Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

← NAT and PAT practice sets

300-410 NAT and PAT • Complete Question Bank

300-410 NAT and PAT — All Questions With Answers

Complete 300-410 NAT and PAT question bank — all 0 questions with answers and detailed explanations.

76
Questions
Free
No signup
Certifications/300-410/Practice Test/NAT and PAT/All Questions
Question 1mediummultiple choice
Read the full NAT/PAT explanation →

A network engineer is troubleshooting connectivity from a host inside a corporate network to a public web server. The host has IP 10.1.1.10/24, and the router's outside interface is 203.0.113.1/24. The engineer configured a dynamic NAT pool (203.0.113.10-203.0.113.20) and an access list permitting 10.1.1.0/24. However, traffic from the host fails. A 'show ip nat translations' reveals no translations. What is the most likely cause?

Question 2mediummultiple choice
Read the full NAT/PAT explanation →

A network engineer is troubleshooting PAT (overload) on a Cisco router. The inside network uses 192.168.1.0/24, and the outside interface has IP 198.51.100.1. The engineer configured 'ip nat inside source list 1 interface GigabitEthernet0/0 overload'. Traffic from inside hosts works initially, but after a few minutes, new connections fail. 'Show ip nat translations' shows many entries with the same outside global IP but different ports. 'Show ip nat statistics' indicates that the number of translations is near 500. What is the most likely cause?

Question 3hardmultiple choice
Read the full NAT/PAT explanation →

An engineer configures static NAT on a router to map a public IP 203.0.113.5 to an internal server 10.0.0.5. The configuration includes 'ip nat inside source static 10.0.0.5 203.0.113.5'. The server is reachable from the outside, but the server cannot initiate connections to the outside network. 'Show ip nat translations' shows the static entry. What is the most likely cause?

Question 4hardmultiple choice
Read the full NAT/PAT explanation →

A network engineer is troubleshooting NAT for a VoIP phone that uses SIP. The phone is at 192.168.2.10, and the router performs PAT to the outside interface 198.51.100.1. The phone can register with the SIP server, but calls fail after 30 seconds. The engineer notices that the SIP signaling includes the phone's private IP in the SDP body. What is the most likely cause?

Question 5mediummultiple choice
Study the full ACL explanation →

An engineer configures NAT on a router with 'ip nat inside source list 1 interface GigabitEthernet0/0 overload'. The inside hosts are 10.0.0.0/24, and the outside interface is 203.0.113.1. Traffic works for most hosts, but one host at 10.0.0.50 cannot access the internet. 'Show ip nat translations' shows no entry for this host. 'Show access-lists' shows ACL 1 permits 10.0.0.0 0.0.0.255. What is the most likely cause?

Question 6hardmultiple choice
Read the full VPN explanation →

A network engineer is troubleshooting NAT for a VPN tunnel. The router has a static NAT rule 'ip nat inside source static 10.0.0.10 203.0.113.10' for a server. The VPN traffic from the remote site to 203.0.113.10 is being NATed to 10.0.0.10, but the return traffic from the server to the remote site is not being translated back. The engineer sees that the server sends packets with source 10.0.0.10 to the remote site's public IP. What should the engineer do to fix this?

Question 7mediummultiple choice
Study the full ACL explanation →

An engineer configures NAT overload on a router. The inside network uses 172.16.0.0/16, and the outside interface is 198.51.100.1. The engineer uses 'ip nat inside source list 1 interface GigabitEthernet0/0 overload'. ACL 1 permits 172.16.0.0 0.0.255.255. Traffic works, but the engineer notices that the router's CPU utilization is high, and 'show ip nat translations' shows thousands of entries. What is the most likely cause?

Question 8hardmultiple choice
Study the full ACL explanation →

A network engineer is troubleshooting NAT for a web server that is reachable from the internet via a static NAT mapping 203.0.113.20 to 10.0.0.20. The server responds to HTTP requests, but the engineer cannot SSH to the server from the internet. 'Show ip nat translations' shows the static entry. The router's ACL on the outside interface permits TCP port 22 to 203.0.113.20. What is the most likely cause?

Question 9mediummultiple choice
Read the full NAT/PAT explanation →

An engineer configures NAT on a router with 'ip nat inside source list 1 pool POOL overload' where POOL contains 203.0.113.1-203.0.113.5. The inside hosts are 10.0.0.0/24. Traffic works, but the engineer notices that some hosts are assigned the same public IP and port, causing conflicts. 'Show ip nat translations' shows entries with the same inside global IP and port for different inside local hosts. What is the most likely cause?

Question 10mediummultiple choice
Study the full ACL explanation →

A network engineer runs the following command on Router R1:

R1# show ip nat translations

Pro Inside global Inside local Outside local Outside global --- 192.0.2.10 10.0.0.10 --- --- --- 192.0.2.11 10.0.0.11 --- --- --- 192.0.2.12 10.0.0.12 --- ---

R1# show ip nat statistics

Total active translations: 3 (0 static, 3 dynamic; 3 extended) Outside interfaces: GigabitEthernet0/1 Inside interfaces: GigabitEthernet0/0 Hits: 45 Misses: 0 CEF Translated packets: 45, CEF Punted packets: 0 Expired translations: 0 Dynamic mappings: -- Inside Source

[Id] ip nat pool POOL1 192.0.2.10 192.0.2.20 netmask 255.255.255.240

refcount 3 map-id 1 overload

[Id] ip nat inside source list ACL1 pool POOL1 overload

refcount 3

Based on this output, which statement is correct?

Question 11hardmultiple choice
Study the full ACL explanation →

A network engineer runs the following command on Router R1:

R1# show ip nat translations

Pro Inside global Inside local Outside local Outside global udp 192.0.2.10:1234 10.0.0.10:1234 203.0.113.5:53 203.0.113.5:53 tcp 192.0.2.10:5678 10.0.0.10:5678 198.51.100.20:80 198.51.100.20:80 --- 192.0.2.11 10.0.0.11 --- ---

R1# show ip nat statistics

Total active translations: 3 (0 static, 3 dynamic; 3 extended) Outside interfaces: GigabitEthernet0/1 Inside interfaces: GigabitEthernet0/0 Hits: 100 Misses: 0 CEF Translated packets: 100, CEF Punted packets: 0 Expired translations: 0 Dynamic mappings: -- Inside Source

[Id] ip nat pool POOL1 192.0.2.10 192.0.2.20 netmask 255.255.255.240

refcount 3 map-id 1 overload

[Id] ip nat inside source list ACL1 pool POOL1 overload

refcount 3

Based on this output, what is the problem?

Question 12mediummultiple choice
Study the full ACL explanation →

A network engineer runs the following command on Router R1:

R1# show ip nat translations

Pro Inside global Inside local Outside local Outside global --- 192.0.2.10 10.0.0.10 203.0.113.5 203.0.113.5 --- 192.0.2.11 10.0.0.11 203.0.113.5 203.0.113.5

R1# show ip nat statistics

Total active translations: 2 (0 static, 2 dynamic; 0 extended) Outside interfaces: GigabitEthernet0/1 Inside interfaces: GigabitEthernet0/0 Hits: 20 Misses: 0 CEF Translated packets: 20, CEF Punted packets: 0 Expired translations: 0 Dynamic mappings: -- Inside Source

[Id] ip nat pool POOL1 192.0.2.10 192.0.2.20 netmask 255.255.255.240

refcount 2 map-id 1

[Id] ip nat inside source list ACL1 pool POOL1

refcount 2

Based on this output, which statement is correct?

Question 13easymultiple choice
Read the full NAT/PAT explanation →

A network engineer runs the following command on Router R1:

R1# show ip nat translations

Pro Inside global Inside local Outside local Outside global --- 192.0.2.10 10.0.0.10 --- ---

R1# show ip nat statistics

Total active translations: 1 (1 static, 0 dynamic; 0 extended) Outside interfaces: GigabitEthernet0/1 Inside interfaces: GigabitEthernet0/0 Hits: 5 Misses: 0 CEF Translated packets: 5, CEF Punted packets: 0 Expired translations: 0

Based on this output, which statement is correct?

Question 14hardmultiple choice
Study the full ACL explanation →

A network engineer runs the following command on Router R1:

R1# show ip nat translations

Pro Inside global Inside local Outside local Outside global tcp 192.0.2.10:80 10.0.0.10:80 203.0.113.5:12345 203.0.113.5:12345 tcp 192.0.2.10:80 10.0.0.11:80 203.0.113.5:67890 203.0.113.5:67890

R1# show ip nat statistics

Total active translations: 2 (0 static, 2 dynamic; 2 extended) Outside interfaces: GigabitEthernet0/1 Inside interfaces: GigabitEthernet0/0 Hits: 50 Misses: 0 CEF Translated packets: 50, CEF Punted packets: 0 Expired translations: 0 Dynamic mappings: -- Inside Source

[Id] ip nat inside source list ACL1 interface GigabitEthernet0/1 overload

refcount 2

Based on this output, what is the problem?

Question 15mediummultiple choice
Study the full ACL explanation →

A network engineer runs the following command on Router R1:

R1# show ip nat translations

Pro Inside global Inside local Outside local Outside global --- 192.0.2.10 10.0.0.10 --- --- --- 192.0.2.11 10.0.0.11 --- ---

R1# show ip nat statistics

Total active translations: 2 (0 static, 2 dynamic; 0 extended) Outside interfaces: GigabitEthernet0/1 Inside interfaces: GigabitEthernet0/0 Hits: 0 Misses: 10 CEF Translated packets: 0, CEF Punted packets: 0 Expired translations: 0 Dynamic mappings: -- Inside Source

[Id] ip nat pool POOL1 192.0.2.10 192.0.2.20 netmask 255.255.255.240

refcount 2 map-id 1

[Id] ip nat inside source list ACL1 pool POOL1

refcount 2

Based on this output, what is the problem?

Question 16hardmultiple choice
Study the full ACL explanation →

A network engineer runs the following command on Router R1:

R1# show ip nat translations

Pro Inside global Inside local Outside local Outside global --- 192.0.2.10 10.0.0.10 --- --- --- 192.0.2.11 10.0.0.11 --- --- --- 192.0.2.12 10.0.0.12 --- --- --- 192.0.2.13 10.0.0.13 --- --- --- 192.0.2.14 10.0.0.14 --- --- --- 192.0.2.15 10.0.0.15 --- --- --- 192.0.2.16 10.0.0.16 --- --- --- 192.0.2.17 10.0.0.17 --- --- --- 192.0.2.18 10.0.0.18 --- --- --- 192.0.2.19 10.0.0.19 --- --- --- 192.0.2.20 10.0.0.20 --- ---

R1# show ip nat statistics

Total active translations: 11 (0 static, 11 dynamic; 0 extended) Outside interfaces: GigabitEthernet0/1 Inside interfaces: GigabitEthernet0/0 Hits: 200 Misses: 0 CEF Translated packets: 200, CEF Punted packets: 0 Expired translations: 0 Dynamic mappings: -- Inside Source

[Id] ip nat pool POOL1 192.0.2.10 192.0.2.20 netmask 255.255.255.240

refcount 11 map-id 1

[Id] ip nat inside source list ACL1 pool POOL1

refcount 11

Based on this output, what is the problem?

Question 17mediummultiple choice
Study the full ACL explanation →

A network engineer runs the following command on Router R1:

R1# show ip nat translations

Pro Inside global Inside local Outside local Outside global --- 192.0.2.10 10.0.0.10 --- ---

R1# show ip nat statistics

Total active translations: 1 (0 static, 1 dynamic; 0 extended) Outside interfaces: GigabitEthernet0/1 Inside interfaces: GigabitEthernet0/0 Hits: 0 Misses: 0 CEF Translated packets: 0, CEF Punted packets: 0 Expired translations: 0 Dynamic mappings: -- Inside Source

[Id] ip nat pool POOL1 192.0.2.10 192.0.2.20 netmask 255.255.255.240

refcount 1 map-id 1

[Id] ip nat inside source list ACL1 pool POOL1

refcount 1

Based on this output, what is the problem?

Question 18easymultiple choice
Study the full ACL explanation →

A network engineer runs the following command on Router R1:

R1# show ip nat translations

Pro Inside global Inside local Outside local Outside global udp 192.0.2.10:10000 10.0.0.10:10000 203.0.113.5:53 203.0.113.5:53 udp 192.0.2.10:10001 10.0.0.11:10000 203.0.113.5:53 203.0.113.5:53 udp 192.0.2.10:10002 10.0.0.12:10000 203.0.113.5:53 203.0.113.5:53

R1# show ip nat statistics

Total active translations: 3 (0 static, 3 dynamic; 3 extended) Outside interfaces: GigabitEthernet0/1 Inside interfaces: GigabitEthernet0/0 Hits: 150 Misses: 0 CEF Translated packets: 150, CEF Punted packets: 0 Expired translations: 0 Dynamic mappings: -- Inside Source

[Id] ip nat inside source list ACL1 interface GigabitEthernet0/1 overload

refcount 3

Based on this output, which statement is correct?

Question 19mediummultiple choice
Read the full NAT/PAT explanation →

Consider the following partial configuration on a Cisco IOS-XE router:

interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside

!

interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 ip nat outside

!

ip nat inside source list 1 interface GigabitEthernet0/1 overload
access-list 1 permit 192.168.1.0 0.0.0.255

What is the effect of this configuration?

Question 20mediummultiple choice
Read the full NAT/PAT explanation →

Given this partial configuration:

ip nat pool MYPOOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
ip nat inside source list 1 pool MYPOOL
access-list 1 permit 192.168.1.0 0.0.0.255

What is the effect?

Question 21mediummultiple choice
Read the full NAT/PAT explanation →

Examine this configuration:

interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside

!

interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip nat outside

!

ip nat inside source static tcp 10.0.0.10 80 198.51.100.10 8080 extendable

Which statement is true?

Question 22mediummultiple choice
Read the full NAT/PAT explanation →

What is the problem with this NAT configuration?

interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside

!

interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0

!

ip nat inside source list 1 interface GigabitEthernet0/1 overload
access-list 1 permit 192.168.1.0 0.0.0.255
Question 23mediummultiple choice
Read the full NAT/PAT explanation →

Given this configuration:

ip nat pool GLOBAL 203.0.113.1 203.0.113.10 prefix-length 28
ip nat inside source list 10 pool GLOBAL overload
access-list 10 permit 10.0.0.0 0.255.255.255

What is the effect?

Question 24mediummultiple choice
Read the full NAT/PAT explanation →

Consider this partial configuration:

ip nat inside source list 1 interface GigabitEthernet0/1 overload
access-list 1 permit 192.168.1.0 0.0.0.255

!

interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside

!

interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 ip nat outside

!

interface GigabitEthernet0/2
 ip address 172.16.0.1 255.255.255.0
 ip nat inside

What is true about traffic from the 172.16.0.0/24 network?

Question 25easymultiple choice
Read the full NAT/PAT explanation →

What is the default timeout for NAT translation entries in Cisco IOS?

Question 26mediummultiple choice
Read the full NAT/PAT explanation →

Which TCP flag combination triggers the NAT translation timeout to change from the default to the 'ip nat translation tcp-timeout' value?

Question 27mediummultiple choice
Read the full NAT/PAT explanation →

According to RFC 2663, what is the term for the process of translating both the source and destination IP addresses in a packet?

Question 28mediummulti select
Read the full NAT/PAT explanation →

Which TWO commands would a network engineer use to verify NAT translations and their statistics on a Cisco IOS router? (Choose TWO.)

Question 29mediummulti select
Read the full NAT/PAT explanation →

Which TWO statements about NAT overload (PAT) are true? (Choose TWO.)

Question 30mediummulti select
Read the full NAT/PAT explanation →

Which TWO configuration steps are required to implement static NAT on a Cisco IOS router? (Choose TWO.)

Question 31hardmulti select
Read the full NAT/PAT explanation →

Which THREE symptoms indicate that NAT is misconfigured or failing on a Cisco router? (Choose THREE.)

Question 32hardmulti select
Read the full NAT/PAT explanation →

Which THREE commands can be used to troubleshoot NAT issues on a Cisco IOS router? (Choose THREE.)

Question 33hardmultiple choice
Read the full VPN explanation →

A large enterprise network is experiencing intermittent connectivity failures for VoIP traffic traversing a DMVPN hub-and-spoke topology. Hub router R1 has the following relevant configuration: ip nat inside source list 100 interface Tunnel0 overload. Spoke router R2 shows: show ip nat translations: Pro Inside global Inside local Outside local Outside global --- 10.1.1.1 192.168.1.1 203.0.113.1 203.0.113.1. VoIP calls drop after 30 seconds. What is the root cause?

Question 34hardmultiple choice
Read the full NAT/PAT explanation →

Router R1 is performing NAT for internal users to access the internet. The configuration includes: ip nat inside source list 100 interface GigabitEthernet0/1 overload. Internal hosts cannot reach a specific external server at 203.0.113.50. Router R1 shows: show ip nat translations: Pro Inside global Inside local Outside local Outside global --- 10.1.1.1 192.168.1.1 203.0.113.50 203.0.113.50. Debug ip nat shows 'NAT: translation failed (no buffer)'. What is the root cause?

Question 35hardmultiple choice
Read the full VRF explanation →

In a multi-VRF environment, Router R1 is leaking routes between VRF A and VRF B using route-target import/export. Hosts in VRF A can ping hosts in VRF B, but traffic from VRF B to VRF A fails when NAT is applied on the VRF A egress interface. Configuration: ip nat inside source list 100 interface GigabitEthernet0/1 vrf A overload. Router R1 shows: show ip nat translations vrf A: no entries. What is the root cause?

Question 36hardmultiple choice
Read the full NAT/PAT explanation →

Router R1 is configured with ip nat inside source list 100 interface Loopback0 overload. Internal hosts at 192.168.1.0/24 can access the internet, but external hosts cannot initiate connections to an internal server at 10.1.1.10 that is also behind NAT. The server is supposed to be reachable via static NAT. Configuration: ip nat inside source static tcp 10.1.1.10 80 interface Loopback0 80. Router R1 shows: show ip nat translations: Pro Inside global Inside local Outside local Outside global tcp 10.1.1.10:80 10.1.1.10:80 --- ---. External users get connection timeouts. What is the root cause?

Question 37hardmultiple choice
Read the full NAT/PAT explanation →

Router R1 is configured with ip nat inside source list 100 interface GigabitEthernet0/1 overload. Users report that some websites load slowly or partially. Router R1 shows: show ip nat statistics: Total active translations: 65535 (0 static, 65535 dynamic; 65535 extended). The NAT pool is exhausted. What is the root cause?

Question 38hardmultiple choice
Read the full NAT/PAT explanation →

Router R1 is configured with ip nat inside source list 100 interface GigabitEthernet0/1 overload. Internal host 192.168.1.10 can ping external host 203.0.113.50, but cannot establish a TCP connection to port 443. Router R1 shows: debug ip nat: NAT: s=192.168.1.10->203.0.113.1, d=203.0.113.50 [0]. The external host shows no received packets. What is the root cause?

Question 39hardmultiple choice
Read the full NAT/PAT explanation →

Router R1 is configured with ip nat inside source list 100 interface GigabitEthernet0/1 overload. Internal hosts can access the internet, but traffic to a specific external server at 203.0.113.100 is being translated to a different source IP than expected. Router R1 shows: show ip nat translations: Pro Inside global Inside local Outside local Outside global --- 10.1.1.1 192.168.1.1 203.0.113.100 203.0.113.100. The server logs show connections from 10.1.1.1 instead of 203.0.113.1. What is the root cause?

Question 40hardmultiple choice
Read the full NAT/PAT explanation →

Router R1 is configured with ip nat inside source list 100 interface GigabitEthernet0/1 overload. Internal host 192.168.1.10 can access the internet, but when it tries to connect to an internal server at 10.1.1.10 via its public IP 203.0.113.10, the connection fails. Router R1 shows: show ip nat translations: Pro Inside global Inside local Outside local Outside global --- 203.0.113.10 10.1.1.10 --- ---. The host's traffic is being NATed to 203.0.113.1, but the server's response is sent to 203.0.113.1. What is the root cause?

Question 41hardmultiple choice
Read the full NAT/PAT explanation →

Router R1 is configured with ip nat inside source list 100 interface GigabitEthernet0/1 overload. Internal hosts can access the internet, but traffic to a specific external server at 203.0.113.200 is being dropped. Router R1 shows: show ip nat statistics: Total active translations: 1000. Debug ip nat: NAT: s=192.168.1.1->203.0.113.1, d=203.0.113.200 [0]. The external server shows no received packets. What is the root cause?

Question 42mediummultiple choice
Read the full NAT/PAT explanation →

A network engineer runs the following command to troubleshoot a NAT issue:

R1# debug ip nat detailed

NAT: s=10.1.1.1->10.2.2.2, d=192.168.1.1 [45] NAT: s=10.1.1.1->10.2.2.2, d=192.168.1.1 [46] NAT: s=10.1.1.1->10.2.2.2, d=192.168.1.1 [47] NAT*: s=192.168.1.1, d=10.2.2.2->10.1.1.1 [48] NAT: s=10.1.1.1->10.2.2.2, d=192.168.1.1 [49]

What does this output indicate?

Question 43mediummultiple choice
Read the full NAT/PAT explanation →

A network engineer runs the following command to verify NAT translations:

R1# show ip nat translations verbose

Pro Inside global Inside local Outside local Outside global --- 10.2.2.2 10.1.1.1 192.168.1.1 192.168.1.1 create 00:00:15, use 00:00:05, flags: extended, timing-out

What does the 'extended' flag indicate?

Question 44hardmultiple choice
Read the full NAT/PAT explanation →

A network engineer runs the following command to troubleshoot PAT exhaustion:

R1# show ip nat statistics

Total active translations: 1024 (0 static, 1024 dynamic; 1024 extended) Outside interfaces: GigabitEthernet0/1 Inside interfaces: GigabitEthernet0/0 Hits: 50000 Misses: 10 CEF Translated packets: 45000, CEF Punted packets: 5000 Expired translations: 2000 Dynamic mappings: -- Inside Source

[Id: 1] access-list NAT permit ip 10.0.0.0 0.255.255.255 any

refcount 1024, pool MyPool pool MyPool: netmask 255.255.255.240 start 203.0.113.1 end 203.0.113.14 type generic, total addresses 14, allocated 14 (100%), misses 0

What is the most likely issue?

Question 45easymultiple choice
Read the full NAT/PAT explanation →

A network engineer runs the following command to debug NAT with access lists:

R1# debug ip nat access-list 100

NAT: access list 100 matched ip 10.1.1.1 -> 192.168.1.1 NAT: access list 100 matched ip 10.1.1.2 -> 192.168.1.1 NAT: access list 100 matched ip 10.1.1.3 -> 192.168.1.1 NAT: access list 100 matched ip 10.1.1.4 -> 192.168.1.1

What does this output indicate?

Question 46mediummultiple choice
Read the full VRF explanation →

A network engineer runs the following command to verify NAT on a VRF:

R1# show ip nat translations vrf CUSTOMER

Pro Inside global Inside local Outside local Outside global --- 10.2.2.2 10.1.1.1 192.168.1.1 192.168.1.1

What is the purpose of the 'vrf CUSTOMER' parameter?

Question 47hardmultiple choice
Read the full NAT/PAT explanation →

A network engineer runs the following command to debug NAT with overload:

R1# debug ip nat overload

NAT: overload: s=10.1.1.1:1234->203.0.113.1:5678, d=192.168.1.1:80 [50] NAT: overload: s=10.1.1.1:1235->203.0.113.1:5679, d=192.168.1.1:80 [51] NAT: overload: s=10.1.1.2:80->203.0.113.1:5680, d=192.168.1.1:1024 [52]

What does this output indicate?

Question 48easymultiple choice
Read the full NAT/PAT explanation →

A network engineer runs the following command to verify NAT after a fix:

R1# show ip nat translations

Pro Inside global Inside local Outside local Outside global --- 203.0.113.1 10.1.1.1 192.168.1.1 192.168.1.1 --- 203.0.113.2 10.1.1.2 192.168.1.2 192.168.1.2

What is the most likely configuration?

Question 49hardmultiple choice
Read the full NAT/PAT explanation →

A network engineer runs the following command to debug NAT with route maps:

R1# debug ip nat policy

NAT: policy: match ip address 100 NAT: policy: match ip address 100 NAT: policy: match ip address 100 NAT: policy: route-map RM-NAT permit 10 match ip address 100 set ip next-hop 10.0.0.1

What does this output indicate?

Question 50mediummultiple choice
Read the full NAT/PAT explanation →

A network engineer runs the following command to verify NAT on an interface:

R1# show ip nat interface GigabitEthernet0/1

GigabitEthernet0/1 is up, line protocol is up NAT: inside, active NAT: outside, active NAT: overload, active

What is the issue with this configuration?

Question 51mediummultiple choice
Read the full NAT/PAT explanation →

What is the default timeout value for a NAT translation entry that is not using Port Address Translation (PAT) in Cisco IOS?

Question 52easymultiple choice
Read the full NAT/PAT explanation →

Which statement accurately describes the behavior of the ip nat inside source static command when configuring static NAT for a single inside host?

Question 53hardmultiple choice
Read the full NAT/PAT explanation →

According to RFC 4787 (NAT Behavioral Requirements for UDP), what is the recommended default timeout for UDP NAT mappings?

Question 54mediummultiple choice
Read the full NAT/PAT explanation →

In Cisco IOS, what is the default timeout for TCP NAT translations when the TCP session is idle?

Question 55mediummultiple choice
Read the full NAT/PAT explanation →

Which of the following is true regarding the default behavior of NAT in Cisco IOS when handling ICMP traffic?

Question 56easymultiple choice
Read the full NAT/PAT explanation →

In the context of NAT and PAT, what is the purpose of the ip nat translation timeout command?

Question 57hardmultiple choice
Read the full NAT/PAT explanation →

Which of the following is a limitation of NAT as defined in RFC 2663?

Question 58hardmultiple choice
Read the full NAT/PAT explanation →

In Cisco IOS, what is the default behavior of the ip nat service command?

Question 59mediummultiple choice
Read the full NAT/PAT explanation →

What is the default maximum number of NAT translations that can be created in Cisco IOS?

Question 60mediumdrag order
Read the full NAT/PAT explanation →

Drag and drop the steps to configure PAT (overload) for dynamic source NAT into the correct order, from first to last.

Question 61harddrag order
Read the full NAT/PAT explanation →

Drag and drop the steps to troubleshoot NAT and PAT adjacency or connectivity failures into the correct order, from first to last.

Question 62mediumdrag order
Read the full NAT/PAT explanation →

Drag and drop the steps to verify and validate NAT and PAT operational state into the correct order, from first to last.

Question 63hardmulti select
Study the full ACL explanation →

Which TWO statements correctly describe the behavior of NAT with route maps and ACLs when using the 'ip nat inside source route-map' feature? (Choose TWO.)

Question 64hardmulti select
Read the full VPN explanation →

An engineer must configure NAT so that inside hosts (192.168.1.0/24) are translated to a public IP pool (203.0.113.1-203.0.113.10) when accessing the Internet, but must NOT translate traffic destined to a VPN subnet (10.10.10.0/24) reachable via the same outside interface. Which TWO configuration steps are required? (Choose TWO.)

Question 65hardmulti select
Read the full NAT/PAT explanation →

Which TWO statements about the 'ip nat outside source' feature are true? (Choose TWO.)

Question 66hardmulti select
Read the full NAT/PAT explanation →

An engineer is troubleshooting a PAT overload configuration on a Cisco router. Inside hosts can access the Internet, but some applications (e.g., FTP, SIP) fail. Which TWO commands can be used to verify the NAT translations and identify the issue? (Choose TWO.)

Question 67hardmulti select
Read the full NAT/PAT explanation →

Which THREE statements about NAT and PAT behavior in Cisco IOS are true? (Choose THREE.)

Question 68hardmultiple choice
Review the full OSPF breakdown →

An engineer configures OSPF on two routers connected via a serial link. Both routers have 'ip ospf network point-to-point' configured, but the link is actually a Frame Relay multipoint subinterface. The OSPF neighbors remain stuck in EXSTART state. Which is the most likely explanation?

Question 69hardmultiple choice
Study the full EIGRP explanation →

An engineer configures EIGRP named mode on a router and uses an offset-list to increase the feasible distance (FD) of a specific route. Unexpectedly, the route is still installed in the routing table with the original metric. Which is the most likely explanation?

Question 70hardmultiple choice
Open the full BGP breakdown →

An engineer configures iBGP between two routers in the same AS. The BGP table shows the prefix, but it is not installed in the routing table. The next-hop is reachable via an IGP route. Which is the most likely explanation?

Question 71hardmultiple choice
Review the full OSPF breakdown →

An engineer configures mutual redistribution between OSPF and EIGRP on a router. After a few minutes, the router's CPU spikes and routes start flapping. Which is the most likely explanation?

Question 72hardmultiple choice
Read the full VPN explanation →

An engineer configures a DMVPN Phase 2 network. Spoke routers can communicate with the hub, but spoke-to-spoke traffic does not trigger a direct tunnel. Which is the most likely explanation?

Question 73hardmultiple choice
Read the full VPN explanation →

An engineer configures an IPsec site-to-site VPN between two routers. The tunnel comes up, but traffic is not encrypted. Which is the most likely explanation?

Question 74hardmultiple choice
Review the full OSPF breakdown →

An engineer configures Control Plane Policing (CoPP) on a router to protect the control plane. After applying the policy, OSPF neighbors go down. The CoPP policy has a class that matches OSPF traffic with a rate-limit of 100 pps. Which is the most likely explanation?

Question 75hardmultiple choice
Read the full NAT/PAT explanation →

An engineer configures unicast Reverse Path Forwarding (uRPF) in strict mode on an interface connected to a network with asymmetric routing. Users report intermittent connectivity issues. Which is the most likely explanation?

Question 76hardmultiple choice
Read the full NAT/PAT explanation →

An engineer configures NAT overload (PAT) on a router to translate internal addresses to a single public IP. Users can browse the web, but some applications that use non-standard ports fail. Which is the most likely explanation?

Practice tests

Scored 10-question sessions with instant feedback and explanations.

300-410 Practice Test 1 — 10 Questions→300-410 Practice Test 2 — 10 Questions→300-410 Practice Test 3 — 10 Questions→300-410 Practice Test 4 — 10 Questions→300-410 Practice Test 5 — 10 Questions→300-410 Practice Exam 1 — 20 Questions→300-410 Practice Exam 2 — 20 Questions→300-410 Practice Exam 3 — 20 Questions→300-410 Practice Exam 4 — 20 Questions→Free 300-410 Practice Test 1 — 30 Questions→Free 300-410 Practice Test 2 — 30 Questions→Free 300-410 Practice Test 3 — 30 Questions→300-410 Practice Questions 1 — 50 Questions→300-410 Practice Questions 2 — 50 Questions→300-410 Exam Simulation 1 — 100 Questions→

Practice by domain

Each domain maps to a weighted exam section. Focus on the domain where you are weakest.

Layer 3 TechnologiesEIGRP TroubleshootingOSPF Troubleshooting (v2/v3)BGP TroubleshootingRoute RedistributionPolicy-Based Routing (PBR)VRF-LiteRoute Maps and Route FilteringAdministrative DistanceRoute SummarizationBidirectional Forwarding Detection (BFD)VPN TechnologiesMPLS OperationsMPLS L3VPNDMVPNIPsec Site-to-Site VPNIPv6 Tunneling TechniquesInfrastructure SecurityDevice Access ControlIPv4 Access Control ListsIPv6 Traffic Filtering and uRPFControl Plane Policing (CoPP)IPv6 First Hop SecurityInfrastructure ServicesDevice ManagementSNMP TroubleshootingNetwork Logging and SyslogEmbedded Event Manager (EEM)IP SLANetFlow and Flexible NetFlowSPAN, RSPAN, and ERSPANDHCP (IPv4 and IPv6)NAT and PAT

Practice by scenario

Filter questions by type — troubleshooting, exhibit, drag-and-drop, PBQ, ACLs, OSPF, and more.

Browse scenarios→

Continue studying

All NAT and PAT setsAll NAT and PAT questions300-410 Practice Hub