Question 1hardmultiple choice
Full question →hardmultiple choiceObjective-mapped
A branch office uses PAT for user Internet access. The administrator notices that inside users can browse out, but an internal server still cannot be reached consistently from outside. Which change is most appropriate?
Answer choices
Why each option matters
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
A
Best answer
Add a static NAT mapping for the server while leaving PAT in place for user traffic.
This is correct because static NAT provides the server with a stable public identity.
B
Distractor review
Replace PAT with DHCP relay.
This is wrong because DHCP relay is unrelated to public server reachability.
C
Distractor review
Disable NAT entirely because PAT is preventing inbound routing.
This is wrong because private IPv4 addresses still need translation for Internet reachability.
D
Distractor review
Put the server in the native VLAN.
This is wrong because native VLAN configuration does not publish a server to the Internet.
Common exam trap
Common exam trap: answer the scenario, not the keyword
A frequent exam trap is to confuse the role of PAT and static NAT, leading to the incorrect assumption that disabling NAT or changing VLANs will fix inbound server reachability. Disabling NAT entirely stops all address translation, breaking Internet access for all internal hosts. Changing VLANs, such as moving a server to the native VLAN, does not affect NAT or public accessibility. Another trap is to replace PAT with unrelated features like DHCP relay, which does not influence NAT or inbound connections. Understanding that static NAT is required for stable inbound access while PAT supports outbound user traffic avoids these mistakes.
Technical deep dive
How to think about this question
Network Address Translation (NAT) is a fundamental IP service in Cisco networking that modifies IP address information in packet headers while in transit. PAT, a type of NAT, enables multiple internal devices to access the Internet using a single public IP address by tracking sessions with unique port numbers. This approach efficiently conserves public IP addresses and supports outbound connections from many users simultaneously. However, PAT inherently complicates inbound connections because the router cannot predict which internal device should receive unsolicited inbound traffic on a shared public IP. For internal servers that must be reachable from outside, static NAT is required. Static NAT assigns a fixed public IP address to the server’s private IP, ensuring consistent inbound reachability. Cisco routers support both static NAT and PAT simultaneously, allowing user traffic to use PAT while servers use static NAT mappings. A common exam trap is to assume that disabling NAT or changing VLAN assignments will solve inbound reachability issues. Disabling NAT breaks all Internet connectivity for private addresses, and VLAN changes do not influence NAT behavior. The practical solution is to configure static NAT for the server to provide a stable public identity, while continuing to use PAT for general user Internet access. This distinction is critical for CCNA candidates to understand NAT design and troubleshooting.
KKey Concepts to Remember
- Network Address Translation (NAT) translates private IP addresses to public IP addresses to enable Internet communication for internal devices.
- Port Address Translation (PAT) allows multiple internal hosts to share a single public IP address by differentiating sessions using port numbers.
- Static NAT creates a fixed one-to-one mapping between an internal private IP address and a public IP address, enabling consistent inbound access.
- PAT is suitable for outbound Internet access from multiple users but does not provide stable inbound access to internal servers.
- A static NAT mapping is necessary for internal servers that must be reachable consistently from outside the network.
- Static NAT and PAT can coexist on the same router to support both outbound user traffic and inbound server accessibility.
- Disabling NAT entirely would prevent private IP addresses from being translated, breaking Internet connectivity for internal hosts.
- Changing VLAN configurations, such as placing a server in the native VLAN, does not affect NAT behavior or public accessibility.
TExam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Related practice questions
Related 200-301 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
CCNA subnetting practice questions
Practise IPv4 subnetting, CIDR, masks, host ranges and subnet selection.
CCNA OSPF practice questions
Practise OSPF neighbours, router IDs, metrics, areas and routing-table interpretation.
CCNA VLAN practice questions
Practise VLANs, access ports, trunks, allowed VLANs and switching scenarios.
CCNA STP practice questions
Practise spanning tree, root bridge election, port roles and STP troubleshooting.
CCNA EtherChannel practice questions
Practise LACP, PAgP, port-channel behaviour and bundle requirements.
CCNA ACL practice questions
Practise standard and extended ACLs, permit/deny logic and traffic filtering.
CCNA NAT practice questions
Practise static NAT, dynamic NAT, PAT and inside/outside address translation.
CCNA DHCP practice questions
Practise DHCP scopes, relay, leases and troubleshooting.
CCNA show ip route practice questions
Practise routing-table output, longest-prefix match, AD and route selection.
CCNA show interfaces trunk practice questions
Practise trunk verification and VLAN forwarding across switches.
CCNA wireless security practice questions
Practise WLAN security, authentication and wireless architecture concepts.
CCNA IPv6 practice questions
Practise IPv6 addressing, routes, neighbour discovery and common IPv6 exam traps.
More questions from this exam
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
A router learns the same prefix from both OSPF and EIGRP. Which route is installed by default?
Question 2
A router shows this output: R1#show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 10.1.1.2 1 FULL/DR 00:00:34 192.168.12.2 GigabitEthernet0/0 10.1.1.3 1 2WAY/DROTHER 00:00:39 192.168.12.3 GigabitEthernet0/0 Which statement is correct?
Question 3
What is the OSPF metric called?
Question 4
A non-root switch has two uplinks toward the root bridge. One path has a lower total STP cost than the other. What role will the lower-cost uplink have?
Question 5
A router interface applies this ACL inbound: 10 deny tcp any any eq 80 20 permit ip any any A user reports that web browsing to a server by IP address fails, but ping works. Which statement best explains the behavior?
Question 6
A router learns route 198.51.100.0/24 from OSPF with AD 110 and also has a static route to the same prefix configured with AD 150. Which route is installed?
FAQ
Questions learners often ask
What does this 200-301 question test?
Network Address Translation (NAT) translates private IP addresses to public IP addresses to enable Internet communication for internal devices.
What is the correct answer to this question?
The correct answer is: Add a static NAT mapping for the server while leaving PAT in place for user traffic. — The most appropriate change is to add a static NAT mapping for the internal server while keeping PAT for ordinary user traffic. In practical terms, PAT solves the many-users-outbound problem by allowing shared use of a public address. But an inbound-published server needs a stable, predictable public identity. That requirement is different from the requirement for user browsing. This is a common NAT design distinction. PAT and static NAT can coexist because they solve different problems. The best answer is the one that preserves PAT for users while giving the server a fixed public translation.
What should I do if I get this 200-301 question wrong?
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.
Discussion
Loading comments…
Sign in to join the discussion.