Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


350-401 NAT and PAT Configuration Scenarios

NAT and PAT questions cover static NAT (one-to-one), dynamic NAT (pool-based), and PAT/overload (many-to-one using port numbers). The CCNA asks you to read NAT table output, fix misconfigured NAT, and match the right NAT type to a scenario.


Common Traps on NAT and PAT Configuration Scenarios

  • Forgetting 'ip nat inside' and 'ip nat outside' on the correct interfaces — NAT won't translate without these.
  • Using the wrong ACL in the NAT statement — the ACL must match the inside local address range.
  • Confusing inside local (private LAN IP), inside global (public IP seen externally), and outside global (destination).
  • Expecting NAT to work without a default route to forward translated packets to the internet.
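
A small configuration audit for the interface, ACL and default-route traps listed above, as an added example (not Courseiva's code). It handles only numbered standard ACLs in the `permit <network> <wildcard>` form; both sample configurations are constructed, and the next hop 10.0.0.254 is an assumed value.

```python
import ipaddress
import re

def audit_nat(config):
    """Return findings for the NAT traps above; an empty list means none were hit."""
    inside_nets, has_outside, has_default = [], False, False
    acls, nat_lists, iface_net = {}, [], None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            iface_net = None  # new interface stanza, address not seen yet
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            iface_net = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif line == "ip nat inside" and iface_net is not None:
            inside_nets.append(iface_net)
        elif line == "ip nat outside":
            has_outside = True
        elif m := re.match(r"access-list (\d+) permit (\S+) (\S+)$", line):
            # The wildcard mask is parsed as a host mask: 0.0.0.255 -> /24
            acls.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}"))
        elif m := re.match(r"ip nat inside source list (\d+) ", line):
            nat_lists.append(m[1])
        elif line.startswith("ip route 0.0.0.0 0.0.0.0 "):
            has_default = True
    findings = []
    if not inside_nets:
        findings.append("no interface marked 'ip nat inside'")
    if not has_outside:
        findings.append("no interface marked 'ip nat outside'")
    for acl in nat_lists:
        if acl not in acls:
            findings.append(f"NAT references undefined access-list {acl}")
        elif inside_nets and not any(n.subnet_of(p) for n in inside_nets for p in acls[acl]):
            findings.append(f"access-list {acl} does not cover an inside subnet")
    if not has_default:
        findings.append("no default route for translated traffic")
    return findings

# Constructed sample: 'ip nat outside' missing, ACL matches the wrong subnet, no default route.
BROKEN = """
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
access-list 1 permit 192.168.2.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload
"""
# Constructed corrected version of the same configuration.
FIXED = (BROKEN.replace("192.168.2.0", "192.168.1.0")
         .replace("interface GigabitEthernet0/1", " ip nat outside\ninterface GigabitEthernet0/1")
         + "ip route 0.0.0.0 0.0.0.0 10.0.0.254\n")
```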

Sample Questions

1.

Drag and drop the steps of VRF-aware NAT configuration for path isolation into the correct order, from first to last.

A. Create VRF and assign route distinguisher
B. Configure NAT inside/outside interfaces under VRF
C. Define NAT pool and access list
D. Apply NAT rules with 'ip nat inside source'

Explanation: First, you create the VRF and assign an RD. Then, you configure the NAT inside and outside interfaces under the VRF. Next, you define the NAT pool and access list for translation. After that, you apply the NAT rules with 'ip nat inside source' referencing the VRF. Finally, you verify NAT translations using 'show ip nat translations vrf'.

2.

A network engineer issues the following command on Router R6:

    R6# show ip nat translations
    Pro  Inside global        Inside local     Outside local      Outside global
    ---  192.168.1.100        10.0.0.10        ---                ---
    ---  192.168.1.101        10.0.0.11        ---                ---
    udp  192.168.1.100:1234   10.0.0.10:1234   203.0.113.5:53     203.0.113.5:53
    tcp  192.168.1.101:80     10.0.0.11:80     198.51.100.2:443   198.51.100.2:443

Based on this output, what is true about the NAT translations?

A. All translations are static NAT entries.
B. The translation for 10.0.0.10 to 192.168.1.100 is a dynamic NAT without PAT.
C. The router is performing only PAT (overload).
D. The outside global address is the same for all translations.

Explanation: The output shows dynamic NAT translations with inside local and inside global addresses. The presence of protocol-specific translations (udp, tcp) indicates PAT (NAT overload) is in use for some traffic.

3.

    interface GigabitEthernet0/0
     ip address 10.0.0.1 255.255.255.0
     ip nat outside
    !
    interface GigabitEthernet0/1
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
    !
    access-list 1 permit 192.168.1.0 0.0.0.255
    !
    ip nat inside source list 1 interface GigabitEthernet0/0 overload

What is the effect of this configuration?

A. All traffic from 192.168.1.0/24 will be translated to the IP address of GigabitEthernet0/0 using PAT.
B. Only one host from 192.168.1.0/24 can access the internet at a time.
C. Traffic from the outside interface will be translated to 192.168.1.0/24.
D. The configuration will fail because the access list must be applied to an interface.

Explanation: This is a standard NAT overload (PAT) configuration. The inside network 192.168.1.0/24 is translated to the IP address of the outside interface (GigabitEthernet0/0) using port address translation. All inside hosts share the outside interface IP address.

4.

A network engineer is configuring a Cisco router to provide internet access to a small office using a single public IP address assigned by the ISP. The engineer wants to allow internal hosts to initiate connections to the internet, but also needs to make a web server on the internal network reachable from the internet. The engineer configures a standard access list for NAT and an ip nat inside source list command. However, external users cannot reach the internal web server. What is the most likely cause?

A. The access list used for NAT does not permit the web server's IP address.
B. The engineer forgot to add the ip nat inside source static command for the web server.
C. The ip nat inside and ip nat outside commands are applied on the wrong interfaces.
D. The global configuration mode is missing the ip nat pool command.

Explanation: The scenario requires both dynamic NAT (for outbound traffic) and static NAT (for inbound access to the web server). Using only a dynamic NAT configuration with an access list will not provide a permanent mapping for the web server.

5.

A network engineer is troubleshooting a NAT issue where an internal host cannot establish an SSH session to a remote server on the internet. The engineer checks the NAT translations on the border router and sees that the translation for the host's source IP is present. However, the SSH session times out. The engineer also notices that the remote server's IP is not in the NAT translation table. What is the most likely cause?

A. The router is performing NAT only for the source IP, but the return traffic is taking a different path that does not go through the NAT router.
B. The SSH server is blocking connections from the public IP address.
C. The NAT overload is causing port conflicts for SSH.
D. The access list used for NAT is denying the SSH traffic.

Explanation: For a successful NAT session, both the outbound and inbound translations must be present. If only the outbound translation exists, the return traffic is not being translated back correctly, possibly due to asymmetric routing or a missing route.


Related Topics

static NAT, dynamic NAT, PAT overload

Frequently asked questions

How do "NAT and PAT Configuration Scenarios" appear on the real 350-401?

NAT and PAT questions cover static NAT (one-to-one), dynamic NAT (pool-based), and PAT/overload (many-to-one using port numbers). The CCNA asks you to read NAT table output, fix misconfigured NAT, and match the right NAT type to a scenario. These appear throughout the 350-401 and require you to apply your knowledge, not just recall facts.

How many scenario questions are on the 350-401 exam?

Cisco doesn't publish an exact breakdown, but scenario-based questions (especially exhibit and command-output formats) make up a significant portion of the 350-401. Practicing each scenario type ensures you're ready for any format.

Are these 350-401 scenario practice questions free?

Yes. Courseiva provides free 350-401 scenario practice across all official exam domains. The platform includes scenario-based questions, command-output interpretation, topic-based practice, mock exams, and readiness tracking — no account required.


Scenario Info

Type: Scenario Practice
Exam: 350-401
Questions: 15+