, 00:10:02.880 --> 00:10:04.560 right? Right? 00:10:04.560 --> 00:10:07.680 And this is what we are trying to ping. 00:10:07.680 --> 00:10:09.600 And this is the ICMP protocol, and this 00:10:09.600 --> 00:10:13.040 is the IP address we are translated into. 00:10:13.040 --> 00:10:15.360 So if we check this IP address on the 00:10:15.360 --> 00:10:18.560 interface, that's our IP address. We know 00:10:18.560 --> 00:10:23.440 that the Cisco router translates the packet into a public IP. 00:10:23.440 --> 00:10:25.920 Now what we need to do is--we know 00:10:25.920 --> 00:10:28.079 traffic comes here on the router, it's 00:10:28.079 --> 00:10:30.000 translated, and we need to make sure 00:10:30.000 --> 00:10:32.399 traffic can leave the interface. 
Now, how 00:10:32.399 --> 00:10:33.760 do we check that? 00:10:33.760 --> 00:10:36.560 Well, usually, if you have the route and there 00:10:36.560 --> 00:10:38.399 is no restriction on the interface, 00:10:38.399 --> 00:10:41.120 traffic leaves the interface. So let's go 00:10:41.120 --> 00:10:45.360 ahead and check that. Do we have any access list? 00:10:45.360 --> 00:10:46.560 We don't. 00:10:46.560 --> 00:10:49.040 But do we want to put the access list to 00:10:49.040 --> 00:10:50.720 make sure traffic leaves the interface? 00:10:50.720 --> 00:10:53.120 You know, you can use, probably, packet 00:10:53.120 --> 00:10:54.959 capture--if you know how to do that. But 00:10:54.959 --> 00:10:57.760 if not, what you can do is do a quick 00:10:57.760 --> 00:10:59.920 configuration--show IP access list 00:10:59.920 --> 00:11:01.600 extended, for example, 00:11:01.600 --> 00:11:04.320 and match our traffic. In our case, 00:11:04.320 --> 00:11:07.839 let's say outside 00:11:07.839 --> 00:11:11.360 ISP is going to be--no--outbound. 00:11:11.360 --> 00:11:14.782 Outside outbound-- 00:11:15.120 --> 00:11:17.120 that's the access list name. And permit 00:11:17.120 --> 00:11:19.509 our traffic. What is our traffic? 00:11:19.509 --> 00:11:23.680 ip host 192.168.1.10 00:11:23.680 --> 00:11:24.959 into 00:11:24.959 --> 00:11:27.120 Google DNS. 00:11:27.120 --> 00:11:30.560 And we want it to be ICMP--but IP will 00:11:30.560 --> 00:11:34.079 work as well--but let's do ICMP only. 00:11:34.079 --> 00:11:36.160 And now 00:11:36.160 --> 00:11:38.160 we want to assign this access list on 00:11:38.160 --> 00:11:40.880 the public interface. But remember, 00:11:40.880 --> 00:11:42.399 right now the interface doesn't have the 00:11:42.399 --> 00:11:44.160 access list, which means once you assign this 00:11:44.160 --> 00:11:46.399 access list, you'll permit only the 00:11:46.399 --> 00:11:48.320 things you have in the access list.
And 00:11:48.320 --> 00:11:51.040 in our case, that's only the ICMP packet 00:11:51.040 --> 00:11:52.480 coming from our computer going to 00:11:52.480 --> 00:11:55.120 Google. But for the rest of the users, 00:11:55.120 --> 00:11:57.279 we're going to break the Internet--well, if 00:11:57.279 --> 00:11:59.839 they have it already. So what we want to do 00:11:59.839 --> 00:12:02.480 is add permit any any at the end of 00:12:02.480 --> 00:12:03.964 the access list, 00:12:05.680 --> 00:12:07.839 which means if we assign this access 00:12:07.839 --> 00:12:10.399 list on the outbound interface 00:12:10.399 --> 00:12:12.639 for the outbound traffic, 00:12:12.639 --> 00:12:14.959 we'll get the match here, 00:12:14.959 --> 00:12:17.040 and hit count will increase if the 00:12:17.040 --> 00:12:19.519 packet leaves the router. And for the 00:12:19.519 --> 00:12:21.279 rest of the traffic--to not block them-- 00:12:21.279 --> 00:12:23.440 here's the permit ip any any. So let's 00:12:23.440 --> 00:12:27.519 go ahead and do: interface GigabitEthernet1, 00:12:27.519 --> 00:12:33.280 ip access-group outside-outbound out. 00:12:35.729 --> 00:12:39.360 And now--now you see there's a match 00:12:39.360 --> 00:12:41.360 on IP and ENA-- 00:12:41.360 --> 00:12:43.600 probably some kind of, you know, 00:12:43.600 --> 00:12:44.880 different traffic coming from the 00:12:44.880 --> 00:12:46.399 computer, checking the updates or 00:12:46.399 --> 00:12:47.920 something like that. Our traffic 00:12:47.920 --> 00:12:49.760 doesn't have the match. Let's generate 00:12:49.760 --> 00:12:52.639 the traffic on the computer. 00:12:52.639 --> 00:12:54.639 This is our traffic. 00:12:54.639 --> 00:12:56.142 One, 00:12:57.120 --> 00:12:58.619 two. 00:13:00.880 --> 00:13:01.920 Okay. 00:13:01.920 --> 00:13:04.240 And now let's check if we have the match 00:13:04.240 --> 00:13:06.070 on the access list. 00:13:07.680 --> 00:13:09.095 We don't. 00:13:10.800 --> 00:13:12.560 That's weird. 
00:13:12.560 --> 00:13:15.519 Isn't our IP address-- 00:13:15.519 --> 00:13:19.279 oh, oh, I'm sorry. Guys, 00:13:19.279 --> 00:13:22.399 this is ridiculous. Remember, we translated 00:13:22.399 --> 00:13:25.200 traffic into a public IP, so there's no way 00:13:25.200 --> 00:13:28.480 to match the 192.168.1.10 00:13:28.480 --> 00:13:30.480 on the egress interface. So we want 00:13:30.480 --> 00:13:32.639 to do something else. 00:13:32.639 --> 00:13:35.851 Let's go ahead and, you know, fix that. 00:13:38.880 --> 00:13:40.399 We want to remove 00:13:40.399 --> 00:13:43.332 line 10 and add the new--new line: 00:13:44.639 --> 00:13:47.279 ip access-list extended ..., permit icmp host 00:13:47.279 --> 00:13:49.360 [our public IP address] host 8.8.8.8. What’s the public IP address of the 00:13:49.360 --> 00:13:56.800 router? It is 100.100, I believe. This is the IP address. 00:13:56.800 --> 00:14:00.746 And then we are going to ping Google DNS. 00:14:02.000 --> 00:14:04.641 Here's the access list. Now-- 00:14:06.800 --> 00:14:08.890 now we need to 00:14:10.480 --> 00:14:13.440 renumber this because it's incorrect. 00:14:13.440 --> 00:14:15.600 We want to have permit any any at the end. So: 00:14:15.600 --> 00:14:20.079 remove 20, permit ip any any. 00:14:20.959 --> 00:14:23.839 And now it's correct. Okay. Now let's ping and 00:14:23.839 --> 00:14:28.379 see if the packet leaves the router. 00:14:36.560 --> 00:14:39.839 We still don't have the match 00:14:39.839 --> 00:14:42.399 on the interface. Okay. Here's the match. 00:14:42.399 --> 00:14:44.720 I was like, what's going on? 00:14:44.720 --> 00:14:46.560 So we have a match, 00:14:46.560 --> 00:14:49.199 and that confirms two things-- 00:14:49.199 --> 00:14:51.279 not two, actually several: 00:14:51.279 --> 00:14:53.199 We have the working gateway for the 00:14:53.199 --> 00:14:56.800 Cisco router, so traffic can leave the interface. 
00:14:56.800 --> 00:14:59.279 Because the match is for the public 00:14:59.279 --> 00:15:01.600 IP address, we also know that the traffic 00:15:01.600 --> 00:15:03.600 is being translated--so even if you 00:15:03.600 --> 00:15:05.600 didn’t check the IP NAT translation, this 00:15:05.600 --> 00:15:07.600 confirms that there was a translation 00:15:07.600 --> 00:15:09.760 and the private IP address is translated into a 00:15:09.760 --> 00:15:13.199 public IP address. And third, the 00:15:13.199 --> 00:15:15.120 packet leaves the router. 00:15:15.120 --> 00:15:16.880 Okay, now 00:15:16.880 --> 00:15:19.199 that's good--it leaves the router. But is it 00:15:19.199 --> 00:15:20.639 coming back? 00:15:20.639 --> 00:15:24.880 No. It might be coming back, or it might 00:15:24.880 --> 00:15:29.040 not be coming back--depends on the problems on the Internet. 00:15:29.040 --> 00:15:30.720 So since this video is about 00:15:30.720 --> 00:15:32.399 troubleshooting, let's make sure the 00:15:32.399 --> 00:15:34.399 traffic is coming back. 00:15:34.399 --> 00:15:36.880 And for that, we again can capture the 00:15:36.880 --> 00:15:38.959 traffic, or we can assign a similar 00:15:38.959 --> 00:15:41.900 access list on the inbound traffic. 00:15:44.959 --> 00:15:49.490 Extended--and that would be outside-inbound. 00:15:50.240 --> 00:15:53.120 And now what do we want to match here? 00:15:53.120 --> 00:15:55.600 We want to match Google DNS as a source 00:15:55.600 --> 00:15:57.199 because, remember, 00:15:57.199 --> 00:15:59.680 the answer is coming from Google now. 00:15:59.680 --> 00:16:01.920 And we want to set the 00:16:01.920 --> 00:16:04.639 destination to be our IP 00:16:04.639 --> 00:16:08.959 address on the public interface--on the outside interface. 00:16:08.959 --> 00:16:10.880 And the protocol is ICMP. 
00:16:10.880 --> 00:16:12.320 Also, you can use 00:16:12.320 --> 00:16:14.800 echo-reply if you want-- 00:16:14.800 --> 00:16:18.552 not necessary for this purpose, but you can. 00:16:19.279 --> 00:16:22.399 Like, if you are troubleshooting with 00:16:22.399 --> 00:16:24.800 someone else on the other side and they 00:16:24.800 --> 00:16:26.959 are pinging your IP address as well, you 00:16:26.959 --> 00:16:28.880 might want to add echo-reply to make 00:16:28.880 --> 00:16:31.360 sure this is your reply and not their ping. 00:16:31.360 --> 00:16:33.759 But Google is not going to ping us, so 00:16:33.759 --> 00:16:36.969 it's okay to not put the echo-reply. 00:16:36.969 --> 00:16:42.160 Any ICMP we match here--we know it's our reply from Google DNS. 00:16:42.160 --> 00:16:44.639 And now let's permit ip any any because we 00:16:44.639 --> 00:16:47.580 don't want to block any other traffic on the interface. 00:16:47.580 --> 00:16:48.560 Because right now there's 00:16:48.560 --> 00:16:50.480 no access--again, there's no access 00:16:50.480 --> 00:16:52.720 list--and if we assign the access list, 00:16:52.720 --> 00:16:55.040 we'll block everything that is not 00:16:55.040 --> 00:16:57.279 permitted on the access list. 00:16:57.279 --> 00:16:59.920 So let's go ahead and configure the 00:16:59.920 --> 00:17:04.480 Ethernet--GigabitEthernet1: 00:17:04.480 --> 00:17:08.799 ip access-group [access list name] 00:17:08.799 --> 00:17:09.919 and 00:17:09.919 --> 00:17:12.000 here we use inbound. 00:17:12.000 --> 00:17:13.600 Okay. In. 00:17:13.600 --> 00:17:15.360 Now 00:17:15.360 --> 00:17:18.000 let's check what match we have on the 00:17:18.000 --> 00:17:21.600 interface for inbound traffic. 00:17:21.600 --> 00:17:24.177 Is there any reply from Google? 00:17:30.720 --> 00:17:32.960 And there is a reply. 
00:17:32.960 --> 00:17:35.600 So we know now that the traffic not only 00:17:35.600 --> 00:17:37.760 leaves the router, but it's also coming 00:17:37.760 --> 00:17:40.160 back from Google. So the Internet in between-- 00:17:40.160 --> 00:17:43.440 Google DNS and our ISP--is okay. We 00:17:43.440 --> 00:17:45.440 received the traffic, but the 00:17:45.440 --> 00:17:47.760 computer still cannot ping that. 00:17:47.760 --> 00:17:49.200 How come? 00:17:49.200 --> 00:17:51.919 We need the ping on the computer. 00:17:51.919 --> 00:17:54.160 So what else is left? 00:17:54.160 --> 00:17:56.720 When traffic comes back 00:17:56.720 --> 00:17:58.000 to the router-- 00:17:58.000 --> 00:18:00.057 let me try to draw it here. 00:18:07.679 --> 00:18:09.039 When traffic 00:18:09.039 --> 00:18:11.919 leaves, okay, we have this traffic. 00:18:11.919 --> 00:18:14.480 It left the router, 00:18:14.480 --> 00:18:17.840 went to the ISP--not ISP, Google DNS-- 00:18:17.840 --> 00:18:20.000 and came back. And it comes here. We 00:18:20.000 --> 00:18:23.360 have this match on this interface. Now 00:18:23.360 --> 00:18:25.679 what's supposed to happen? Well, NAT will 00:18:25.679 --> 00:18:28.080 catch the traffic, will check the port 00:18:28.080 --> 00:18:30.160 translations, and will figure out--okay, 00:18:30.160 --> 00:18:32.320 that's the returning traffic for this 00:18:32.320 --> 00:18:33.760 ping. The guy's pinging from the 00:18:33.760 --> 00:18:38.400 Windows 7 machine. And now this packet--sorry-- 00:18:38.400 --> 00:18:40.320 now this packet is supposed to leave this 00:18:40.320 --> 00:18:42.400 interface, 00:18:42.400 --> 00:18:46.620 okay, to be delivered to the computer. 00:18:46.620 --> 00:18:49.679 And let's make sure that is happening. 00:18:49.679 --> 00:18:51.200 For that, 00:18:51.200 --> 00:18:53.505 what we are going to do is... 
00:18:54.320 --> 00:18:55.766 we are-- 00:18:58.559 --> 00:19:00.400 for that, we are going to check if the 00:19:00.400 --> 00:19:03.200 traffic leaves the Cisco router. 00:19:03.200 --> 00:19:05.600 Again, this is the same as we did on the 00:19:05.600 --> 00:19:07.200 outside interface. You can capture 00:19:07.200 --> 00:19:08.880 traffic if you know how to capture. If 00:19:08.880 --> 00:19:11.360 not, you can assign the interface on the 00:19:11.360 --> 00:19:13.440 address. Let's first make sure there is 00:19:13.440 --> 00:19:15.803 no access list on the router. 00:19:19.039 --> 00:19:21.195 And let's do out. 00:19:22.400 --> 00:19:25.360 There is an access list. Okay. 00:19:25.360 --> 00:19:28.360 Now, let's check what this access list has in it. 00:19:30.799 --> 00:19:33.520 Does it have any match? 00:19:33.520 --> 00:19:36.799 It doesn't. But look at this-- 00:19:36.799 --> 00:19:39.280 this subnet is not what we are expecting 00:19:39.280 --> 00:19:43.280 to have because, remember, our subnet is 00:19:43.280 --> 00:19:46.080 192.168.0.1, 00:19:46.080 --> 00:19:49.200 and here we see 2. So again, the subnet 00:19:49.200 --> 00:19:51.120 on the access list is wrong. 00:19:51.120 --> 00:19:53.084 Let's try and fix that. 00:20:06.559 --> 00:20:08.640 Now it's correct. 00:20:08.640 --> 00:20:12.080 So remember, the traffic leaves the router. 00:20:12.080 --> 00:20:15.520 So the source here is gonna be any--in 00:20:15.520 --> 00:20:17.600 our case, it's Google DNS--and the destination 00:20:17.600 --> 00:20:20.400 is our computer. So the access list order, 00:20:20.400 --> 00:20:23.360 like from any to subnet, is correct. 00:20:23.360 --> 00:20:26.400 And let's see if we can finally ping it. 00:20:29.200 --> 00:20:31.280 We still cannot ping it. 00:20:31.280 --> 00:20:32.320 Wow. 00:20:32.320 --> 00:20:34.400 Let's see what's going on. 00:20:34.400 --> 00:20:36.479 Is it leaving the interface? 00:20:41.440 --> 00:20:44.159 It is--actually, my bad. 
00:20:44.159 --> 00:20:46.320 I did 2 again. 00:20:46.799 --> 00:20:49.919 Okay, this is wrong. 00:20:52.799 --> 00:20:55.735 This is what happens when you rush. 00:20:57.360 --> 00:20:59.520 And 00:20:59.520 --> 00:21:02.000 actually--10. 00:21:02.000 --> 00:21:06.799 And then we need to do 1. 00:21:06.799 --> 00:21:09.520 Yeah. Once you remove all lines from 00:21:09.520 --> 00:21:11.120 the access list, that access list doesn't work 00:21:11.120 --> 00:21:13.200 anymore. So there's no deny any any at the 00:21:13.200 --> 00:21:16.080 end if there's no line in the access list. 00:21:16.080 --> 00:21:19.360 So as soon as we removed 10, we started 00:21:19.360 --> 00:21:21.679 pinging. And then we added the 00:21:21.679 --> 00:21:23.760 correct line here, 00:21:23.760 --> 00:21:25.810 and we can still ping it. 00:21:26.960 --> 00:21:29.120 And we have hit counts. 00:21:29.120 --> 00:21:33.840 So this is how you troubleshoot a simple, basic Cisco network. 00:21:33.840 --> 00:21:35.679 Not only Cisco networks--pretty much any 00:21:35.679 --> 00:21:38.000 network. You need to know what you're 00:21:38.000 --> 00:21:41.039 troubleshooting. You need to know how traffic goes, 00:21:41.039 --> 00:21:42.559 what gateway you're supposed to have on 00:21:42.559 --> 00:21:44.400 the computer. You need to know all the 00:21:44.400 --> 00:21:46.559 things to troubleshoot, and 00:21:46.559 --> 00:21:49.039 after several months or years, you'll 00:21:49.039 --> 00:21:50.880 have enough experience to skip some 00:21:50.880 --> 00:21:52.559 of the steps. For example, you might know 00:21:52.559 --> 00:21:54.400 the gateway 00:21:54.400 --> 00:21:56.880 on the router is correct because you 00:21:56.880 --> 00:21:58.880 connected to the router remotely and 00:21:58.880 --> 00:22:01.039 from the Internet, so the router most 00:22:01.039 --> 00:22:03.520 likely has the default gateway. 
Or you 00:22:03.520 --> 00:22:05.039 might know that 00:22:05.039 --> 00:22:07.520 the access list is not supposed to be checked 00:22:07.520 --> 00:22:09.280 on the inside device because the user told 00:22:09.280 --> 00:22:14.400 you that they can ping the IP address of the gateway. 00:22:14.400 --> 00:22:17.120 So many, many things can be skipped based 00:22:17.120 --> 00:22:19.360 on your experience. But this is from 00:22:19.360 --> 00:22:21.760 starting to the end. You check from the 00:22:21.760 --> 00:22:24.159 beginning where you have the problem. You 00:22:24.159 --> 00:22:26.559 don't check at the end if the Cisco has 00:22:26.559 --> 00:22:28.400 the Internet. First, you make sure you 00:22:28.400 --> 00:22:31.840 have everything you need to leave the 00:22:31.840 --> 00:22:34.640 area--to leave the subnet. Now, let's see 00:22:34.640 --> 00:22:38.880 if we can ping Google--the actual Google website-- 00:22:38.880 --> 00:22:40.960 directly using DNS. 00:22:40.960 --> 00:22:43.360 And we can ping. So if I go 00:22:43.360 --> 00:22:47.760 on a browser here, it'll try to open the Google website. 00:22:47.760 --> 00:22:49.870 I should be able to open it. 00:22:52.000 --> 00:22:53.440 And sure enough, 00:22:53.440 --> 00:22:57.187 I can open it. And it works. Perfect. 00:22:57.840 --> 00:23:00.480 I hope this was useful for you guys, and 00:23:00.480 --> 00:23:02.400 at some point, you'll use it. 00:23:02.400 --> 00:23:03.520 That's it. 00:23:03.520 --> 00:23:05.600 So guys, if you like these videos, please 00:23:05.600 --> 00:23:07.760 like the video and hit the subscribe 00:23:07.760 --> 00:23:09.840 button if you want to see more videos 00:23:09.840 --> 00:23:12.320 like this. Also, I'm looking for ideas on 00:23:12.320 --> 00:23:14.080 what kind of videos to create. 
So if you 00:23:14.080 --> 00:23:16.000 have any idea and you're looking for 00:23:16.000 --> 00:23:18.559 some kind of configuration on the Cisco 00:23:18.559 --> 00:23:21.360 or similar network, you can put in the 00:23:21.360 --> 00:23:23.120 comments what you want to see in the 00:23:23.120 --> 00:23:26.677 next video. Thanks for watching, and have a good one.