Question 984 of 1,819
Network Services and SecurityhardMultiple ChoiceObjective-mapped

Quick Answer

The answer is that the inside and outside NAT interface roles are reversed. PAT fails because the router applies Network Address Translation logic based on which interface is designated as inside (typically the private LAN) and which is outside (the public WAN). When these roles are swapped, the router attempts to translate traffic in the wrong direction, so private source addresses are not translated to the public IP as they exit, and return traffic cannot be correctly mapped back. This is a classic CCNA 200-301 v2 troubleshooting scenario that tests your ability to spot a single misconfiguration in an otherwise correct setup—a common trap where candidates focus on ACLs or pool exhaustion instead. The key memory tip is to remember the direction of traffic: inside is where your private hosts live, outside is where the internet lives; if PAT is failing, always verify which interface has the ip nat inside and ip nat outside commands applied.

CCNA NAT interface roles (inside vs outside) Practice Question

This 200-301 practice question tests your understanding of network services and security. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. A key principle to apply: nAT interface roles (inside vs outside). Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Exhibit

interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 203.0.113.10 255.255.255.252
 ip nat inside
!
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/1 overload

Based on the exhibit, what is the most likely reason PAT is not working correctly?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "most likely"

    Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

Question 1hardmultiple choice
Read the full NAT/PAT explanation →

Exhibit

interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 203.0.113.10 255.255.255.252
 ip nat inside
!
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/1 overload

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

The inside and outside NAT interface roles are reversed.

PAT is not working correctly because the inside and outside NAT roles are reversed on the interfaces. In practical terms, the private LAN-facing interface should be marked as inside, and the public-facing WAN interface should be marked as outside. In the exhibit, the router has those roles backwards, so translation logic is applied in the wrong direction. This is a very realistic NAT troubleshooting item because the configuration is close to correct and the failure comes from one directional mistake.

Key principle: NAT interface roles (inside vs outside)

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The inside and outside NAT interface roles are reversed.

    Why this is correct

    This is correct because the private interface should be inside and the public interface should be outside.

    Clue confirmation

    The clue word "most likely" in the question point toward this answer.

    Related concept

    NAT interface roles (inside vs outside)

  • PAT requires OSPF to be enabled on the WAN link.

    Why it's wrong here

    This is wrong because PAT does not depend on OSPF.

    When this WOULD be correct

    In a different scenario where the question specifies that PAT is being implemented in a network that relies on OSPF for routing updates, and the exam asks about the necessity of OSPF for proper NAT functionality, this option could be correct if the question indicates that OSPF misconfigurations are impacting NAT operations.

  • The ACL must be numbered 100 instead of 1.

    Why it's wrong here

    This is wrong because a standard ACL such as 1 is valid for this NAT rule.

    When this WOULD be correct

    In a different scenario, if the question specifically states that the router is using a legacy configuration where only numbered ACLs are supported, and that ACL 100 is explicitly required for NAT rules, then this option would be correct.

  • The router must use GRE before PAT can overload.

    Why it's wrong here

    This is wrong because PAT does not require GRE tunneling.

    When this WOULD be correct

    In a different scenario where the question specifies that the network is using GRE tunnels for remote site connectivity, and the configuration requires PAT to be applied to traffic traversing these tunnels, then this option could be correct. For example, if the question states that PAT is not functioning due to the absence of GRE encapsulation on the WAN link, this would validate the option.

Option-by-option analysis

Why each answer is right or wrong

Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.

The inside and outside NAT interface roles are reversed.Correct answer

Why this is correct

This is correct because the private interface should be inside and the public interface should be outside.

PAT requires OSPF to be enabled on the WAN link.Wrong answer — click to see why

Why this is wrong here

PAT (Port Address Translation) operates at Layer 3/4 and does not require any dynamic routing protocol like OSPF to function. OSPF is used for route exchange, not for NAT operations.

★ When this WOULD be the correct answer

In a different scenario where the question specifies that PAT is being implemented in a network that relies on OSPF for routing updates, and the exam asks about the necessity of OSPF for proper NAT functionality, this option could be correct if the question indicates that OSPF misconfigurations are impacting NAT operations.

Why candidates choose this

Students may think that because the WAN link often runs OSPF for routing, PAT might depend on it, but PAT works independently of the routing protocol used.

The ACL must be numbered 100 instead of 1.Wrong answer — click to see why

Why this is wrong here

Standard ACLs (numbered 1-99 or 1300-1999) can be used in NAT to identify traffic for translation; they match only source IP addresses. Extended ACLs (100-199) are not required for basic PAT configuration.

★ When this WOULD be the correct answer

In a different scenario, if the question specifically states that the router is using a legacy configuration where only numbered ACLs are supported, and that ACL 100 is explicitly required for NAT rules, then this option would be correct.

Why candidates choose this

Some students confuse the ACL numbering with the requirement for extended ACLs in NAT, but standard ACLs are sufficient when only source IP matching is needed.

The router must use GRE before PAT can overload.Wrong answer — click to see why

Why this is wrong here

GRE (Generic Routing Encapsulation) is a tunneling protocol used to encapsulate packets for VPNs or routing over non-IP networks. PAT does not require any tunneling; it translates private IP addresses to a public IP using port numbers.

★ When this WOULD be the correct answer

In a different scenario where the question specifies that the network is using GRE tunnels for remote site connectivity, and the configuration requires PAT to be applied to traffic traversing these tunnels, then this option could be correct. For example, if the question states that PAT is not functioning due to the absence of GRE encapsulation on the WAN link, this would validate the option.

Why candidates choose this

Students might associate GRE with NAT because both are used in VPN scenarios, but PAT functions independently and does not rely on GRE.

Analysis generated from the official 200-301blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”

Common exam traps

Common exam trap: answer the scenario, not the keyword

A common exam trap is confusing the NAT inside and outside interface roles. Candidates might overlook that reversing these roles causes PAT to fail silently, as translation direction depends on correct interface designation. Misunderstanding this can lead to incorrect troubleshooting steps, such as focusing on routing protocols or ACL numbering, which do not impact PAT functionality directly.

Detailed technical explanation

How to think about this question

Port Address Translation (PAT) relies heavily on correct NAT interface role assignments to function properly. The 'ip nat inside' command marks interfaces connected to the private network, while 'ip nat outside' marks those connected to the public network. When these roles are reversed, the router attempts to translate traffic in the wrong direction, causing PAT to fail. This misconfiguration prevents the router from correctly mapping private IP addresses and ports to the public IP address and ports. Unlike routing protocols such as OSPF or GRE tunneling, PAT does not depend on these technologies for operation. Additionally, the ACL used to identify traffic for NAT translation can be either standard or extended and does not require a specific number like 100; any valid ACL number is acceptable. Understanding the directional nature of NAT and the importance of interface roles is critical for troubleshooting NAT-related issues on Cisco devices.

KKey Concepts to Remember

  • NAT interface roles (inside vs outside)
  • Port Address Translation (PAT) functionality
  • Access Control Lists (ACL) in NAT

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

NAT interface roles (inside vs outside)

Real-world example

How this comes up in practice

A network engineer at a university connects two campus buildings via a fibre link. Both routers run OSPF, but no adjacency forms — even though both routers can ping each other. The engineer finds one router is in area 0 and the other in area 1. OSPF adjacency requires matching area numbers, hello/dead timers, and network type. IP reachability alone is not enough.

What to study next

Got this wrong? Here's your next step.

Review nAT interface roles (inside vs outside), then practise related 200-301 questions on the same topic to reinforce the concept.

Related practice questions

Related 200-301 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free 200-301 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this 200-301 question test?

Network Services and Security — This question tests Network Services and Security — NAT interface roles (inside vs outside).

What is the correct answer to this question?

The correct answer is: The inside and outside NAT interface roles are reversed. — PAT is not working correctly because the inside and outside NAT roles are reversed on the interfaces. In practical terms, the private LAN-facing interface should be marked as inside, and the public-facing WAN interface should be marked as outside. In the exhibit, the router has those roles backwards, so translation logic is applied in the wrong direction. This is a very realistic NAT troubleshooting item because the configuration is close to correct and the failure comes from one directional mistake.

What should I do if I get this 200-301 question wrong?

Review nAT interface roles (inside vs outside), then practise related 200-301 questions on the same topic to reinforce the concept.

Are there clue words in this question I should notice?

Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

What is the key concept behind this question?

NAT interface roles (inside vs outside)

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Keep practising

More 200-301 practice questions

Last reviewed: May 17, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.