Question 550 of 1,819
Network Services and SecurityhardTroubleshootingObjective-mapped

Quick Answer

The answer is to change GigabitEthernet0/1 to 'ip nat outside', add the 'overload' keyword to the PAT command, and correct ACL 1 to permit 192.168.1.0 0.0.0.255. These three fixes resolve the misconfigured NAT by ensuring the outside interface is correctly designated, enabling port address translation for the LAN, and matching the ACL to the actual inside subnet. On the CCNA 200-301 v2 exam, this scenario tests your ability to configure static NAT and PAT (overload) on Cisco IOS-XE with troubleshooting, a common lab simulation where a single misstep—like an inverted interface or missing keyword—breaks both translations. The trap here is confusing inside and outside interfaces or forgetting that PAT requires 'overload' to share one public IP across multiple hosts. Remember the mnemonic: "Inside hosts need Outside interface, Overload for PAT, and ACLs must match your LAN."

CCNA Network Services and Security Practice Question

This 200-301 practice question tests your understanding of network services and security. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Network Topology
G0/0192.168.1.1/24G0/1203.0.113.1/30Internal hostsLANR1InternetISP

You are connected to R1. Configure static NAT for a public web server (198.51.100.10 to 192.168.1.10) and PAT for the 192.168.1.0/24 LAN to use interface GigabitEthernet0/1 with overload. The current configuration has misconfigured NAT that prevents both types from working. Identify and fix the issues so that internal hosts can access the internet and external hosts can reach the internal web server.

Question 1hardTroubleshooting
Read the full NAT/PAT explanation →

Exhibit

R1# show running-config | section ip nat
ip nat inside source list 1 interface GigabitEthernet0/1
ip nat inside source static tcp 192.168.1.10 80 198.51.100.10 80 extendable
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.252
 ip nat inside
!
access-list 1 permit 192.168.2.0 0.0.0.255

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Change interface GigabitEthernet0/1 to 'ip nat outside', add 'overload' to the PAT command, and correct ACL 1 to permit 192.168.1.0 0.0.0.255.

Three issues exist: (1) GigabitEthernet0/1 is the outside interface but is configured as 'ip nat inside' — it should be 'ip nat outside'. (2) The PAT command lacks the 'overload' keyword, so it does one-to-one translation instead of port address translation. (3) ACL 1 permits 192.168.2.0/24, but the inside LAN is 192.168.1.0/24 — the ACL must match the correct subnet. Correcting these allows PAT for the LAN and static NAT for the web server.

Key principle: Count usable hosts — not total addresses — and remember that the network and broadcast addresses are not available to hosts in standard IPv4 subnets.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Change interface GigabitEthernet0/1 to 'ip nat outside', add 'overload' to the PAT command, and correct ACL 1 to permit 192.168.1.0 0.0.0.255.

    Why this is correct

    This corrects all three issues: the outside interface must be 'ip nat outside', PAT requires the 'overload' keyword for port translation, and ACL 1 must match the inside LAN subnet 192.168.1.0/24.

    Related concept

    CIDR notation defines the prefix length.

  • Change interface GigabitEthernet0/1 to 'ip nat outside', add 'overload' to the PAT command, and change ACL 1 to permit 192.168.2.0 0.0.0.255.

    Why it's wrong here

    This is incorrect because ACL 1 still permits the wrong subnet (192.168.2.0/24) instead of the actual inside LAN (192.168.1.0/24).

  • Change interface GigabitEthernet0/1 to 'ip nat inside', add 'overload' to the PAT command, and correct ACL 1 to permit 192.168.1.0 0.0.0.255.

    Why it's wrong here

    This is incorrect because GigabitEthernet0/1 is the outside interface (connected to the public network) and must be configured as 'ip nat outside', not 'ip nat inside'.

  • Change interface GigabitEthernet0/1 to 'ip nat outside', remove the 'overload' keyword from the PAT command, and correct ACL 1 to permit 192.168.1.0 0.0.0.255.

    Why it's wrong here

    This is incorrect because removing 'overload' makes the PAT command perform one-to-one translation instead of port address translation, which would exhaust public IP addresses.

Option-by-option analysis

Why each answer is right or wrong

Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.

Change interface GigabitEthernet0/1 to 'ip nat outside', add 'overload' to the PAT command, and correct ACL 1 to permit 192.168.1.0 0.0.0.255.Correct answer

Why this is correct

This corrects all three issues: the outside interface must be 'ip nat outside', PAT requires the 'overload' keyword for port translation, and ACL 1 must match the inside LAN subnet 192.168.1.0/24.

Change interface GigabitEthernet0/1 to 'ip nat outside', add 'overload' to the PAT command, and change ACL 1 to permit 192.168.2.0 0.0.0.255.Wrong answer — click to see why

Why this is wrong here

The ACL must match the inside network; permitting a different subnet will not translate traffic from the correct LAN.

Why candidates choose this

Candidates may misread the LAN subnet or think the ACL is correct as given.

Change interface GigabitEthernet0/1 to 'ip nat inside', add 'overload' to the PAT command, and correct ACL 1 to permit 192.168.1.0 0.0.0.255.Wrong answer — click to see why

Why this is wrong here

The NAT inside/outside designation is based on the direction of traffic; the interface facing the public network must be outside.

Why candidates choose this

Candidates often confuse inside and outside interfaces, especially when both static NAT and PAT are used.

Change interface GigabitEthernet0/1 to 'ip nat outside', remove the 'overload' keyword from the PAT command, and correct ACL 1 to permit 192.168.1.0 0.0.0.255.Wrong answer — click to see why

Why this is wrong here

Without 'overload', the router will not use port numbers to multiplex multiple inside hosts to a single public IP.

Why candidates choose this

Candidates may think 'overload' is optional or misunderstand its purpose in conserving IP addresses.

Analysis generated from the official 200-301blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”

Common exam traps

Common exam trap: usable hosts are not the same as total addresses

Subnetting questions often tempt you into counting all addresses. In normal IPv4 subnets, the network and broadcast addresses are not usable host addresses.

Trap categories for this question

  • Command / output trap

    This is incorrect because removing 'overload' makes the PAT command perform one-to-one translation instead of port address translation, which would exhaust public IP addresses.

Detailed technical explanation

How to think about this question

Subnetting questions test whether you can identify the network, broadcast address, usable range, mask and correct subnet. Slow down enough to calculate the block size correctly.

KKey Concepts to Remember

  • CIDR notation defines the prefix length.
  • Block size helps identify subnet boundaries.
  • Network and broadcast addresses are not usable hosts in normal IPv4 subnets.
  • The required host count determines the smallest suitable subnet.

TExam Day Tips

  • Write the block size before choosing the subnet.
  • Check whether the question asks for hosts, subnets or a specific address range.
  • Do not confuse /24, /25, /26 and /27 host counts.

Key takeaway

Count usable hosts — not total addresses — and remember that the network and broadcast addresses are not available to hosts in standard IPv4 subnets.

Real-world example

How this comes up in practice

A small business has 20 workstations on the 192.168.1.0/24 network and one public IP from its ISP. The router uses PAT (NAT overload) so all 20 devices share one public address using different source ports. NAT questions test whether you understand the four address terms and which direction each translation applies.

What to study next

Got this wrong? Here's your next step.

Review block sizes, usable host formulas (2^n − 2), and how to find network and broadcast addresses for /24 through /30. Then practise related 200-301 subnetting questions on CIDR, address ranges, and subnet selection.

Related practice questions

Related 200-301 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free 200-301 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this 200-301 question test?

Network Services and Security — This question tests Network Services and Security — CIDR notation defines the prefix length..

What is the correct answer to this question?

The correct answer is: Change interface GigabitEthernet0/1 to 'ip nat outside', add 'overload' to the PAT command, and correct ACL 1 to permit 192.168.1.0 0.0.0.255. — Three issues exist: (1) GigabitEthernet0/1 is the outside interface but is configured as 'ip nat inside' — it should be 'ip nat outside'. (2) The PAT command lacks the 'overload' keyword, so it does one-to-one translation instead of port address translation. (3) ACL 1 permits 192.168.2.0/24, but the inside LAN is 192.168.1.0/24 — the ACL must match the correct subnet. Correcting these allows PAT for the LAN and static NAT for the web server.

What should I do if I get this 200-301 question wrong?

Review block sizes, usable host formulas (2^n − 2), and how to find network and broadcast addresses for /24 through /30. Then practise related 200-301 subnetting questions on CIDR, address ranges, and subnet selection.

What is the key concept behind this question?

CIDR notation defines the prefix length.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Same concept, more angles

5 more ways this is tested on 200-301

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. Which THREE statements correctly describe the configuration and verification of NAT, PAT, and static NAT?

medium
  • A.To configure static NAT, use the command 'ip nat inside source static <inside-local> <inside-global>'.
  • B.PAT uses the command 'ip nat inside source list <acl> interface <interface> overload' to translate multiple inside addresses to the interface's IP using different port numbers.
  • C.The command 'show ip nat statistics' displays the current active translations including inside and outside addresses.
  • D.When configuring dynamic NAT, you must define a NAT pool using the command 'ip nat pool <name> <start-ip> <end-ip> netmask <mask>' and then use an ACL to match inside traffic.
  • E.To verify that static NAT is working, you should check the output of 'show ip interface brief' and look for the translated IP.

Why A: Option A is correct because the 'ip nat inside source static' command creates a one-to-one permanent NAT mapping. Option B is correct because PAT is configured by adding the 'overload' keyword to a dynamic NAT statement that references an ACL and an interface, allowing many private addresses to share a single public IP with different port numbers. Option D is correct: dynamic NAT requires a NAT pool defined with 'ip nat pool' and an access list to identify the inside traffic to be translated. Option C is incorrect because 'show ip nat statistics' only displays counters and summary information, not the active translation entries; those are shown with 'show ip nat translations'. Option E is incorrect because 'show ip interface brief' does not show NAT translation mappings; verification of static NAT requires 'show ip nat translations'.

Variation 2. You are connected to R1. Configure PAT (NAT overload) so that hosts on the 192.168.1.0/24 inside network can reach the Internet through the outside interface GigabitEthernet0/1 using the IP address 203.0.113.1. Additionally, configure static NAT to map internal server 192.168.1.10 to public IP 203.0.113.5. The current configuration has several errors. Identify and correct them.

hard
  • A.Correct the NAT interface directions: G0/0 as inside, G0/1 as outside. Add 'overload' to the PAT command. Change ACL 100 to permit 192.168.1.0 0.0.0.255.
  • B.Change the NAT interface directions: G0/0 as outside, G0/1 as inside. Add 'overload' to the PAT command. Change ACL 100 to permit 192.168.1.0 0.0.0.255.
  • C.Correct the NAT interface directions: G0/0 as inside, G0/1 as outside. Add 'overload' to the PAT command. Keep ACL 100 as is because it already permits the correct subnet.
  • D.Change the NAT interface directions: G0/0 as outside, G0/1 as inside. Add 'overload' to the PAT command. Change ACL 100 to permit 192.168.1.0 0.0.0.255.

Why A: The configuration had three issues: (1) Inside and outside interfaces were swapped — G0/0 (inside) was marked 'ip nat outside' and G0/1 (outside) was 'ip nat inside'. (2) The PAT command was missing the 'overload' keyword. (3) ACL 100 matched the wrong subnet (192.168.2.0 instead of 192.168.1.0). To fix: correct interface NAT directions, add 'overload', and update ACL to permit 192.168.1.0/24.

Variation 3. You are connected to R1 in a small office network. Configure PAT (NAT overload) so that hosts on the 192.168.1.0/24 LAN can access the Internet via the public IP 203.0.113.1 (the IP assigned to interface G0/0). Also configure a static NAT for the internal web server at 192.168.1.10 to the public IP 203.0.113.6. The current configuration has errors: the inside/outside interface assignments are swapped, the ACL for PAT does not match the inside subnet, and the PAT rule points to the wrong ACL. Fix all issues so that both PAT and static NAT work correctly.

hard
  • A.Configure G0/0 as outside, G0/1 as inside; modify ACL 1 to permit 192.168.1.0 0.0.0.255; apply ip nat inside source list 1 interface G0/0 overload; keep ip nat inside source static 192.168.1.10 203.0.113.6
  • B.Configure G0/0 as inside, G0/1 as outside; modify ACL 1 to permit 192.168.1.0 0.0.0.255; apply ip nat inside source list 1 interface G0/1 overload; keep ip nat inside source static 192.168.1.10 203.0.113.6
  • C.Configure G0/0 as outside, G0/1 as inside; modify ACL 1 to permit 192.168.2.0 0.0.0.255; apply ip nat inside source list 1 interface G0/0 overload; keep ip nat inside source static 192.168.1.10 203.0.113.6
  • D.Configure G0/0 as outside, G0/1 as inside; modify ACL 1 to permit 192.168.1.0 0.0.0.255; apply ip nat inside source list 2 interface G0/0 overload; keep ip nat inside source static 192.168.1.10 203.0.113.6

Why A: The main issues: (1) Interfaces were swapped — G0/0 (public) was inside and G0/1 (private) was outside. They should be reversed: G0/0 outside, G0/1 inside. (2) ACL 1 (used in the PAT command) permitted 192.168.2.0/24 instead of 192.168.1.0/24. (3) The PAT command for G0/0 used ACL 2, which was correct for the subnet but the interface was wrong. After fixing interface assignments and correcting ACL 1 to permit the inside subnet, the PAT command must use ACL 1 and the correct outside interface. The static NAT was correctly configured but needed the correct inside interface. The PAT translation uses the IP address of the outside interface (interface overload), so after fixing the configuration, inside hosts will be translated to 203.0.113.1, the primary IP of G0/0, not 203.0.113.5.

Variation 4. Drag and drop the following steps into the correct order to configure PAT (overload) on a Cisco router using a single public IP address on the outside interface.

medium
  • A.Enter global configuration mode
  • B.Create an access list to match the traffic to be translated
  • C.Configure the inside interface with 'ip nat inside'
  • D.Configure the outside interface with 'ip nat outside'

Why A: The correct sequence is: first enter global configuration mode, then define the access list that matches inside traffic. Next, mark the inside and outside interfaces with `ip nat inside` and `ip nat outside` respectively. Finally, enable PAT with overload using `ip nat inside source list <acl> interface <outside-if> overload`. This order ensures the router knows which interfaces are internal and external, which traffic to translate, and how to perform the translation.

Variation 5. Drag and drop the following steps into the correct order to configure PAT (Port Address Translation) on a Cisco IOS-XE router and describe the translation process for an outbound packet.

medium
  • A.Enter global configuration mode, mark inside and outside interfaces, create a pool of global addresses, then enable PAT with overload.
  • B.Create a pool of global addresses, mark inside and outside interfaces, enter global configuration mode, then enable PAT with overload.
  • C.Mark inside and outside interfaces, enter global configuration mode, enable PAT with overload, then create a pool of global addresses.
  • D.Enter global configuration mode, enable PAT with overload, create a pool of global addresses, then mark inside and outside interfaces.

Why A: First, enter config mode. Then mark the inside and outside interfaces. Create a pool of global addresses. Finally, enable PAT with overload to allow multiple inside hosts to share the pool addresses.

Keep practising

More 200-301 practice questions

Last reviewed: Jun 6, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.