
CCNA – NAT & PAT Questions

February 28th, 2011

Here you will find answers to NAT & PAT Questions

Note: If you are not sure about NAT & PAT, please read my NAT tutorial.

Question 1

Refer to the exhibit. What does the (*) represent in the output?

02:16:29: NAT: s=10.10.0.2->1.2.4.2, d=1.2.4.1 [51607]
02:16:29: NAT: s=1.2.4.1, d=1.2.4.2->10.10.0.2 [55227]
02:16:29: NAT*: s=10.10.0.2->1.2.4.2, d=1.2.4.1 [51608]
02:16:29: NAT*: s=10.10.0.2->1.2.4.2, d=1.2.4.1 [51609]

A. Packet is destined for a local interface to the router.
B. Packet was translated, but no response was received from the distant device.
C. Packet was not translated, because no additional ports are available.
D. Packet was translated and fast switched to the destination.


Answer: D

Explanation

The above output is from the “debug ip nat” command. In this output, the first two lines show the Domain Name System (DNS) request and reply debugging output.

In the first line (DNS request):

s=10.10.0.2->1.2.4.2: source IP address of the packet (10.10.0.2) and how it is being translated (to 1.2.4.2)
d=1.2.4.1: destination address of the packet
[51607]: the IP identification number of the packet

In the second line (DNS reply):

s=1.2.4.1: source of the reply
d=1.2.4.2->10.10.0.2: how the destination is being translated

The remaining lines show debugging output from a Telnet connection from a host on the inside of the network to a host on the outside of the network. All Telnet packets, except for the first packet, were translated in the fast path, as indicated by the asterisk (*).

Note: If the connection is already established, the security appliance does not need to re-check packets and the packets are sent to the Fast Path.

(Reference: http://www.cisco.com/en/US/docs/ios/12_3t/debug/command/reference/dbg_i2gt.html)
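
As an added example (not part of the original post or of Cisco's documentation), the following Python sketch parses "debug ip nat" lines in the format shown in the exhibit and counts, per translation, how many packets were process-switched and how many took the fast path (NAT*). The sample lines are constructed from the exhibit; the names NatEvent, parse and summarize are hypothetical.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample input, modelled on the four lines of the exhibit.
SAMPLE = """\
02:16:29: NAT: s=10.10.0.2->1.2.4.2, d=1.2.4.1 [51607]
02:16:29: NAT: s=1.2.4.1, d=1.2.4.2->10.10.0.2 [55227]
02:16:29: NAT*: s=10.10.0.2->1.2.4.2, d=1.2.4.1 [51608]
02:16:29: NAT*: s=10.10.0.2->1.2.4.2, d=1.2.4.1 [51609]
"""


class NatEvent(NamedTuple):
    timestamp: str
    fast_path: bool            # True when the line is tagged "NAT*"
    src: str                   # source address as it arrived at the router
    src_xlate: Optional[str]   # rewritten source, if any (inside -> outside)
    dst: str                   # destination address as it arrived
    dst_xlate: Optional[str]   # rewritten destination, if any (outside -> inside)
    ip_id: int                 # IP identification number in square brackets

    @property
    def direction(self):
        if self.src_xlate:
            return "inside->outside"
        if self.dst_xlate:
            return "outside->inside"
        return "untranslated"


def _addr(name):
    # Named group matching a dotted-quad IPv4 address.
    return r"(?P<%s>\d{1,3}(?:\.\d{1,3}){3})" % name


LINE = re.compile(
    r"^(?P<ts>.+?): NAT(?P<star>\*?): s=" + _addr("s") + "(?:->" + _addr("sx")
    + ")?, d=" + _addr("d") + "(?:->" + _addr("dx") + r")? \[(?P<id>\d+)\]$")


def parse(text):
    """Return a NatEvent for every line that matches the exhibit's format."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            events.append(NatEvent(m["ts"], m["star"] == "*", m["s"], m["sx"],
                                   m["d"], m["dx"], int(m["id"])))
    return events


def summarize(events):
    """Count process-switched and fast-path packets per (inside local, inside global)."""
    stats = {}
    for e in events:
        if e.src_xlate:        # source rewritten: local -> global
            key = (e.src, e.src_xlate)
        elif e.dst_xlate:      # destination rewritten: global -> local
            key = (e.dst_xlate, e.dst)
        else:
            continue
        bucket = stats.setdefault(key, {"process": 0, "fast": 0})
        bucket["fast" if e.fast_path else "process"] += 1
    return stats


if __name__ == "__main__":
    for ev in parse(SAMPLE):
        print(ev.ip_id, ev.direction, "fast" if ev.fast_path else "process")
    print(summarize(parse(SAMPLE)))
```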

Question 2

Refer to the exhibit. What command sequence will enable PAT from the inside to outside network?

ip nat pool isp-net 1.2.4.10 1.2.4.240 netmask 255.255.255.0
!
interface ethernet 1
description ISP Connection
ip address 1.2.4.2 255.255.255.0
ip nat outside
!
interface ethernet 0
description Ethernet to Firewall eth0
ip address 10.10.0.1 255.255.255.0
ip nat inside
!
access-list 1 permit 10.0.0.0 0.255.255.255

A. (config)# ip nat pool isp-net 1.2.4.2 netmask 255.255.255.0 overload
B. (config-if)# ip nat outside overload
C. (config)# ip nat inside source list 1 interface ethernet1 overload
D. (config-if)# ip nat inside overload


Answer: C

Explanation

The command “ip nat inside source list 1 interface ethernet1 overload” means:

+ “ip nat”: use NAT
+ “inside”: NAT from inside to outside
+ “source list 1”: the source addresses can be found in access list 1
+ “interface ethernet1”: NAT out of this interface
+ “overload”: use NAT overload (PAT)

Question 3

Refer to the exhibit. A junior network engineer has prepared the exhibited configuration file. What two statements are true of the planned configuration for interface fa0/1? (Choose two)

[Exhibit: DMZ_nat_inside.jpg]

A. The two FastEthernet interfaces will require NAT configured on two outside serial interfaces.
B. Address translation on fa0/1 is not required for DMZ Devices to access the Internet.
C. The fa0/1 IP address overlaps with the space used by s0/0.
D. The fa0/1 IP address is invalid for the IP subnet on which it resides.
E. Internet hosts may not initiate connections to DMZ Devices through the configuration that is shown.


Answer: B E

Explanation

Both inside FastEthernet interfaces can use only one outside interface to go to the Internet -> A is not correct.

DMZ devices use IP addresses in the range of 128.107.1.128/25 which are public IP addresses so they don’t need address translation to access the Internet -> B is correct.

The fa0/1 interface’s IP address is 128.107.1.254 255.255.255.128 (range from 128.107.1.128 to 128.107.1.255) while the IP address of s0/0 is 128.107.1.1 255.255.255.252 (range from 128.107.1.0 to 128.107.1.4), so they do not overlap -> C is not correct.

DMZ devices are in the range of 128.107.1.128/25 (from 128.107.1.128 to 128.107.1.255) and fa0/1 IP address (128.107.1.254) is a valid IP address on this subnet -> D is not correct.

DMZ devices (and other internal hosts) are using dynamic PAT, which is a type of dynamic NAT. With dynamic NAT, translations do not exist in the NAT table until the router receives traffic that requires translation. In other words, if DMZ devices communicate with outside hosts first, dynamic translation works fine. But if outside hosts communicate with DMZ devices first, no translation is created in the NAT table and the packets will be dropped. This is the reason why “Internet hosts may not initiate connections to DMZ Devices through the configuration that is shown” -> E is correct.

Question 4

Refer to the exhibit. What statement is true of the configuration for this network?

[Exhibit: DMZ_nat_inside.jpg]

A. The configuration that is shown provides inadequate outside address space for translation of the number of inside addresses that are supported.
B. Because of the addressing on interface FastEthernet0/1, the Serial0/0 interface address will not support the NAT configuration as shown.
C. The number 1 referred to in the ip nat inside source command references access-list number 1.
D. ExternalRouter must be configured with static routes to network 172.16.2.0/24.


Answer: C

Explanation

The “list 1” refers to the access-list number 1.

Question 5

What are two benefits of using NAT? (choose two)

A. NAT protects network security because private networks are not advertised.
B. NAT accelerates the routing process because no modifications are made on the packets.
C. Dynamic NAT facilitates connections from the outside of the network.
D. NAT facilitates end-to-end communication when IPsec is enabled.
E. NAT eliminates the need to re-address all hosts that require external access.
F. NAT conserves addresses through host MAC-level multiplexing.


Answer: A E

Explanation

By not revealing the internal IP addresses, NAT adds some security to the inside network -> A is correct.

NAT has to modify the source IP addresses in the packets -> B is not correct.

Connecting from the outside of the network through a “NAT” network is more difficult than through a normal network because the IP addresses of inside hosts are hidden -> C is not correct.

In order for IPsec to work with NAT we need to allow additional protocols, including Internet Key Exchange (IKE), Encapsulating Security Payload (ESP) and Authentication Header (AH) -> more complex -> D is not correct.

By allocating specific public IP addresses to inside hosts, NAT eliminates the need to re-address the inside hosts -> E is correct.

NAT does conserve addresses but not through host MAC-level multiplexing. It conserves addresses by allowing many private IP addresses to use the same public IP address to go to the Internet -> F is not correct.

Question 6

Which two statements about static NAT translations are true? (choose two)

A. They are always present in the NAT table.
B. They allow connection to be initiated from the outside.
C. They can be configured with access lists, to allow two or more connections to be initiated from the outside.
D. They require no inside or outside interface markings because addresses are statically defined.


Answer: A B

Explanation

With static NAT, translations exist in the NAT translation table as soon as you configure static NAT command(s), and they remain in the translation table until you delete the static NAT command(s).

With dynamic NAT, translations do not exist in the NAT table until the router receives traffic that requires translation. Dynamic translations have a timeout period after which they are purged from the translation table.

-> A is correct.

Because static NAT translations are always present in the NAT table, outside hosts can initiate the connection without being dropped -> B is correct.

Static translations cannot be configured with access lists. To configure static NAT, we only need to specify the source IP, the NAT IP, the inside interface and the outside interface.

-> C is not correct.

We have to specify which is the inside and outside interface -> D is not correct.

For your information, below is an example of configuring static NAT:

R0(config)#int f0/0
R0(config-if)#ip nat inside

R0(config-if)#int f0/1
R0(config-if)#ip nat outside

R0(config)#ip nat inside source static 10.0.0.1 200.0.0.2

(Reference: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml)

Question 7

Refer to the exhibit. Which statement about packet addresses is true during data exchange when host A makes a Web request to the WWW Server, considering that a NAT overload scheme is in use for data passing from Corp LAN hosts to outside networks?

[Exhibit: NAT_Overload.jpg]

A. Source 234.15.27.226:3015 and destination 234.15.27.225:80
B. Source 200.15.239.128:3015 and destination 192.168.10.34:80
C. Destination 192.168.10.11:3015 and source 200.15.239.128:80
D. Source 192.168.10.34:80 and destination 192.168.10.254:3015
E. Destination 234.15.27.225:3015 and source 200.15.239.128:80


Answer: E

Explanation

From A to Corp router:
+ Source: 192.168.10.34:3015 & Destination: 200.15.239.128:80
From Corp to WWW Server:
+ Source: 234.15.27.225:3015 & Destination: 200.15.239.128:80
From WWW Server to Corp:
+ Source: 200.15.239.128:80 & Destination: 234.15.27.225:3015
From Corp to Host A:
+ Source: 200.15.239.128:80 & Destination: 192.168.10.34:3015

So the only correct answer is E (the packet from the WWW Server to Corp).
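
The address rewriting walked through above, and the difference between dynamic and static entries from Questions 3 and 6, can be reproduced with a small model. This is an added example, not code from the original post; NatRouter and its port-allocation policy (keep the source port if it is free, otherwise take the next free one) are assumptions of the model, and 192.168.10.35, 198.51.100.7 and the 200.0.0.1 outside address are constructed values.

```python
from itertools import chain


class NatRouter:
    """Toy inside-source NAT: static one-to-one entries plus PAT (overload)."""

    def __init__(self, outside_ip):
        self.outside_ip = outside_ip
        self.static = {}   # inside local IP -> inside global IP, always present
        self.dynamic = {}  # (global IP, port) -> (local IP, port), built on demand

    def add_static(self, local_ip, global_ip):
        self.static[local_ip] = global_ip

    def outbound(self, src, dst):
        """Inside -> outside: rewrite the source, creating a PAT entry if needed."""
        ip, port = src
        if ip in self.static:
            return (self.static[ip], port), dst
        for glob, local in self.dynamic.items():
            if local == src:  # translation already exists, reuse it
                return glob, dst
        # Assumed policy: keep the original source port if free, else next free.
        for p in chain([port], range(1024, 65536)):
            if (self.outside_ip, p) not in self.dynamic:
                self.dynamic[(self.outside_ip, p)] = src
                return (self.outside_ip, p), dst
        raise RuntimeError("PAT port pool exhausted")

    def inbound(self, src, dst):
        """Outside -> inside: rewrite the destination, or None if it is dropped."""
        ip, port = dst
        for local_ip, global_ip in self.static.items():
            if global_ip == ip:
                return src, (local_ip, port)
        local = self.dynamic.get(dst)
        return (src, local) if local else None


HOST_A = ("192.168.10.34", 3015)   # addresses from Question 7
WWW = ("200.15.239.128", 80)
CORP_OUTSIDE = "234.15.27.225"


def question7():
    corp = NatRouter(CORP_OUTSIDE)
    # Before host A has sent anything there is no entry, so this is dropped.
    unsolicited = corp.inbound(WWW, (CORP_OUTSIDE, 3015))
    leg1 = (HOST_A, WWW)                 # host A -> Corp
    leg2 = corp.outbound(*leg1)          # Corp -> WWW (source rewritten)
    leg3 = (leg2[1], leg2[0])            # WWW -> Corp (answer E)
    leg4 = corp.inbound(*leg3)           # Corp -> host A (destination rewritten)
    # A second inside host using the same source port gets a different one.
    clash = corp.outbound(("192.168.10.35", 3015), WWW)[0]
    return unsolicited, [leg1, leg2, leg3, leg4], clash


def static_entry():
    r0 = NatRouter("200.0.0.1")              # outside interface address is assumed
    r0.add_static("10.0.0.1", "200.0.0.2")   # mapping from the Question 6 example
    # No inside traffic has been sent, yet the outside host is translated.
    return r0.inbound(("198.51.100.7", 40000), ("200.0.0.2", 23))


if __name__ == "__main__":
    dropped, legs, clash = question7()
    print("unsolicited inbound:", dropped)
    for s, d in legs:
        print("source %s:%d  destination %s:%d" % (s + d))
    print("second host translated to", clash)
    print("static, outside-initiated:", static_entry())
```

The static case shows why a static entry has to be paired with filtering on the outside interface: the translation exists whether or not the inside host ever sent traffic.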

Comments (268)
  1. Anonymous
    October 27th, 2012

    Please, anyone, send me the latest dumps… my mail ID is adarsh.p281@gmail.com

  2. Asif
    October 28th, 2012

    can anyone send me the latest dumps at my email address a4asif50@hotmail.com
    thanks
    and can anyone also indicate whether these questions at 9tut are still valid???
    thanks again

  3. Mamun
    November 10th, 2012

    Please anyone send me the latest dumps at my email address md_mamun@hotmail.com

  4. raju-Goa
    November 21st, 2012

    hi

    I am confused about Questions 3 and 4

    Please help me step by step : (

  5. sathihs
    November 24th, 2012

    very very useful>>>>>>>>>>>>>

  6. Anonymous
    November 27th, 2012

    Q7, the question is worded a bit strange

  7. Höppemötzjer
    December 6th, 2012

    Q7 is confusing me a little bit.

    First, what is being asked here? I think it’s the data flow from host A to the webserver. So the IP packet goes from
    a) host A –> router Corp
    b) router Corp –> router ISP
    c) router ISP –> webserver
    At these hops the IP packets have several source and destination IP addresses.
    a) source: 192.168.10.34:3015, destination: 200.15.239.128:80
    b) source: 234.15.27.225:3015, destination: 200.15.239.128:80
    c) source: 234.15.27.225:3015, destination: 200.15.239.128:80

    So, no answer is matching here.

    Besides the PAT theme, there is also a routing problem in this question.
    Host A has the IP address 192.168.10.34/28 and the interface of router Corp has the IP address 192.168.10.254/28.
    So they are not in the same subnet. The data will never flow to the webserver.

    Could you clarify this once again, please?

  8. rjohn
    December 10th, 2012

    Hi there. Taking CCNA in two weeks. Can anyone send me latest dumps? rjohn326@gmail.com? thank you!

  10. TDy11
    December 13th, 2012

    TY 9tut.

    Today I have passed the CCNA. (860/825)
    50 questions 3 labs (VTP, EIGRP, ACL). 35 from 9tut.

    Also thanks a lot Brar and Sekhar (still valid from examcollection)

    Ty again 9tut

    from here Q 7

  11. Branimir
    December 14th, 2012

    Question 7, I don’t see the correct answer.

    Wouldn’t it be this: Source 192.168.10.34:80 and destination 200.15.239.128:80
    Or maybe:
    Source: 234.15.27.225:3015 and destination: 234.15.27.226:3015

  14. Will
    December 19th, 2012

    Pls send me latest dumps to alexsukete@hotmail.com

  15. aungyekyaw
    December 23rd, 2012

    please send me latest dumps to aungyekyaw2020@gmail.com thanks

  16. Milind-Mumbai
    December 24th, 2012

    Today I have passed with 960/1000……..Thanks to GOD
    Thanks to 9TUT …….Sekhar……P4S

  17. guru
    January 1st, 2013

    please send me latest dumps to gurukr496@gtmail.com plz

  18. guru
    January 1st, 2013

    please send me latest dumps to gurukr496@gmail.com plz

  19. Andy
    January 9th, 2013

    Question 7 is absolutely wrong… the data is flowing from host to web server, “when host A makes Web-request to WWW Server” mmmmm

  21. Lemoi
    January 23rd, 2013

    Question 7:

    The question says “nothing” about which portion of the request to consider. After the host makes the request, data flows from host to web server and from web server back to host, hence the choice of E as the correct answer.

    I agree that the question could have been worded differently (by indicating the direction in which the data flows), but … isn’t Cisco famous for asking unclear/confusing questions? That’s one of the reasons why many of us fail the first time.

  22. Majeed
    January 25th, 2013

    Hi All,

    Can anyone let me know the difference between NAT & PAT?

    Thanks,
    Majeed.

  23. Kevin
    January 27th, 2013

    There are many kinds of NAT. One of them is PAT, Port Address Translation. Simply put, when you have a big company, you will have a lot of hosts on the inside of your network. Let’s say you have 1000 computers and you need these 1000 hosts to reach the Internet, or just simply surf and use the Internet. These 1000 hosts will have a private IP address scheme. But you would need to call an ISP to get at least one public IP address, “100.100.100.100”. When something from the inside network tries to surf the Internet, your router will translate the inside IP 192.168.1.1 to 100.100.100.100. That is amazing, because you have 1000 computers and if they need to go to the Internet, they will be translated to the public IP “100.100.100.100”.

    Let’s say you go to 4.2.2.2, “DNS of Google, I think”. 4.2.2.2 is a public IP address. If you try to send an ICMP packet from inside 192.168.1.2, the host 4.2.2.2 will be able to see that “100.100.100.100” is requesting ICMP packets.

    192.168.1.0 /24 —————-Router(100.100.100.100)——-cloud———4.2.2.2

    You can send an ICMP packet from 192.168.1.2 to 4.2.2.2 because 192.168.1.2 will be translated, or NATted, to 100.100.100.100.

    One thing you need to make sure of is that 100.100.100.100 is reachable in the cloud because it is a public IP address.

  24. Kevin
    January 27th, 2013

    NAT is very complicated. You need to see the packet flow when the packet is generated from the inside.

    The first packet will leave your computer like this. This is a layer 3 flow. You can check that in the link below:
    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

    pc-192.168.1.1——————inside–router–outside(100.100.100.100)——-cloud———4.2.2.2

    ! PAT: translate sources matched by ACL 100 to the address of f0/1
    ip nat inside source list 100 interface f0/1 overload
    ! ACLs take a wildcard mask, not a subnet mask
    access-list 100 permit ip 192.168.1.0 0.0.0.255 any

    ! default route towards the ISP
    ip route 0.0.0.0 0.0.0.0 100.100.100.101
    inter f0/0
    ip nat inside

    inter f0/1
    ip nat outside
    ip address 100.100.100.100 255.255.255.0

    PC
    Source 192.168.1.1 – destination 4.2.2.2
    The router gets the packet; it will try to match some things first, and then it will see that it matches the NAT statement. It sees that the packet is coming from the inside, checks the interface and sees the command “ip nat inside”. Based on the routing table, it sees the default route, which says the packet needs to be sent to the outside interface, and this interface, f0/1, has the NAT statement “ip nat outside”.

    Then the router matches access list 100 because the packet is coming from 192.168.1.0 to any.

    The packet gets to the router and the source changes to 100.100.100.100

    Source 192.168.1.1 – destination 4.2.2.2
    Source 100.100.100.100 – destination 4.2.2.2

    The packet gets to 4.2.2.2

    Then the packet flow goes from 4.2.2.2 to 100.100.100.100

    Source 4.2.2.2 – destination 100.100.100.100

    The packet gets to the outside interface of the router, and the router sees the xlate table entry, looks for a specific entry with the port and untranslates the packet from 100.100.100.100 to 192.168.1.1.

    Then the packet will leave the router like this

    Source 4.2.2.2 – destination 192.168.1.1.

    The PC will not drop the packet because it matches the same, it just tries out to reach.

    Sorry I made this complicated. But this is one of the most difficult things to learn. It is easier to get a paper and practice and practice, but always try to see the packet flow and how the router will process the packet with the link above. That is very useful.

  25. Val
    January 30th, 2013

    please send me latest dumps to vhl79@hotmail.com thanks!!

  26. jad
    February 2nd, 2013

    @9tut

    What is the right syntax (the interfaces first or NAT first)?
    ::::

    R0(config)#int f0/0
    R0(config-if)#ip nat inside

    R0(config-if)#int f0/1
    R0(config-if)#ip nat outside

    R0(config)#ip nat inside source static 10.0.0.1 200.0.0.2

    ::::::::::::::::::

    R0(config)#ip nat inside source static 10.0.0.1 200.0.0.2

    R0(config)#int f0/0
    R0(config-if)#ip nat inside

    R0(config-if)#int f0/1
    R0(config-if)#ip nat outside

  27. Anonymous
    February 2nd, 2013

    Kindly send me latest dumps and labs in my email mario_azucena@yahoo.com. Thanks a lot!

  28. BigGuy5002
    February 7th, 2013

    @ jad… it does not matter if you put the ip nat inside / ip nat outside first; it will not work until you put ip nat inside source static 10.0.0.1 200.0.0.2, and vice versa, if you configure ip nat inside source static 10.0.0.1 200.0.0.2 and do not put the ip nat inside / ip nat outside on the interface, it will not work… there is no correct order of which is first! If I am wrong then correct me!

  29. NoDumps4You
    February 12th, 2013

    People should stop asking for dumps. I don’t know how many people even get dumps sent to their email just by asking on 9tut. I’m always deeply worried about people who sit for their CCNA yet, cannot perform a simple google search for CCNA dumps themselves.

  30. Shabbir
    February 13th, 2013

    I think the Ques. 7 topology is wrong… here the PC IP is 192.168.10.34/28… but the Corp router interface IP is 192.168.10.254/28, which is not in the same network… Am I right??? Then how will the network work??? Will 9tut answer it???

  31. Anonymous
    February 13th, 2013

    can some one help me with DHomesb Final Exam – CCNA Discovery: Networking for Home and Small Businesses (Version 4.0) REV 2

  32. Anonymous
    February 13th, 2013

    can some one help me with DHomesb Final Exam – CCNA Discovery: Networking for Home and Small Businesses (Version 4.0) REV 2. please send me the link or answers to my in box
    koufie@consultant.com

  33. Search
    February 16th, 2013

    please send me latest dumps to : abdessamad.elaouni@gmail.com thanks!!

  34. walla
    February 17th, 2013

    I can’t understand question 7 … can someone please explain the question to me? Many thanks

  35. Osito
    February 19th, 2013

    Kevin explained very well the NAT process and how the router processes the packet

  36. Osito
    February 19th, 2013

    walla please check the explanation of Kevin it is very useful

  37. GUN
    February 24th, 2013

    Hi there. Taking CCNA in a weeks. Can anyone send me latest dumps? gugunwasp@gmail.com? thank you!

  38. Michael Ebisi
    February 24th, 2013

    @GUN just follow the link below and get access to several of the latest dumps: http://www.examcollection.com/640-802.html
    I will be writing my own on 2nd March, just praying for God’s favour

  39. Mario
    February 28th, 2013

    Can anyone send me latest dumps?
    mariovalidzic1@gmail.com

  40. shshoor
    March 1st, 2013

    q 5 was in the exam today

  41. akshay
    March 14th, 2013

    send the latest dumps
    akshsonu64@gmail.com

  42. angufibo benard
    March 22nd, 2013

    can any one please send me the latest dumps to bangufibo@gmail.com? thanks. am preparing for certification.

  43. bouba
    March 23rd, 2013

    can any one please send me the latest dumps to boubachezkamdem@yahoo.fr? thanks. am getting ready for the certification.

  44. iKcross
    March 23rd, 2013

    I will take the CCNA exam on March 26th. any help you can send me grateful. my email is kelvin-cruz@hotmail.com

  45. Raj
    March 27th, 2013

    I completed CCNA with 986/1000. I prepared for the exam only with the help of pass4sure v10 653 questions, which was really helpful.

    Those who want, contact me at myjobs986@gmail.com

  46. snafi
    April 3rd, 2013

    I have the CCNA exam next week >> if anybody can help me … mamo.alashee@gmail.com

  47. zeeka
    April 4th, 2013

    http://i48.tinypic.com/2cgmutd.png

    could any one explain to me this question

  48. Pawan
    April 9th, 2013

    Please help i want to give ccna exam next week please sent Latest dumps on
    namdeo.pawan@gmail.com

  49. X
    April 11th, 2013

    i think there’s something wrong with the explanation in q7

  50. manzur
    April 14th, 2013

    Hey Guys, Can u send the last dump?

    mmanzur2005@gmail.com
