1 00:00:07,980 --> 00:00:13,800 This is one of multiple videos discussing NAT or network address translation. 2 00:00:14,070 --> 00:00:15,750 This is a troubleshooting video. 3 00:00:15,840 --> 00:00:22,980 We've been told that some hosts in the internal network are not able to access Google.com. 4 00:00:23,310 --> 00:00:28,830 In this example, the company is using Google's DNS server for name resolution. 5 00:00:29,100 --> 00:00:36,090 The server's IP address is 8.8.8.8, which is found on the Internet in this topology. 6 00:00:36,420 --> 00:00:40,170 I'm using GNS3 to simulate this environment. 7 00:00:40,800 --> 00:00:45,210 Router 2 is the router that is configured for network address translation. 8 00:00:45,450 --> 00:00:52,200 We've got three routers acting as hosts in our internal network and one router acting as an Internet 9 00:00:52,200 --> 00:00:52,890 server. 10 00:00:53,190 --> 00:00:55,590 So let's verify what we've been told. 11 00:00:56,350 --> 00:00:57,310 On Router 1, 12 00:00:59,250 --> 00:01:01,340 which is acting as the PC on the top left, 13 00:01:01,350 --> 00:01:02,640 can we ping 14 00:01:02,670 --> 00:01:04,500 8.8.8.8? 15 00:01:04,530 --> 00:01:05,670 Yes, we can. 16 00:01:06,520 --> 00:01:11,620 Now what about Router 5 acting as our third PC? 17 00:01:12,910 --> 00:01:14,890 Can that ping Google? 18 00:01:15,460 --> 00:01:17,140 Doesn't look like it can. 19 00:01:18,070 --> 00:01:20,050 Debug ip packet. 20 00:01:22,930 --> 00:01:25,240 It's definitely sending the packet. 21 00:01:26,510 --> 00:01:28,340 So it's sending it somewhere. 22 00:01:28,370 --> 00:01:29,930 Show ip route. 23 00:01:30,200 --> 00:01:35,510 This router has a default gateway to 10.1.3.254. 24 00:01:35,690 --> 00:01:37,730 It's going to send it to Router 2. 25 00:01:40,220 --> 00:01:41,570 To speed up 26 00:01:43,140 --> 00:01:43,650 traceroute, 27 00:01:43,650 --> 00:01:45,030 I'll do that. 
28 00:01:46,990 --> 00:01:49,030 And then let's see how far it gets. 29 00:01:50,550 --> 00:01:53,400 On all that first try again. 30 00:01:53,730 --> 00:01:59,610 So it gets to 10.1.3.254, and then it seems to die. 31 00:01:59,970 --> 00:02:01,800 So it's sending the packet 32 00:02:03,490 --> 00:02:05,500 but not getting a response. 33 00:02:07,310 --> 00:02:07,640 Okay. 34 00:02:07,640 --> 00:02:13,970 So it looks like there's a problem with NAT on Router 2, the NAT router. 35 00:02:14,510 --> 00:02:18,800 So in order to, let's have a look, the first thing we'll do on Router 2 is debug ip 36 00:02:18,800 --> 00:02:21,950 nat. Be careful doing these kinds of debugs 37 00:02:21,950 --> 00:02:23,180 in the real world. 38 00:02:23,300 --> 00:02:28,670 You may get a lot of traffic in a production network and overwhelm the router. 39 00:02:30,990 --> 00:02:33,120 But because this is a lab, we can do that. 40 00:02:33,120 --> 00:02:39,990 So I'll send one ping and see if anything happens with the NAT translations. 41 00:02:41,320 --> 00:02:43,970 Doesn't look like NAT's doing anything. 42 00:02:45,800 --> 00:02:47,330 If Router 1 43 00:02:48,640 --> 00:02:49,990 sends a packet, 44 00:02:51,950 --> 00:02:54,800 notice Router 1 gets translated. 45 00:02:55,870 --> 00:02:58,270 So Router 1 is the PC at the top. 46 00:02:58,540 --> 00:03:02,050 When it sends a ping, traffic is NATted. 47 00:03:02,050 --> 00:03:05,980 So there the ping failed, but here we got a reply. 48 00:03:05,980 --> 00:03:07,230 That's because of ARP. 49 00:03:08,220 --> 00:03:12,960 So notice there's the source traffic being NATted and here's a reply. 50 00:03:13,380 --> 00:03:16,320 But if we send traffic from 51 00:03:17,590 --> 00:03:20,920 PC 5 acting as our third host, 52 00:03:21,370 --> 00:03:22,690 in other words, this host, 53 00:03:24,870 --> 00:03:27,270 it looks like NAT doesn't take place. 
54 00:03:27,270 --> 00:03:29,640 In other words, it's not translating the address. 55 00:03:30,060 --> 00:03:36,870 Show ip nat translation. These translations are all relating to host one. 56 00:03:37,020 --> 00:03:42,270 They are dynamic NAT translations, so they will expire after a period of time. 57 00:03:42,390 --> 00:03:50,250 So we've already got one that expires, but there's no entries for Router 5 acting as our third 58 00:03:50,250 --> 00:03:51,090 PC. 59 00:03:52,750 --> 00:03:55,390 And yeah, you can see all the translations have expired. 60 00:03:55,930 --> 00:03:59,710 So let's have a look at our NAT configuration. 61 00:04:00,430 --> 00:04:07,480 For this host to be translated, this interface needs to be configured as an inside interface, and 62 00:04:07,480 --> 00:04:10,630 this interface needs to be configured as an outside interface. 63 00:04:10,660 --> 00:04:14,680 Now we've already got some hosts working, so that makes the job easier. 64 00:04:15,420 --> 00:04:18,209 So we can scroll through the configuration. 65 00:04:19,720 --> 00:04:21,720 Here's Gigabit 0/0. 66 00:04:21,850 --> 00:04:24,680 So that's the host at the top here, ip 67 00:04:24,710 --> 00:04:26,800 nat inside, that looks good. 68 00:04:28,450 --> 00:04:33,340 Gigabit 0/1 is the outside interface and it's configured for ip nat outside. 69 00:04:33,490 --> 00:04:34,750 That's good. 70 00:04:35,950 --> 00:04:37,420 Gigabit 0/2. 71 00:04:37,450 --> 00:04:39,220 This device is also working. 72 00:04:39,220 --> 00:04:41,140 Configured for ip nat inside. 73 00:04:41,800 --> 00:04:49,120 This is the interface where we have the problem, but it's also configured for ip nat inside, so it doesn't 74 00:04:49,120 --> 00:04:50,770 look like that's the problem. 75 00:04:52,310 --> 00:04:59,600 Scrolling down we see the NAT statement, ip nat inside source list 1. 76 00:04:59,990 --> 00:05:05,300 So this is using access list 1 and we are overloading Gigabit 0/1. 
77 00:05:05,390 --> 00:05:08,000 Now, can you see the problem? 78 00:05:08,390 --> 00:05:11,360 What's the problem in this output? 79 00:05:12,360 --> 00:05:20,940 Notice it's referencing access list 1. Access list 1 has a permit statement of 10.1.1.0 slash 80 00:05:20,940 --> 00:05:26,420 24, 10.1.2.0, and then a 10.1.0.0. 81 00:05:26,730 --> 00:05:29,790 This is an inverse mask because it's an access list. 82 00:05:30,580 --> 00:05:35,110 A zero means match, a one in binary means don't match. 83 00:05:35,560 --> 00:05:40,360 So here we have a problem because the zero is matching ten. 84 00:05:41,200 --> 00:05:46,180 This zero is matching one and this zero is matching zero. 85 00:05:46,600 --> 00:05:51,220 Traffic is coming from 10.1.3.3. 86 00:05:51,310 --> 00:05:54,340 So it's not being matched by this access list. 87 00:05:55,000 --> 00:06:01,270 So we could remove the entire access list and re-edit it or delete that individual line. 88 00:06:01,660 --> 00:06:08,230 But I'm simply going to say permit 10.1.3.0 with the correct mask. 89 00:06:08,230 --> 00:06:11,440 So we've got an extra entry in our access list. 90 00:06:14,700 --> 00:06:21,750 So show access list 1. Here are our access list entries. On Router 5 we'll do a ping. 91 00:06:21,750 --> 00:06:23,730 Notice it now succeeded. 92 00:06:24,460 --> 00:06:29,590 That host was NATted because of this entry. 93 00:06:30,460 --> 00:06:32,170 Notice we got one match. 94 00:06:32,770 --> 00:06:33,940 Do that again. 95 00:06:35,890 --> 00:06:37,060 Two matches. 96 00:06:37,710 --> 00:06:42,570 And notice here we see the actual NAT translation taking place. 97 00:06:42,930 --> 00:06:45,130 So be careful with your access lists. 98 00:06:45,150 --> 00:06:48,630 This was an example of a dynamic NAT entry 99 00:06:50,970 --> 00:06:53,070 referencing access list 1. 100 00:06:56,950 --> 00:07:02,830 So we had a problem in our access list where this entry was incorrectly configured. 
101 00:07:02,980 --> 00:07:04,730 Notice the sequence numbers. 102 00:07:04,750 --> 00:07:13,330 So what we could do is say ip access-list standard 1, no 103 00:07:13,660 --> 00:07:14,440 30. 104 00:07:15,750 --> 00:07:20,010 Show ip access list. 105 00:07:20,370 --> 00:07:22,440 So line 30 has been removed. 106 00:07:22,800 --> 00:07:26,700 And we've only got the correct entries in our access list. 107 00:07:27,880 --> 00:07:29,260 So the ping works. 108 00:07:29,260 --> 00:07:30,550 There was the NAT. 109 00:07:31,210 --> 00:07:34,450 And we've got another match on the access list. 110 00:07:34,810 --> 00:07:36,670 So we've now solved the problem. 111 00:07:36,790 --> 00:07:39,610 These hosts can ping the Internet. 112 00:07:40,270 --> 00:07:41,690 Let's verify that. 113 00:07:41,690 --> 00:07:42,130 So Router 114 00:07:42,130 --> 00:07:51,370 1 can ping Google. Router 4, which is this PC, can ping Google. 115 00:07:52,310 --> 00:07:55,250 And Router 5 can also ping Google. 116 00:07:56,160 --> 00:07:58,410 So we've successfully solved the problem. 117 00:07:58,410 --> 00:07:59,580 We verified it. 118 00:08:00,030 --> 00:08:06,000 Don't forget, as always, in the real world or in your lab to save your configuration. 119 00:08:08,760 --> 00:08:11,580 And don't forget to turn off your debugs. 120 00:08:11,610 --> 00:08:16,050 They slow routers down typically, and increase CPU utilization. 121 00:08:16,080 --> 00:08:18,390 It's not a good idea to keep them running. 122 00:08:18,600 --> 00:08:22,380 So in this lab we solved a network address translation issue. 123 00:08:22,740 --> 00:08:27,690 If you enjoyed this video, please like it and please subscribe to my YouTube channel. 124 00:08:27,780 --> 00:08:29,760 I wish you all the very best.