CCNA – NAT & PAT Questions
Here you will find answers to NAT & PAT Questions
Note: If you are not sure about NAT & PAT, please read my NAT tutorial.
Question 1
Refer to the exhibit. What does the (*) represent in the output?
02:16:29: NAT: s=10.10.0.2->1.2.4.2, d=1.2.4.1 [51607]
02:16:29: NAT: s=1.2.4.1, d=1.2.4.2->10.10.0.2 [55227]
62:16:29: NAT*: s=10.10.0.2->1.2.4.2, d=1.2.4.1 [51608]
02:16:29: NAT*: s=10.10.0.2->1.2.4.2, d=1.2.4.1 [51609]
A. Packet is destined for a local interface to the router.
B. Packet was translated, but no response was received from the distant device.
C. Packet was not translated, because no additional ports are available.
D. Packet was translated and fast switched to the destination.
Answer: D
Explanation
The above output is from the “debug ip nat” command. In this output, the first two lines show the Domain Name System (DNS) request and reply debugging output.
In the first line (DNS request):
s=10.10.0.2->1.2.4.2: the source IP address of the packet (10.10.0.2) and the address it is translated to (1.2.4.2)
d=1.2.4.1: the destination address of the packet
[51607]: the IP identification number of the packet
In the second line (DNS reply):
s=1.2.4.1: source of the reply
d=1.2.4.2->10.10.0.2: how the destination is being translated
The remaining lines show debugging output from a Telnet connection from a host on the inside of the network to a host on the outside of the network. All Telnet packets, except for the first packet, were translated in the fast path, as indicated by the asterisk (*).
Note: If the connection is already established, the security appliance does not need to re-check packets and the packets are sent to the Fast Path.
(Reference: http://www.cisco.com/en/US/docs/ios/12_3t/debug/command/reference/dbg_i2gt.html)
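The fields described above (the `s=`/`d=` addresses, the `->` translation arrow, the bracketed IP identification number and the `*` fast-path marker) have a regular enough shape that they can be parsed from a captured `debug ip nat` log. The following is an added example, not code from this page or from Cisco: a small Python parser that turns each debug line into a record and reports which packets were fast switched. The sample input is the four lines of the Question 1 exhibit, embedded as a constructed string; the field names and the `direction` classification (source rewritten means inside to outside, destination rewritten means a reply coming back in) are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the four "debug ip nat" lines from the Question 1 exhibit.
DEBUG_IP_NAT_OUTPUT = """\
02:16:29: NAT: s=10.10.0.2->1.2.4.2, d=1.2.4.1 [51607]
02:16:29: NAT: s=1.2.4.1, d=1.2.4.2->10.10.0.2 [55227]
62:16:29: NAT*: s=10.10.0.2->1.2.4.2, d=1.2.4.1 [51608]
02:16:29: NAT*: s=10.10.0.2->1.2.4.2, d=1.2.4.1 [51609]
"""

# One debug line: <timestamp>: NAT or NAT*: s=<addr>[-><addr>], d=<addr>[-><addr>] [<ip-id>]
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}): NAT(?P<fast>\*)?: "
    r"s=(?P<src>[^,\s]+), d=(?P<dst>\S+) \[(?P<ident>\d+)\]$"
)


@dataclass
class NatDebugLine:
    timestamp: str
    fast_switched: bool   # True when the line reads "NAT*" (translated in the fast path)
    src_before: str
    src_after: str        # equals src_before when the source address was not rewritten
    dst_before: str
    dst_after: str        # equals dst_before when the destination was not rewritten
    ip_id: int            # the IP identification number shown in square brackets

    @property
    def direction(self) -> str:
        # A rewritten source is an inside->outside packet; a rewritten destination is the reply.
        if self.src_before != self.src_after:
            return "inside->outside"
        if self.dst_before != self.dst_after:
            return "outside->inside"
        return "untranslated"


def _split_translation(field: str):
    """'a->b' becomes (a, b); a bare address 'a' becomes (a, a)."""
    before, arrow, after = field.partition("->")
    return (before, after) if arrow else (before, before)


def parse_nat_debug_line(line: str) -> Optional[NatDebugLine]:
    m = LINE_RE.match(line.strip())
    if m is None:
        return None   # not a NAT debug line (other debug output, blank line, ...)
    s_before, s_after = _split_translation(m["src"])
    d_before, d_after = _split_translation(m["dst"])
    return NatDebugLine(m["ts"], m["fast"] is not None,
                        s_before, s_after, d_before, d_after, int(m["ident"]))


def parse_nat_debug(text: str) -> List[NatDebugLine]:
    parsed = (parse_nat_debug_line(line) for line in text.splitlines())
    return [p for p in parsed if p is not None]


def count_fast_switched(lines: List[NatDebugLine]) -> int:
    """How many packets carried the asterisk, i.e. were translated in the fast path."""
    return sum(1 for entry in lines if entry.fast_switched)


if __name__ == "__main__":
    for entry in parse_nat_debug(DEBUG_IP_NAT_OUTPUT):
        path = "fast path" if entry.fast_switched else "process switched"
        print(f"{entry.timestamp} id={entry.ip_id} {entry.direction:<15} "
              f"{entry.src_before}->{entry.src_after} => "
              f"{entry.dst_before}->{entry.dst_after} ({path})")
```

Run on the exhibit, the parser reports the first packet of the inside-to-outside flow as process switched and the two that follow as fast switched, which is exactly what the asterisk in answer D denotes.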
Question 2
Refer to the exhibit. What command sequence will enable PAT from the inside to outside network?
ip nat pool isp-net 1.2.4.10 1.2.4.240 netmask 255.255.255.0
!
interface ethernet 1
 description ISP Connection
 ip address 1.2.4.2 255.255.255.0
 ip nat outside
!
interface ethernet 0
 description Ethernet to Firewall eth0
 ip address 10.10.0.1 255.255.255.0
 ip nat inside
!
access-list 1 permit 10.0.0.0 0.255.255.255
A. (config)# ip nat pool isp-net 1.2.4.2 netmask 255.255.255.0 overload
B. (config-if)# ip nat outside overload
C. (config)# ip nat inside source list 1 interface ethernet1 overload
D. (config-if)# ip nat inside overload
Answer: C
Explanation
The command “ip nat inside source list 1 interface ethernet1 overload” means:
+ “ip nat”: use NAT
+ “inside”: NAT from inside to outside
+ “source list 1”: the source addresses can be found in access list 1
+ “interface ethernet1”: NAT out of this interface
+ “overload”: use NAT overload (PAT)
Question 3
Refer to the exhibit. A junior network engineer has prepared the exhibited configuration file. What two statements are true of the planned configuration for interface fa0/1? (Choose two)
A. The two FastEthernet interfaces will require NAT configured on two outside serial interfaces.
B. Address translation on fa0/1 is not required for DMZ Devices to access the Internet.
C. The fa0/1 IP address overlaps with the space used by s0/0.
D. The fa0/1 IP address is invalid for the IP subnet on which it resides.
E. Internet hosts may not initiate connections to DMZ Devices through the configuration that is shown.
Answer: B E
Explanation
Both inside FastEthernet interfaces can use only one outside interface to go to the Internet -> A is not correct.
DMZ devices use IP addresses in the range of 128.107.1.128/25 which are public IP addresses so they don’t need address translation to access the Internet -> B is correct.
The fa0/1 interface’s IP address is 128.107.1.254 255.255.255.128 (range from 128.107.1.128 to 128.107.1.255) while the IP address of s0/0 is 128.107.1.1 255.255.255.252 (range from 128.107.1.0 to 128.107.1.4), so the two subnets do not overlap -> C is not correct.
DMZ devices are in the range of 128.107.1.128/25 (from 128.107.1.128 to 128.107.1.255) and fa0/1 IP address (128.107.1.254) is a valid IP address on this subnet -> D is not correct.
DMZ devices (and other internal hosts) are using dynamic PAT, which is a type of dynamic NAT. With dynamic NAT, translations do not exist in the NAT table until the router receives traffic that requires translation. In other words, if DMZ devices communicate with outside hosts first, dynamic translation works fine. But if outside hosts communicate with DMZ devices first, no translation is created in NAT table and the packets will be dropped. This is the reason why “Internet hosts may not initiate connections to DMZ Devices through the configuration that is shown” -> E is correct.
Question 4
Refer to the exhibit. What statement is true of the configuration for this network?
A. The configuration that is shown provides inadequate outside address space for translation of the number of inside addresses that are supported.
B. Because of the addressing on interface FastEthernet0/1, the Serial0/0 interface address will not support the NAT configuration as shown.
C. The number 1 referred to in the ip nat inside source command references access-list number 1.
D. ExternalRouter must be configured with static routes to network 172.16.2.0/24
Answer: C
Explanation
The “list 1” refers to the access-list number 1.
Question 5
What are two benefits of using NAT? (choose two)
A. NAT protects network security because private networks are not advertised.
B. NAT accelerates the routing process because no modifications are made on the packets.
C. Dynamic NAT facilitates connections from the outside of the network.
D. NAT facilitates end-to-end communication when IPsec is enabled.
E. NAT eliminates the need to re-address all hosts that require external access.
F. NAT conserves addresses through host MAC-level multiplexing.
Answer: A E
Explanation
By not revealing the internal IP addresses, NAT adds some security to the inside network -> A is correct.
NAT has to modify the source IP addresses in the packets -> B is not correct.
Connecting from the outside to a network behind NAT is more difficult than to a network without NAT, because the IP addresses of the inside hosts are hidden -> C is not correct.
In order for IPsec to work with NAT we need to allow additional protocols, including Internet Key Exchange (IKE), Encapsulating Security Payload (ESP) and Authentication Header (AH) -> more complex -> D is not correct.
By allocating specific public IP addresses to inside hosts, NAT eliminates the need to re-address the inside hosts -> E is correct.
NAT does conserve addresses but not through host MAC-level multiplexing. It conserves addresses by allowing many private IP addresses to use the same public IP address to go to the Internet -> F is not correct.
Question 6
Which two statements about static NAT translations are true? (choose two)
A. They are always present in the NAT table.
B. They allow connection to be initiated from the outside.
C. They can be configured with access lists, to allow two or more connections to be initiated from the outside.
D. They require no inside or outside interface markings because addresses are statically defined.
Answer: A B
Explanation
With static NAT, translations exist in the NAT translation table as soon as you configure static NAT command(s), and they remain in the translation table until you delete the static NAT command(s).
With dynamic NAT, translations do not exist in the NAT table until the router receives traffic that requires translation. Dynamic translations have a timeout period after which they are purged from the translation table.
-> A is correct.
Because static NAT translations are always present in the NAT table so outside hosts can initiate the connection without being dropped -> B is correct.
Static translations cannot be configured with access lists. To configure static NAT, we only need to specify the source IP, the NAT IP, and the inside and outside interfaces.
-> C is not correct.
We have to specify which is the inside and outside interface -> D is not correct.
For your information, below is an example of configuring static NAT:
R0(config)#int f0/0
R0(config-if)#ip nat inside
R0(config-if)#int f0/1
R0(config-if)#ip nat outside
R0(config)#ip nat inside source static 10.0.0.1 200.0.0.2
(Reference: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml)
Question 7
Refer to the exhibit. Which statement about packet addresses is true during the data exchange when host A makes a web request to the WWW Server, given that a NAT overload scheme is in use for data passing from Corp LAN hosts to outside networks?
A. Source 234.15.27.226:3015 and destination 234.15.27.225:80
B. Source 200.15.239.128:3015 and destination 192.168.10.34:80
C. Destination 192.168.10.11:3015 and source 200.15.239.128:80
D. Source 192.168.10.34:80 and destination 192.168.10.254:3015
E. Destination 234.15.27.225:3015 and source 200.15.239.128:80
Answer: E
Explanation
From A to Corp router:
+ Source: 192.168.10.34:3015 & Destination: 200.15.239.128:80
From Corp to WWW Server:
+ Source: 234.15.27.225:3015 & Destination: 200.15.239.128:80
From WWW Server to Corp:
+ Source: 200.15.239.128:80 & Destination: 234.15.27.225:3015
From Corp to Host A:
+ Source: 200.15.239.128:80 & Destination: 192.168.10.34:3015
So the only correct answer is E (from WWW server to Corp)
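The four hops above, and the difference between static and dynamic entries that decides Questions 3 and 6 (a dynamic or overload entry exists only after an inside host has sent traffic, so an outside host that speaks first has nothing to match and its packet is dropped; a static entry is present from the moment it is configured), can be shown with a small model. This is an added example, not code from this page or from Cisco IOS: a hypothetical Python `PatRouter` class that keeps a dynamic PAT table keyed by inside local ip:port, an optional static table, and rewrites only the source on the way out and only the destination on the way back, leaving the outside host's address (the Outside Global address) untouched in both directions. The host, server and inside global addresses are the ones from Question 7; the outside host 203.0.113.9 and the static mapping 192.168.10.50 -> 234.15.27.230 are constructed for the example. It also shows one thing the explanation does not, the port rewrite PAT performs when a second inside host happens to use the same source port.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, L4 port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint


@dataclass
class PatRouter:
    """Constructed model of a router doing NAT overload (PAT) on one inside global address,
    plus optional static entries. Hypothetical code, not an IOS implementation."""
    inside_global: str
    # dynamic entries, created only when an inside host sends traffic out
    out_table: Dict[Endpoint, Endpoint] = field(default_factory=dict)  # inside local -> inside global
    in_table: Dict[Endpoint, Endpoint] = field(default_factory=dict)   # inside global -> inside local
    # static entries, present as soon as they are configured (ip nat inside source static L G)
    static_out: Dict[str, str] = field(default_factory=dict)           # inside local ip -> inside global ip
    static_in: Dict[str, str] = field(default_factory=dict)            # inside global ip -> inside local ip
    next_port: int = 1024

    def add_static(self, inside_local_ip: str, inside_global_ip: str) -> None:
        self.static_out[inside_local_ip] = inside_global_ip
        self.static_in[inside_global_ip] = inside_local_ip

    def _allocate_port(self, wanted: int) -> int:
        # PAT keeps the original source port when it is still free on the global address,
        # otherwise it picks another one so two inside hosts never share an (ip, port) pair.
        if (self.inside_global, wanted) not in self.in_table:
            return wanted
        while (self.inside_global, self.next_port) in self.in_table:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def inside_to_outside(self, pkt: Packet) -> Packet:
        """Rewrite the source of an outbound packet; the destination is left alone."""
        if pkt.src[0] in self.static_out:
            return Packet((self.static_out[pkt.src[0]], pkt.src[1]), pkt.dst)
        if pkt.src not in self.out_table:           # first packet of the flow creates the entry
            g = (self.inside_global, self._allocate_port(pkt.src[1]))
            self.out_table[pkt.src] = g
            self.in_table[g] = pkt.src
        return Packet(self.out_table[pkt.src], pkt.dst)

    def outside_to_inside(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination of an inbound packet; the source (the outside host) is left alone.
        Returns None when no translation exists, which is the case the router drops."""
        if pkt.dst in self.in_table:
            return Packet(pkt.src, self.in_table[pkt.dst])
        if pkt.dst[0] in self.static_in:
            return Packet(pkt.src, (self.static_in[pkt.dst[0]], pkt.dst[1]))
        return None


def trace_web_request(router: PatRouter, host: Endpoint, server: Endpoint) -> List[Optional[Packet]]:
    """The four hops of Question 7: host->router, router->server, server->router, router->host."""
    request = Packet(host, server)
    on_the_wire = router.inside_to_outside(request)
    reply = Packet(server, on_the_wire.src)       # the server answers the inside global address
    delivered = router.outside_to_inside(reply)
    return [request, on_the_wire, reply, delivered]


if __name__ == "__main__":
    corp = PatRouter(inside_global="234.15.27.225")
    hops = trace_web_request(corp, ("192.168.10.34", 3015), ("200.15.239.128", 80))
    for label, pkt in zip(("A -> Corp", "Corp -> WWW", "WWW -> Corp", "Corp -> A"), hops):
        print(f"{label:<12} src={pkt.src[0]}:{pkt.src[1]}  dst={pkt.dst[0]}:{pkt.dst[1]}")
    # An outside host (constructed address 203.0.113.9) trying to open a connection first:
    unsolicited = Packet(("203.0.113.9", 4444), ("234.15.27.225", 80))
    print("unsolicited inbound, dynamic PAT only:", corp.outside_to_inside(unsolicited))
    corp.add_static("192.168.10.50", "234.15.27.230")   # constructed static mapping
    print("inbound to a static entry:",
          corp.outside_to_inside(Packet(("203.0.113.9", 4444), ("234.15.27.230", 80))))
```

The fourth hop comes back as source 200.15.239.128:80 and destination 192.168.10.34:3015, which is why the server's address, not the router's inside interface, is what host A sees in the reply; the unsolicited packet returns `None` (dropped) until a static entry for its destination exists.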
@ 9tut prefix length 19 question on nat.does not understand it.can you explain please
Hi 9tut… Hi Guys! Can you please help me… I will take exam this Feb. Please send me latest dump so that I will have an idea for the exam.. rico.blake@ymail.com
Thanks Guys!
I passed the exam on 1st February 2012, and I just want to thank all of you who contributed on the site (especially 9tut) for doing this excellent job! I couldn’t have done it without you all and I am extremely grateful !!
95% of all questions came from this site and “Cisco.Acme.640-802.v2011-07-09.by.Collisio.486q” vce.
VTP, ACL2 and EIGRP 122 were simulations with different numbers of course, there was one question about routing protocols and their metric, one was about ARP protocol and “sh ip arp” command (understand local interfaces of router and IP-MAC pairs on networking devices).
There was one question regarding “ip nat inside” command on interface of router-on-a-stick configuration. Should command be set on interface or on a subinterfaces for specific VLANs.
I do not know correct answer but believe it is set on interface of a router. Please correct me if I am wrong..
Thank you again and good luck to you all !!
hi boja, the answer is correct its set on the interface, as ip nat inside/outside is to label the interface, as interface should be acting as what…
anywaz congratz!
Hi, can anybody pls explain me about this ” prefix-length”
ip nat pool mynats 1.1.128.1 1.1.135.254 prefix-length 19
@ mano
u can use
ip nat pool mynats 1.1.128.1 1.1.135.254 prefix-length 19
**prefix-length = / **
ip nat pool mynats 1.1.128.1 1.1.135.254 /19
or
ip nat pool mynats 1.1.128.1 1.1.135.254 netmask 255.255.224.0
Thank You Ahmad,
I passed CCNA today.
Thank you again.
Can Someone please send me the latest dump, i am going to take the exam next week.
Romeo_bahrain@hotmail.com
thanks
my exam on monday , please explain Q3
If out side hosts will try to communicate to DMZ , there is no NAT in the this direction. also DMZ are public ip addresses , why the packets will be dropped.
@ Irfan – I think it is due to the dynamic NAT. When using dynamic NAT, there will be no translation in NAT table.
We need to have a static mapping (outside) for every DMZ/internal serval we want to have reachable from the internet.
Please correct, if its wrong!
@9tut
regarding Q7
From Corp to Host A:
+ Source: 192.168.10.254:80 & Destination: 192.168.10.34:3015
shouldn’t it be:
Source: 200.15.239.128:80 & Destination: 192.168.10.34:3015
I don’t understand why do we change source IP address?
@9tut @Xallax: Regarding Q.3: DMZ and internet both have public address scheme..so how the internet user may not initiate the connection to DMZ??
can you explain please?? I think that there is a command ip nat inside on DMZ interface?? but that could be the problem or not??
@arpit
there is no “permit any 128.107.1.128 0.0.0127″
even if they are dmz devices they still have to send and receive through the router
In the Question no : 1 How they are saying first two lines show the Domain Name System (DNS) request ; If so how need to identify
nice explanation for Q. no. 7.
Thankyou 9tut.
http://www.examcollection.com/cisco/Cisco.Acme.640-802.v2012-02-07.by.Arpit.486q.vce.file.html
Most Valid Dump.. All most 99% answers are correct.
If you’ve failed and retook the ccna test, What are the questions geared on the 2nd time around? ANYONE KNOW?
for question 2, is it possible to overload an “interface” when we are using PAT with pool of adresses ?
I thought “ip nat inside source list 1 interface ethernet1 overload” is only used when we want to overload one public IP with multiple private ones – so the answer would be “ip nat inside source list 1 pool isp-net overload”
By Refer to the exhibit ,
02:16:29: NAT: s=10.10.0.2->1.2.4.2, d=1.2.4.1 [51607]
02:16:29: NAT: s=1.2.4.1, d=1.2.4.2->10.10.0.2 [55227]
62:16:29: NAT*: s=10.10.0.2->1.2.4.2, d=1.2.4.1 [51608]
02:16:29: NAT*: s=10.10.0.2->1.2.4.2, d=1.2.4.1 [51609]
How they are saying this as a Domain Name System (DNS) request and reply debugging output, Please clarify me
By Refer to the exhibit ,
02:16:29: NAT: s=10.10.0.2->1.2.4.2, d=1.2.4.1 [51607]
02:16:29: NAT: s=1.2.4.1, d=1.2.4.2->10.10.0.2 [55227]
62:16:29: NAT*: s=10.10.0.2->1.2.4.2, d=1.2.4.1 [51608]
02:16:29: NAT*: s=10.10.0.2->1.2.4.2, d=1.2.4.1 [51609]
@9tut, How they are saying this as a Domain Name System (DNS) request and reply debugging output, Please clarify me
@Ramanan
i think 9tut is wrong in that explanation coz they saw that statement on cisco.com and copy paste it directly.for q 1 there is no DNS request and reply and in cisco.com’s example there was a DNS request and reply.
please 9tut correct the statement since there is no DNS request and reply
@9Tut
i think u are also wrong in your explanation for Q7
“From Corp to Host A:
+ Source: 192.168.10.254:80 & Destination: 192.168.10.34:3015″.the outside local and outside global address is the same for that instance hence the address from corp to host a should be :Source:200.15.239.128:80 & Destination: 192.168.10.34:3015
@boja and CCNA
for the ip nat inside labeling for specific it should be configured on the subinterface not on the interface.checked it on PT.
@annyaddis
Q1:
i don’t see any website names in there so there’s no need for DNS.
the asterisk means the router already knew what to do with the packet and it sent it out on its way as fast as possible (D is correct)
Q7
we are told that NAT is in use here. NAT makes the router open a port that will represent the LAN device to the outside world.
packets with private IP addresses as source/destination are filtered out instantly on the internet.
the very first ISP router that routes them (the ISP router in this case) will drop 10.0.0.0/8, 172.16.0.0/16, 192.168.0.0/16 and anything beyond 224.0.0.0/8 that comes from the distribution layer (to avoid any routing protocol issues).
please take into consideration that the flow can be reversed, from the WWW server back to the host on that LAN that benefits from NAT. answer E is correct.
cheers
i agree the answers for both Qs are correct but the explanations: “In this output, the first two lines show the Domain Name System (DNS) request and reply debugging output.” and “From Corp to Host A: + Source: 192.168.10.254:80 & Destination: 192.168.10.34:3015” are not correct.
Please watch the above explanations once again.
@annyaddis
ok, i get it that Q1′s explanation is erroneous. what’s wrong with Q7′s?
sorry for arguing with you, i wanna understand too :)
hello
Can you please explain why they choose this:” prefix-length 19” I know that /19 = 255.255.224.0
From what ip address they use to get that mask
ip nat pool mynats 1.1.128.1 1.1.135.254 prefix-length 19
the ip address are
inside global inside local
1.1.128.1 10.18.14.90
1.1.129.107 10.18.14.91
…. ……
1.1.135.174 10.20.122.240
I was given a topology with router connected to 3 LANs on its 3 interfaces and the 4th interface was connected to ISP. The question was that the ‘ip nat inside’ command should be given to how many interfaces of router?
The options were A)1 B)2 C)3 or D)4
I have the same doubts of the @cp.
someone explain?
Q7 is backwards lol
I think the second line of the question 1 Nat output should be
02:16:29: NAT: s=1.2.4.1, d=10.10.0.2->1.2.4.2 [55227]
Not
02:16:29: NAT: s=1.2.4.1, d=1.2.4.2->10.10.0.2 [55227]
Because
s=1.2.4.1: source of the reply
d=10.10.0.2->1.2.4.2: shows how the destination is being translated
Thank you and hope I am right?
@Mohit
I believe the answer is 4 if it has one int configured with 2 subinterfaces otherwise it’s 3
@CP yeh I know… I’m confused on that also
thanks — this is more detailed — all of these comments have helped
@xallax and @9tut
Q7 – the others who have pointed this out before me are right and the last part of the explanation given is WRONG. Whilst it is true that NAT can work in the opposite direction (outside to inside), in this case the Outside Global address remains unaffected on the return destination through the NAT router to the host.
So, the following is INCORRECT,
From Corp to Host A:
+ Source: 192.168.10.254:80 & Destination: 192.168.10.34:3015
it should read:
From Corp to Host A:
+ Source: 200.15.239.128:80 & Destination: 192.168.10.34:3015
In the case of this translation, the Outside Local address (the address of the External host which is seen in the Internal Network) = Outside Global Address
If the former where true, we would not see the Outside Global address of the web server show in the hosts ‘netstat’ command output. Remember – the Host INITIATED the request to the Web Server. It has no idea that the request has to be NAT’ed and would not understand a request coming back from a source IP on the internal interface of the router.
If you don’t believe me, simply open the NAT SIM from this very site in packet tracer, run a simulation and ping the external router – watch what happens to the packet on its return path.
Further, run the “sh ip nat translations” command on the ‘Weaver’ Router after a ping from a host to the external router and you will see what I mean.
FYI – Output from the “sh ip nat translations” command from the NAT2 SIM
Weaver#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 198.18.184.105:1 192.168.100.18:1 192.0.2.114:1 192.0.2.114:1
icmp 198.18.184.105:2 192.168.100.18:2 192.0.2.114:2 192.0.2.114:2
icmp 198.18.184.105:3 192.168.100.18:3 192.0.2.114:3 192.0.2.114:3
icmp 198.18.184.105:4 192.168.100.18:4 192.0.2.114:4 192.0.2.114:4
I am taking the ccna in 3 weeks and am looking for the latest ccna dumps/ Can someone at 9tut send them to dnheald@gmail.com. thanks
@xallax and @9tut
I agree with Anonymous and everyone that is saying that the last statement of the explanation for Q7 is incorrect.
From Corp to Host A:
+ Source: 192.168.10.254:80 & Destination: 192.168.10.34:3015
I want to emphasize that I totally agree with the answer of Q7 and that I understand where is coming from, I just think the last statement of the explanation should be
From Corp to Host A:
+ Source: 200.15.239.128:80 & Destination: 192.168.10.34:3015
Why:
1 – Host A initiates a web request
2 – Web request uses HTTP that is encapsulated in TCP using port 80
3 – VERY IMPORTANT: TCP protocol uses 3way-handshake to establish a connection
4 – Host A sends a SYN expecting to receive SYN-ACK from WWW Server 200.15.239.128
5 – But according to explanation, as the reply from WWW Server leaves the Corp Router the source ip address changed to 192.168.10.254:80 which is the ip assigned to the interface of Corp Router.
6 – Host A will receive this packet and be like: “hey, what the hell is this SYN-ACK packet coming from 192.168.10.254:80″ “wait shouldn’t be the SYN-ACK coming from 200.15.239.128 which is the address of the web server that I requested? ” :-)
7 – As a result no connection will be established
8 – As the reply from web server is traveling back to reach HostA the source address 200.15.239.128:80 should never be changed.
I really hope you could understand my point.
This is an interesting discussion. Please reply back. I’m always open to the possibility of being wrong. Best regards from Costa Rica Pura Vida !!!!!!
@Anonymous, @Danilin: Yes, it is a mistake. The last packet should have
Source: 200.15.239.128:80 & Destination: 192.168.10.34:3015
Thanks for your detection. I updated it!
In Q 3 why the packets will be dropped as per the explanation given for option E ??? Why the packets won’t be forwarded directly to the host in DMZ network without any translation??? Please somebody explain to me.
Hi All, does anyone have the latest dumps? If so could you please send to:
Colinaevans@hotmail.co.uk
Thanks in advance :)
@Aniruddha, re Q3
E. Internet hosts may not initiate connections to DMZ Devices through the configuration that is shown.
E is correct because of the command “ip nat inside source list 1 interface serial0/0 overload” command. All inside and DMZ packets are natted to 128.107.1.1. Outside networks will only see packets from the 128.107.1.1 address and all the 128.107.1.128-254 are hidden behind the 128.107.1.1 address therefore no outside hosts can initiate packets sent directly to the public addressed DMZ network
I hope this helps your understanding.
Q&7 is confusing — the wording of the question and what is it that they really want
I half way understand it ===not sure what I will do if I see it on test
9tut — will you please update your explanation of q7?
q3 pls can any one tell me what is required to be configured inorder internet host to access DMZ device
Hi all, I am taking CCNA 640-802 exam first time on 30/05/2012. Could anyone please send me latest dumps which are valid for UK? My e-mail address is puneet_gill84@yahoo.co.uk. Many thanks.
Hi 9tut and xallax,
Please help me with the question below.
http://i50.tinypic.com/1fiqgn.gif
how come the answer is D.
thanks in advance.
@jay
that question was incorrectly copied :)
please read Q9 from http://www.9tut.com/ccna-operations
cheers
Q7 — I find the wording of the question to be a bit odd. The first time I read it — I did not know what the question was asking. Thanks 9tut — without your explanations — I would be lost by some of these questions
@geedub
Re Q7 – The question
” Which statement about packet addresses are true during data exchange when host A makes Web-request to WWW Server, considering that there is NAT overload scheme for data passing from Corp LAN hosts to outside networks in use?”
Is asking what are the correct NAT translations happening when host 192.168.10.34 communicates with server 200.15.239.128 via WWW (80).
Since the NAT Overload is being used, host 192.168.10.34 is using port 3015 and this will be natted to 234.15.27.225:3015 so the communication from host to server will be:
Src 234.15.27.225:3015 >>>> Dest 200.15.239.128:80
Server reply response will be:
Src 200.15.239.128:80 >>>>> Dest 234.15.27.225:3015
Therefore E is the only answer that agrees to the above.
Hope this helps.
Thanks xallax.