1
00:00:08,130 --> 00:00:14,160
This is one of the multiple videos discussing that network address translation.

2
00:00:14,240 --> 00:00:15,990
This is a troubleshooting video.

3
00:00:16,130 --> 00:00:23,720
We've been told that some hosts in the internal network are not able to access Google dot com in this

4
00:00:23,720 --> 00:00:29,040
example the companies using Google's DNS server for name resolution.

5
00:00:29,290 --> 00:00:36,430
The server's IP address is 8 8 8 8 8 which is found on the Internet in this typology.

6
00:00:36,620 --> 00:00:40,920
I'm using Janus three to simulate to this environment.

7
00:00:41,000 --> 00:00:45,710
Ratatouille is the broader that is configured for Network Address Translation.

8
00:00:45,710 --> 00:00:52,250
We've got three routers acting as hosts in our internal network and one Rodda acting as an Internet

9
00:00:52,250 --> 00:00:53,100
server.

10
00:00:53,390 --> 00:00:55,750
So let's verify what we've been told.

11
00:00:56,420 --> 00:01:01,440
One brought a one which is acting as the PC on the top left.

12
00:01:01,450 --> 00:01:04,620
Ken we paying 8 8 8 8.

13
00:01:04,690 --> 00:01:06,740
Yes we can.

14
00:01:06,770 --> 00:01:14,330
Now what about a five acting as our third PC can that ping.

15
00:01:14,490 --> 00:01:23,010
Google doesn't look like it can debug IP packet.

16
00:01:23,120 --> 00:01:26,500
It's definitely sending the packet.

17
00:01:26,730 --> 00:01:28,490
So it's sending it somewhere.

18
00:01:28,560 --> 00:01:35,640
Sure IP route this router has a default gateway to 10 1 to 3 to 5 4.

19
00:01:35,820 --> 00:01:37,560
It's going to send it to Rodda to

20
00:01:40,290 --> 00:01:51,950
to speed up trace Rondell to you that and then let's see how far it gets on all that.

21
00:01:51,960 --> 00:01:54,000
First try again.

22
00:01:54,000 --> 00:01:55,190
So it gets to 10.

23
00:01:55,260 --> 00:01:57,580
1 2 3 2 5 4.

24
00:01:57,840 --> 00:01:59,800
And then it seems to die.

25
00:02:00,180 --> 00:02:05,700
So it's sending the packet but not getting a response.

26
00:02:07,440 --> 00:02:15,930
OK so it looks like there's a problem with Nat on router to the NAT router some router ready to let's

27
00:02:15,930 --> 00:02:16,610
have a look.

28
00:02:16,620 --> 00:02:22,590
The first thing we'll do in order to debug IP not be careful doing these kind of debugs in the real

29
00:02:22,590 --> 00:02:23,610
world.

30
00:02:23,610 --> 00:02:32,530
You may get a lot of traffic in a production network overwhelm the Rodda but because as a lab we can

31
00:02:32,530 --> 00:02:33,220
do that.

32
00:02:33,250 --> 00:02:40,190
So I'll send one ping and see if anything happens with the net translations.

33
00:02:41,130 --> 00:02:54,670
It doesn't look like that's doing anything if we're a one sends a packet notice one gets translated

34
00:02:55,820 --> 00:02:58,510
it's Rato one is the PC at the top.

35
00:02:58,820 --> 00:03:04,710
When it sends a ping traffic is that it's there the pings failed.

36
00:03:04,850 --> 00:03:11,690
But here we got a reply that's because of VOP So notice there's the source traffic being netted and

37
00:03:11,690 --> 00:03:13,160
she has the reply.

38
00:03:13,570 --> 00:03:21,210
But if we sent traffic from PC five acting as our third host.

39
00:03:21,470 --> 00:03:27,350
In other words this host it looks like that doesn't take place.

40
00:03:27,350 --> 00:03:32,550
In other words it's not translating the address show IP not translation.

41
00:03:32,930 --> 00:03:37,230
These translations are all relating to host one.

42
00:03:37,310 --> 00:03:42,650
They are dynamic not translations so they will expire after a period of time.

43
00:03:42,680 --> 00:03:52,680
So we've already got one that expires but there's no entries for rather five acting as are so PC.

44
00:03:52,850 --> 00:03:55,690
And here you can see all the translations of expired.

45
00:03:56,150 --> 00:03:59,780
So let's have a look at our next configuration.

46
00:04:00,620 --> 00:04:07,770
For this post to be translated this interface needs to be configured as an insider to face and this

47
00:04:07,770 --> 00:04:10,980
interface needs to be configured as an outside interface.

48
00:04:10,980 --> 00:04:14,760
Now we've already got some hosts working so that makes the job easier.

49
00:04:15,680 --> 00:04:21,900
So we can scroll through the configuration his gigabit 00.

50
00:04:22,050 --> 00:04:24,240
So that's the host at the top here.

51
00:04:24,540 --> 00:04:26,920
My peanut inside that looks good.

52
00:04:28,550 --> 00:04:33,390
Gigabit 0 1 is the outside interface and it's configured for IP not.

53
00:04:33,770 --> 00:04:34,870
That's good.

54
00:04:36,060 --> 00:04:41,990
Gigabit 0 to the device is also working configured for IP not inside.

55
00:04:42,000 --> 00:04:48,340
This is the interface where we have the problem but it's also configured for IP inside.

56
00:04:48,510 --> 00:04:50,840
So it doesn't look like that's the problem.

57
00:04:52,500 --> 00:04:58,610
Scrolling down we see the next statement IP not inside source.

58
00:04:58,620 --> 00:05:00,210
List one.

59
00:05:00,210 --> 00:05:05,770
So this is using access list 1 and we are overloading gigabit 0 1.

60
00:05:05,820 --> 00:05:08,290
Can you see the problem.

61
00:05:08,610 --> 00:05:12,400
What's the problem in the south part.

62
00:05:12,450 --> 00:05:12,790
It is.

63
00:05:12,820 --> 00:05:21,580
It's referencing access list one access list one has a permit statement of 10 that wanted 1.0 less 24

64
00:05:22,060 --> 00:05:26,830
10 1 2 0 and then a 10 1 0 0.

65
00:05:26,950 --> 00:05:29,930
This is an inverse mosque because it's an access list.

66
00:05:30,680 --> 00:05:35,780
A zero means match a one in binary means don't match.

67
00:05:35,780 --> 00:05:45,150
So here we have a problem because the series matching 10 the series matching one and this zero is matching

68
00:05:45,360 --> 00:05:51,600
zero traffic is coming from 10 dot one dots three dots three.

69
00:05:51,600 --> 00:05:55,230
So it's not being matched by this access list.

70
00:05:55,230 --> 00:06:01,670
So we could remove the entire access list and re-edit or delete that individual line.

71
00:06:01,880 --> 00:06:08,310
But I'm simply going to say permit 10 1 3 0 with the correct mosque.

72
00:06:08,310 --> 00:06:11,370
So we've got an extra entry in our access list

73
00:06:14,870 --> 00:06:16,800
so show access list 1.

74
00:06:16,940 --> 00:06:21,430
Here are access list entries on route 5 will do.

75
00:06:21,430 --> 00:06:23,750
Ping notices now succeeded.

76
00:06:24,590 --> 00:06:34,070
That hosta was enacted because of the entry notice we got one match do that again.

77
00:06:36,050 --> 00:06:43,060
Two matches and notice here we see the actual Nat translation taking place.

78
00:06:43,090 --> 00:06:45,370
So be careful with your access lists.

79
00:06:45,370 --> 00:06:48,490
This was an example of a done Nemec not entry

80
00:06:51,170 --> 00:06:56,960
referencing access list one.

81
00:06:57,110 --> 00:07:02,930
So we had a problem in our access list where this entry was incorrectly configured.

82
00:07:03,230 --> 00:07:05,000
Notice the sequence numbers.

83
00:07:05,030 --> 00:07:08,910
So what we could do is say IP access list.

84
00:07:09,650 --> 00:07:12,040
Standard one.

85
00:07:12,410 --> 00:07:13,590
No.

86
00:07:13,820 --> 00:07:20,350
30 show IP access list.

87
00:07:20,620 --> 00:07:27,980
So line 30 has been removed and we've only got the correct entries in our access list.

88
00:07:28,050 --> 00:07:34,600
So the pinger works they was the net and we've got another match on the access list.

89
00:07:35,040 --> 00:07:36,910
So we've now solved the problem.

90
00:07:36,990 --> 00:07:40,470
These hosts can ping the Internet.

91
00:07:40,470 --> 00:07:53,370
Let's verify that serrata one can ping Google Rodda for which is this PC can ping Google and run a five

92
00:07:54,030 --> 00:07:56,340
can also Google.

93
00:07:56,390 --> 00:07:58,500
So we've successfully solved the problem.

94
00:07:58,520 --> 00:08:00,170
We verified it.

95
00:08:00,170 --> 00:08:05,870
Don't forget as always in the real world or when you have to save your configuration

96
00:08:09,000 --> 00:08:11,820
and don't forget to turn off your debugs.

97
00:08:11,820 --> 00:08:16,280
They slow Rajahs down typically an increase C.P. utilization.

98
00:08:16,290 --> 00:08:18,800
It's not a good idea to keep them running.

99
00:08:18,810 --> 00:08:22,790
So in this lab we solved a network address translation issue.

100
00:08:22,920 --> 00:08:27,740
If you enjoyed this video please like it and please subscribe to my YouTube channel.

101
00:08:27,960 --> 00:08:30,810
I wish you all the very best.