Cisco CCNA mock exam questions sample test – Question 371

You need to configure Network Address Translation (NAT) to allow users access to the Internet. There are 62 private hosts that need Internet access using the private network
10.4.3.64 /26, and all of them will be translated into the public IP address of the serial interface.
Which of the following NAT configurations will allow all 62 hosts to have simultaneous Internet access?

A. Router(config)# ip nat pool POOLNAME 10.4.3.64 /26
Router(config)# interface s0
Router(config-if)# ip nat inside source 1 pool POOLNAME overload
B. Router(config)# access-list 1 permit 10.4.3.64 0.0.0.127
Router(config)# interface s0/0
Router(config-if)# ip nat source list 1 pool POOLNAME overload
C. Router(config)# access-list 1 permit 10.4.3.64 /26
Router(config)# ip nat inside source list 1 interface serial 0
D. Router(config)# access-list 1 permit 10.4.3.64 0.0.0.63
Router(config)# ip nat inside source list 1 interface serial 0 overload

Correct Answer: D

Explanation:
You should execute the following commands:
Router(config)# access-list 1 permit 10.4.3.64 0.0.0.63
Router(config)# ip nat inside source list 1 interface serial 0 overload
A working NAT configuration needs three things: an access control list (ACL) that identifies the private (inside local) addresses to be translated, an ip nat inside source
command, entered in global configuration mode, that ties the ACL to the public address or pool used for translation, and the ip nat inside and ip nat outside interface commands that mark
the LAN and serial interfaces respectively. None of the answer choices shows the interface designations, but without them no translation takes place. Cisco uses the term “inside local”
for an address before translation and “inside global” for the public address it is translated to.
The access-list 1 permit 10.4.3.64 0.0.0.63 command correctly identifies the private host network of 10.4.3.64 /26, consisting of 62 hosts.
The ip nat command is broken down as follows:
inside: indicates that the source addresses of packets travelling from the inside (private) network to the outside interface will be translated (and the destination addresses of the return traffic translated back)
list 1: specifies that access list 1 will be used to determine which private IP addresses will be translated
interface serial 0: specifies that NAT will translate private IP addresses into the IP address of the serial 0 interface
overload: allows NAT to reuse the IP address of the serial interface for all private IP addresses, providing them simultaneous access to the Internet
The correct wildcard mask is critical to ensuring that the access list allows translation of all LAN devices. For example, if the private LAN used the 192.168.9.0/24 network and 167
devices were present in the network, the correct wildcard mask would be 0.0.0.255. If you used an incorrect wildcard mask, such as 0.0.0.3, only the 192.168.9.0/30 range would be
matched (the host addresses 192.168.9.1 and 192.168.9.2), so of the 167 devices, 165 would not receive translation. A wildcard mask that is too wide is also wrong: 0.0.0.127 applied to
10.4.3.64 matches the whole of 10.4.3.0/25, not just the /26 in the scenario.
The overload keyword is required in this configuration, since there are more private IP addresses (62) than there are public IP addresses (one). Overload activates NAT overloading,
often called Port Address Translation (PAT): each translation (an inside local address and source port pair) is given its own source port on the shared public address, and the router
tracks the mapping in its translation table. Without the overload keyword, the single public address is bound to one inside host at a time, so only one private host could access the
Internet until that entry timed out or was cleared.
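To make the difference between plain dynamic NAT and PAT concrete, here is an added toy model (not from the original page or from Cisco) of a router holding a single inside global address. With overload disabled the address belongs to whichever inside host claims it first and every other host is refused; with overload enabled each (inside local, source port) flow receives its own source port on the shared address. The inside global address 203.0.113.1 (from the TEST-NET-3 documentation range) stands in for the serial 0 address and the port allocator starting at 1024 is an assumption of the model, not IOS behaviour.

```python
import ipaddress
from itertools import count

INSIDE_NET = ipaddress.ip_network("10.4.3.64/26")   # the LAN permitted by access-list 1
INSIDE_GLOBAL = "203.0.113.1"                        # assumed serial 0 address (constructed)


class NatRouter:
    """Toy model of `ip nat inside source list 1 interface serial 0 [overload]`.

    overload=False: dynamic one-to-one NAT; the lone global address is held by one inside host.
    overload=True:  PAT; every (inside local, source port) flow gets a unique global source port.
    """

    def __init__(self, inside_global: str, overload: bool) -> None:
        self.inside_global = inside_global
        self.overload = overload
        self.table = {}                 # (local_ip, local_port) -> (global_ip, global_port)
        self._owner = None              # plain NAT: inside local currently holding the address
        self._next_port = count(1024)   # PAT: simplistic port allocator (assumption of the model)

    def translate(self, inside_local: str, src_port: int):
        """Return (inside_global, global_port) for an outbound flow, or None if no entry can be made."""
        if ipaddress.ip_address(inside_local) not in INSIDE_NET:
            return None                 # not permitted by the ACL: no translation is created
        key = (inside_local, src_port)
        if key in self.table:
            return self.table[key]      # existing entry is reused for the same flow
        if self.overload:
            entry = (self.inside_global, next(self._next_port))
        else:
            if self._owner not in (None, inside_local):
                return None             # the only global address is taken by another host
            self._owner = inside_local
            entry = (self.inside_global, src_port)   # plain NAT leaves the port untouched
        self.table[key] = entry
        return entry

    def clear_translations(self) -> None:
        """Model of `clear ip nat translation *` or all entries timing out."""
        self.table.clear()
        self._owner = None


def simultaneous_hosts(overload: bool, hosts: int = 62) -> int:
    """How many of `hosts` inside hosts (10.4.3.65 upward) hold a translation at the same time."""
    router = NatRouter(INSIDE_GLOBAL, overload)
    first = int(ipaddress.ip_address("10.4.3.65"))
    translated = 0
    for i in range(hosts):
        host = str(ipaddress.ip_address(first + i))
        if router.translate(host, 50000 + i) is not None:
            translated += 1
    return translated


if __name__ == "__main__":
    print("without overload:", simultaneous_hosts(False), "of 62 hosts translated")
    print("with overload:   ", simultaneous_hosts(True), "of 62 hosts translated")
```

The model also shows why PAT needs the port: two hosts may both use source port 40000, and only the rewritten global port keeps their return traffic apart.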
An alternate solution would involve the creation of a pool of public IP addresses on the NAT router, and applying the access control list to the NAT pool:
Router(config)# ip nat pool NATPOOL 201.52.4.17 201.52.4.22 netmask 255.255.255.248
Router(config)# ip nat inside source list 1 pool NATPOOL overload
The first command creates a NAT pool with six public IP addresses on subnet 201.52.4.16/29, which will be used for translation. The second command then ties access list 1 to the
NAT pool, and specifies overload so that the six public addresses can be reused as often as necessary, allowing all of the private IP addresses simultaneous Internet access.
In both of these examples, dynamic mapping is used: translation entries are created by outbound traffic from inside hosts. With dynamic mapping alone, it is not possible for computers
outside the network to initiate a connection to computers inside the network; that requires a static mapping between the private IP address and a public IP address on the NAT device.
A common alternative approach is to use public IP addresses in the DMZ rather than private IP addresses, and to place any computers that must be accessed from outside the
network in the DMZ. In this case, NAT is not required between the DMZ devices and the Internet. Even if public IP addresses are used in the DMZ, if the addresses undergo dynamic NAT
translation, connections initiated from outside the network will not be possible.
When NAT is used to translate private IP addresses to a public IP address (or addresses), the NAT process is implemented only on the router that connects the network to the
Internet. Private IP addresses are not routable on the Internet, so translation must occur at the point where the network connects to it.
The following command sets are incorrect because they both rely on a NAT pool rather than the address of the serial interface, which the scenario requires:
Router(config)# ip nat pool POOLNAME 10.4.3.64 /26
Router(config)# interface s0
Router(config-if)# ip nat inside source 1 pool POOLNAME overload
and
Router(config)# access-list 1 permit 10.4.3.64 0.0.0.127
Router(config)# interface s0/0
Router(config-if)# ip nat source list 1 pool POOLNAME overload
In the first set, the pool is built from the private network itself rather than from public (inside global) addresses, and the ip nat pool command does not accept the address in CIDR form; the
ip nat inside source command is also missing the list keyword and is entered in interface configuration mode instead of global configuration mode. In the second set, the wildcard mask
0.0.0.127 matches the whole of 10.4.3.0/25 rather than the 10.4.3.64/26 network, the command is missing the inside keyword, it references a pool that is never defined, and it is again
entered in interface configuration mode.
The following command set is incorrect because access control lists require inverse masks (such as 0.0.0.63) and CIDR notation (/26) is not allowed:
Router(config)# access-list 1 permit 10.4.3.64 /26
Router(config)# ip nat inside source list 1 interface serial 0
Also, the overload keyword is missing. With a single public address and no overload, only one inside host can be translated at a time, so the 62 hosts would not have simultaneous
Internet access even if the access list were written correctly.
Objective:
Infrastructure Services
Sub-Objective:
Configure, verify, and troubleshoot inside source NAT