CCNA – NAT & PAT Questions
Here you will find answers to NAT & PAT Questions
Note: If you are not sure about NAT & PAT, please read my NAT tutorial.
Refer to the exhibit. What does the (*) represent in the output?
|02:16:29: NAT: s=10.10.0.2->126.96.36.199, d=188.8.131.52 
02:16:29: NAT: s=184.108.40.206, d=220.127.116.11->10.10.0.2 
62:16:29: NAT*: s=10.10.0.2->18.104.22.168, d=22.214.171.124 
02:16:29: NAT*: s=10.10.0.2->126.96.36.199, d=188.8.131.52 
A. Packet is destined for a local interface to the router.
B. Packet was translated, but no response was received from the distant device.
C. Packet was not translated, because no additional ports are available.
D. Packet was translated and fast switched to the destination.
The above output is from the “debug ip nat” command. In this output, the first two lines show the Domain Name System (DNS) request and reply debugging output.
In the first line (DNS request):
s=10.10.0.2->184.108.40.206: source of the IP address (10.10.0.2) and how it is being translated (to 220.127.116.11)
d=18.104.22.168: destination address of the packet
: the IP identification number of the packet
In the second line (DNS reply):
s=22.214.171.124: source of the reply
d=126.96.36.199->10.10.0.2: how the destination is being translated
The remaining lines show debugging output from a Telnet connection from a host on the inside of the network to a host on the outside of the network. All Telnet packets, except for the first packet, were translated in the fast path, as indicated by the asterisk (*).
Note: If the connection is already established, the security appliance does not need to re-check packets and the packets are sent to the Fast Path.
Refer to the exhibit. What command sequence will enable PAT from the inside to outside network?
|ip nat pool isp-net 188.8.131.52 184.108.40.206 netmask 255.255.255.0
interface ethernet 1
description ISP Connection
ip address 220.127.116.11 255.255.255.0
ip nat outside
interface ethernet 0
description Ethernet to Firewall eth0
ip address 10.10.0.1 255.255.255.0
ip nat inside
access-list 1 permit 10.0.0.0 0.255.255.255
A. (config)# ip nat pool isp-net 18.104.22.168 netmask 255.255.255.0 overload
B. (config-if)# ip nat outside overload
C. (config)# ip nat inside source list 1 interface ethernet1 overload
D. (config-if)# ip nat inside overload
The command “ip nat inside source list 1 interface ethernet1 overload” means:
+ “ip nat”: use NAT
+ “inside”: NAT from inside to outside
+ “source list 1″: the source addresses can be found in access list 1
+ “interface ethernet1″: NAT out of this interface
+ “overload”: use NAT overload (PAT)
Refer to the exhibit. A junior network engineer has prepared the exhibited configuration file. What two statements are true of the planned configuration for interface fa0/1? (Choose two)
A. The two FastEthernet interfaces will require NAT configured on two outside serial interfaces.
B. Address translation on fa0/1 is not required for DMZ Devices to access the Internet.
C. The fa0/1 IP address overlaps with the space used by s0/0.
D. The fa0/1 IP address is invalid for the IP subnet on which it resides.
E. Internet hosts may not initiate connections to DMZ Devices through the configuration that is shown.
Answer: B E
Both inside FastEthernet interfaces can use only one outside interface to go to the Internet -> A is not correct.
DMZ devices use IP addresses in the range of 22.214.171.124/25 which are public IP addresses so they don’t need address translation to access the Internet -> B is correct.
The fa0/1 interface’s IP address is 126.96.36.199 255.255.255.128 (range from 188.8.131.52 to 184.108.40.206) while the IP address of s0/0 is 220.127.116.11 255.255.255.252 (ranges from 18.104.22.168 to 22.214.171.124) so they are not overlapped with each other -> C is not correct.
DMZ devices are in the range of 126.96.36.199/25 (from 188.8.131.52 to 184.108.40.206) and fa0/1 IP address (220.127.116.11) is a valid IP address on this subnet -> D is not correct.
DMZ devices (and other internal hosts) are using dynamic PAT, which is a type of dynamic NAT. With dynamic NAT, translations do not exist in the NAT table until the router receives traffic that requires translation. In other words, if DMZ devices communicate with outside hosts first, dynamic translation works fine. But if outside hosts communicate with DMZ devices first, no translation is created in NAT table and the packets will be dropped. This is the reason why “Internet hosts may not initiate connections to DMZ Devices through the configuration that is shown” -> E is correct.
Refer to the exhibit. What statement is true of the configuration for this network?
A. The configuration that is shown provides inadequate outside address space for translation of the number of inside addresses that are supported.
B. Because of the addressing on interface FastEthernet0/1, the Serial0/0 interface address will not support the NAT configuration as shown.
C. The number 1 referred to in the ip nat inside source command references access-list number 1.
D. ExternalRouter must be configured with static routers to network 172.16.2.0/24
The “list 1″ refers to the access-list number 1.
What are two benefits of using NAT? (choose two)
A. NAT protects network security because private networks are not advertised.
B. NAT accelerates the routing process because no modifications are made on the packets.
C. Dynamic NAT facilitates connections from the outside of the network.
D. NAT facilitates end-to-end communication when IPsec is enable.
E. NAT eliminates the need to re-address all host that require external access.
F. NAT conserves addresses through host MAC-level multiplexing.
Answer: A E
By not reveal the internal Ip addresses, NAT adds some security to the inside network -> A is correct.
NAT has to modify the source IP addresses in the packets -> B is not correct.
Connection from the outside of the network through a “NAT” network is more difficult than a more network because IP addresses of inside hosts are hidden -> C is not correct.
In order for IPsec to work with NAT we need to allow additional protocols, including Internet Key Exchange (IKE), Encapsulating Security Payload (ESP) and Authentication Header (AH) -> more complex -> D is not correct.
By allocating specific public IP addresses to inside hosts, NAT eliminates the need to re-address the inside hosts -> E is correct.
NAT does conserve addresses but not through host MAC-level multiplexing. It conserves addresses by allowing many private IP addresses to use the same public IP address to go to the Internet -> F is not correct.
Which two statements about static NAT translations are true? (choose two)
A. They are always present in the NAT table.
B. They allow connection to be initiated from the outside.
C. They can be configured with access lists, to allow two or more connections to be initiated from the outside.
D. They require no inside or outside interface markings because addresses are statically defined.
Answer: A B
With static NAT, translations exist in the NAT translation table as soon as you configure static NAT command(s), and they remain in the translation table until you delete the static NAT command(s).
With dynamic NAT, translations do not exist in the NAT table until the router receives traffic that requires translation. Dynamic translations have a timeout period after which they are purged from the translation table.
-> A is correct.
Because static NAT translations are always present in the NAT table so outside hosts can initiate the connection without being dropped -> B is correct.
Static translations can not be configured with access lists. To configure static NAT, we only need to specify source IP, NAT IP, inside interface & outside interface.
-> C is not correct.
We have to specify which is the inside and outside interface -> D is not correct.
For your information, below is an example of configuring static NAT:
R0(config-if)#ip nat inside
R0(config-if)#ip nat outside
R0(config)#ip nat inside source static 10.0.0.1 18.104.22.168
Refer to the exhibit. Which statement about packet addresses are true during data exchange when host A makes Web-request to WWW Server, considering that there is NAT overload scheme for data passing from Corp LAN hosts to outside networks in use?
A. Source 22.214.171.124:3015 and destination 126.96.36.199:80
B. Source 188.8.131.52:3015 and destination 192.168.10.34:80
C. Destination 192.168.10.11:3015 and source 184.108.40.206:80
D. Source 192.168.10.34:80 and destination 192.168.10.254:3015
E. Destination 220.127.116.11:3015 and source 18.104.22.168:80
From A to Corp router:
+ Source: 192.168.10.34: 3015 & Destination: 22.214.171.124:80
From Corp to WWW Server:
+ Source: 126.96.36.199:3015 & Destination: 188.8.131.52:80
From WWW Server to Corp:
+ Source: 184.108.40.206:80 & Destination: 220.127.116.11:3015
From Corp to Host A:
+ Source: 18.104.22.168:80 & Destination: 192.168.10.34:3015
So the only correct answer is E (from WWW server to Corp)