Exhibit
access-list 1 permit 10.10.20.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
interface GigabitEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside

Users are in 10.10.10.0/24.
A branch router is configured for NAT overload, but inside hosts still reach the ISP with their private source addresses. Based on the exhibit, what is the most likely reason?
Answer choices
Why each option matters
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
Best answer
The ACL used for NAT does not match the inside client subnet.
The overload statement references ACL 1, but ACL 1 permits 10.10.20.0/24 instead of 10.10.10.0/24.
Distractor review
GigabitEthernet0/0 should be configured as ip nat inside.
The ISP-facing interface is correctly marked outside.
Distractor review
PAT cannot use an interface address as the translated source.
That is exactly how NAT overload commonly works.
Distractor review
The router must run OSPF before NAT overload can function.
NAT does not require OSPF.
Common exam trap
Common exam trap: answer the scenario, not the keyword
A frequent exam trap is assuming that NAT overload requires routing protocols such as OSPF to function or that the outside interface cannot be used as the source address for translation. Some candidates also mistakenly believe that misconfigured interface NAT designations cause the problem when the real issue is the ACL mismatch. The trap lies in overlooking the ACL's role in defining which inside addresses are translated. If the ACL does not include the correct inside subnet, NAT will not translate those packets, causing inside hosts to leak private IPs to the ISP. This subtle misconfiguration is often missed under exam pressure.
Technical deep dive
How to think about this question
Network Address Translation (NAT) overload, also known as Port Address Translation (PAT), lets multiple inside hosts share a single public IP address: the router rewrites each packet's private source IP address and source port to the outside interface's IP address and a unique port. Which packets are eligible is controlled by the access control list (ACL) referenced in the ip nat inside source list command. The router matches packets arriving on an ip nat inside interface against that ACL and translates the ones that match as they exit the ip nat outside interface.

The key to successful NAT overload is therefore that the ACL must cover the inside subnet of the hosts whose traffic needs translation. If the ACL permits a different subnet than the actual inside hosts, those packets do not meet the ACL criteria and the router forwards them untranslated. The interfaces must also be correctly designated with the ip nat inside and ip nat outside commands to define the NAT direction. For matching packets the router translates the source IP address to the outside interface's IP address, allowing multiple hosts to share one public IP.

A common exam trap is misinterpreting the cause of a NAT failure. Candidates might incorrectly assume that the interface configuration or routing protocols like OSPF affect NAT operation. However, NAT translation depends solely on the ACL match and the interface NAT designations. If the ACL references the wrong subnet, inside hosts send packets with private source IPs that are never translated, causing connectivity problems toward the ISP. Understanding this behavior helps avoid misdiagnosing NAT problems and ensures a correct NAT overload implementation in Cisco environments.
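The check the exhibit calls for can be automated. The following Python script is an added example written for this page; it is not code from the page or from Cisco. It parses a running-config excerpt (numbered standard ACLs, the ip nat inside source list N interface X overload form, and per-interface ip address / ip nat inside / ip nat outside lines are the only commands it understands; everything else is an assumption of this example), evaluates the source list top-down against the subnet behind each ip nat inside interface the way the router evaluates it per packet, and reports any part of that subnet that would leave untranslated. The sample configurations embedded in the script are constructed from the exhibit.

```python
"""Audit a Cisco IOS NAT overload config for the exhibit's failure mode:
a source list (ACL) that does not cover the subnet behind 'ip nat inside'.
Added illustration, not page or Cisco code. Assumes numbered standard ACLs
and the 'ip nat inside source list N interface X overload' form only."""
import ipaddress
import re

# Constructed sample: the exhibit's configuration, re-indented in IOS style.
EXHIBIT_CONFIG = """\
access-list 1 permit 10.10.20.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
interface GigabitEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
"""
# The same configuration with the ACL corrected to the real inside subnet.
FIXED_CONFIG = EXHIBIT_CONFIG.replace("10.10.20.0 0.0.0.255", "10.10.10.0 0.0.0.255")

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(.+?)\s*$")
NAT_RE = re.compile(r"^ip nat inside source list\s+(\S+)\s+interface\s+(\S+)(\s+overload)?")


def ace_network(spec):
    """Standard-ACL source spec -> IPv4Network: 'any', 'host A', 'A' (host) or
    'A WILDCARD'. A wildcard is the bit-inverse of a subnet mask; ipaddress
    rejects non-contiguous masks, which this helper does not support."""
    parts = spec.split()
    if parts[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.IPv4Network(parts[1] + "/32")
    if len(parts) == 1 or not re.fullmatch(r"[\d.]+", parts[1]):
        return ipaddress.IPv4Network(parts[0] + "/32")
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(parts[1])) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network((parts[0], str(mask)), strict=False)


def parse_config(text):
    """Collect ACL entries in order, the NAT overload statement, and each
    interface's connected network and NAT role."""
    acls, nat, interfaces, current = {}, None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), ace_network(m.group(3))))
        elif m := NAT_RE.match(line):
            nat = {"list": m.group(1), "interface": m.group(2), "overload": bool(m.group(3))}
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"network": None, "role": None}
        elif current and line.startswith("ip address ") and len(line.split()) == 4:
            _, _, addr, mask = line.split()
            interfaces[current]["network"] = ipaddress.IPv4Network((addr, mask), strict=False)
        elif current and line in ("ip nat inside", "ip nat outside"):
            interfaces[current]["role"] = line.split()[-1]
    return acls, nat, interfaces


def classify(inside_net, acl):
    """Evaluate the ACL top-down against inside_net as the router does per
    packet: a piece of the subnet is translated only if its first matching
    entry is a permit; whatever no entry matches hits the implicit deny.
    Returns (translated, not_translated) as sorted lists of networks."""
    undecided, translated, not_translated = [inside_net], [], []
    for action, ace_net in acl:
        bucket = translated if action == "permit" else not_translated
        remaining = []
        for net in undecided:
            if net.subnet_of(ace_net):        # entry covers this whole piece
                bucket.append(net)
            elif ace_net.subnet_of(net):      # entry covers part of it: split it
                bucket.append(ace_net)
                remaining.extend(net.address_exclude(ace_net))
            else:                             # CIDR blocks are nested or disjoint
                remaining.append(net)
        undecided = remaining
    not_translated.extend(undecided)          # implicit deny at the end of every ACL
    return sorted(translated), sorted(not_translated)


def audit_nat_overload(config_text):
    """Return findings: one per inside subnet the source list leaves partly or
    wholly untranslated, plus interface-role problems. Empty list means OK."""
    acls, nat, interfaces = parse_config(config_text)
    if nat is None:
        return [{"problem": "no 'ip nat inside source list ... interface' statement"}]
    findings = []
    if interfaces.get(nat["interface"], {}).get("role") != "outside":
        findings.append({"problem": f"{nat['interface']} is not marked 'ip nat outside'"})
    acl = acls.get(nat["list"], [])
    for name, info in interfaces.items():
        if info["role"] != "inside" or info["network"] is None:
            continue
        _translated, leaked = classify(info["network"], acl)
        if leaked:
            findings.append({"interface": name, "inside_subnet": str(info["network"]),
                             "acl": nat["list"], "not_translated": [str(n) for n in leaked]})
    return findings


if __name__ == "__main__":
    for label, cfg in (("exhibit", EXHIBIT_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit_nat_overload(cfg) or "no NAT coverage problems")
```

Run against the exhibit, the audit reports that 10.10.10.0/24 behind GigabitEthernet0/1 is not covered by access-list 1; with the ACL corrected it reports nothing. Because classify walks the entries in order and splits the subnet on partial overlaps, it also catches the subtler cases the exam does not show: a permit that covers only half the subnet, or a deny host line ahead of the permit, each of which leaves a specific range untranslated.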
Key Concepts to Remember
- NAT overload uses an access control list (ACL) to identify which inside local IP addresses should be translated to the outside global IP address.
- The ACL used in a NAT overload configuration must precisely match the inside subnet of the hosts to ensure their traffic is translated correctly.
- Cisco routers require interfaces to be explicitly designated as ip nat inside or ip nat outside to determine the direction of NAT translation.
- NAT overload (PAT) commonly uses the IP address of the outside interface as the translated source address for multiple inside hosts.
- Routing protocols like OSPF are unrelated to NAT operation and do not affect NAT overload functionality.
- If the ACL does not match the inside subnet, the router will not translate the source IP addresses, causing inside hosts to appear with private IPs externally.
- The NAT translation process depends on matching traffic against the ACL or route map specified in the ip nat inside source command.
- Misconfiguration of the ACL is a frequent cause of NAT overload failure, especially when the permitted subnet does not correspond to the actual inside hosts.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
FAQ
Questions learners often ask
What does this 200-301 question test?
NAT overload uses an access control list (ACL) to identify which inside local IP addresses should be translated to the outside global IP address.
What is the correct answer to this question?
The correct answer is: The ACL used for NAT does not match the inside client subnet. — The ACL matches the wrong inside subnet. NAT overload will only translate traffic that matches the source list or route map tied to the NAT statement. The interfaces are marked inside and outside correctly, so the incorrect match criteria are the most likely failure point.
What should I do if I get this 200-301 question wrong?
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.