The answer is that the inside and outside NAT interface roles are reversed. PAT fails because the router applies Network Address Translation logic based on which interface is designated as inside (typically the private LAN) and which is outside (the public WAN). When these roles are swapped, the router attempts to translate traffic in the wrong direction, so private source addresses are not translated to the public IP as they exit, and return traffic cannot be correctly mapped back. This is a classic CCNA 200-301 v2 troubleshooting scenario that tests your ability to spot a single misconfiguration in an otherwise correct setup—a common trap where candidates focus on ACLs or pool exhaustion instead. The key memory tip is to remember the direction of traffic: inside is where your private hosts live, outside is where the internet lives; if PAT is failing, always verify which interface has the ip nat inside and ip nat outside commands applied.
CCNA NAT interface roles (inside vs outside) Practice Question
This 200-301 practice question tests your understanding of network services and security. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. A key principle to apply: nAT interface roles (inside vs outside). Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
interface GigabitEthernet0/0
ip address 192.168.10.1 255.255.255.0
ip nat outside
!
interface GigabitEthernet0/1
ip address 203.0.113.10 255.255.255.252
ip nat inside
!
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/1 overload
Based on the exhibit, what is the most likely reason PAT is not working correctly?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "most likely"
Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
The inside and outside NAT interface roles are reversed.
PAT is not working correctly because the inside and outside NAT roles are reversed on the interfaces. In practical terms, the private LAN-facing interface should be marked as inside, and the public-facing WAN interface should be marked as outside. In the exhibit, the router has those roles backwards, so translation logic is applied in the wrong direction.
This is a very realistic NAT troubleshooting item because the configuration is close to correct and the failure comes from one directional mistake.
Key principle: NAT interface roles (inside vs outside)
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✓
The inside and outside NAT interface roles are reversed.
Why this is correct
This is correct because the private interface should be inside and the public interface should be outside.
Clue confirmation
The clue word "most likely" in the question point toward this answer.
This is wrong because PAT does not depend on OSPF.
When this WOULD be correct
In a different scenario where the question specifies that PAT is being implemented in a network that relies on OSPF for routing updates, and the exam asks about the necessity of OSPF for proper NAT functionality, this option could be correct if the question indicates that OSPF misconfigurations are impacting NAT operations.
✗
The ACL must be numbered 100 instead of 1.
Why it's wrong here
This is wrong because a standard ACL such as 1 is valid for this NAT rule.
When this WOULD be correct
In a different scenario, if the question specifically states that the router is using a legacy configuration where only numbered ACLs are supported, and that ACL 100 is explicitly required for NAT rules, then this option would be correct.
✗
The router must use GRE before PAT can overload.
Why it's wrong here
This is wrong because PAT does not require GRE tunneling.
When this WOULD be correct
In a different scenario where the question specifies that the network is using GRE tunnels for remote site connectivity, and the configuration requires PAT to be applied to traffic traversing these tunnels, then this option could be correct. For example, if the question states that PAT is not functioning due to the absence of GRE encapsulation on the WAN link, this would validate the option.
Option-by-option analysis
Why each answer is right or wrong
Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.
✓The inside and outside NAT interface roles are reversed.Correct answer▾
Why this is correct
This is correct because the private interface should be inside and the public interface should be outside.
✗PAT requires OSPF to be enabled on the WAN link.Wrong answer — click to see why▾
Why this is wrong here
PAT (Port Address Translation) operates at Layer 3/4 and does not require any dynamic routing protocol like OSPF to function. OSPF is used for route exchange, not for NAT operations.
★ When this WOULD be the correct answer
In a different scenario where the question specifies that PAT is being implemented in a network that relies on OSPF for routing updates, and the exam asks about the necessity of OSPF for proper NAT functionality, this option could be correct if the question indicates that OSPF misconfigurations are impacting NAT operations.
Why candidates choose this
Students may think that because the WAN link often runs OSPF for routing, PAT might depend on it, but PAT works independently of the routing protocol used.
✗The ACL must be numbered 100 instead of 1.Wrong answer — click to see why▾
Why this is wrong here
Standard ACLs (numbered 1-99 or 1300-1999) can be used in NAT to identify traffic for translation; they match only source IP addresses. Extended ACLs (100-199) are not required for basic PAT configuration.
★ When this WOULD be the correct answer
In a different scenario, if the question specifically states that the router is using a legacy configuration where only numbered ACLs are supported, and that ACL 100 is explicitly required for NAT rules, then this option would be correct.
Why candidates choose this
Some students confuse the ACL numbering with the requirement for extended ACLs in NAT, but standard ACLs are sufficient when only source IP matching is needed.
✗The router must use GRE before PAT can overload.Wrong answer — click to see why▾
Why this is wrong here
GRE (Generic Routing Encapsulation) is a tunneling protocol used to encapsulate packets for VPNs or routing over non-IP networks. PAT does not require any tunneling; it translates private IP addresses to a public IP using port numbers.
★ When this WOULD be the correct answer
In a different scenario where the question specifies that the network is using GRE tunnels for remote site connectivity, and the configuration requires PAT to be applied to traffic traversing these tunnels, then this option could be correct. For example, if the question states that PAT is not functioning due to the absence of GRE encapsulation on the WAN link, this would validate the option.
Why candidates choose this
Students might associate GRE with NAT because both are used in VPN scenarios, but PAT functions independently and does not rely on GRE.
Analysis generated from the official 200-301blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”
Common exam traps
Common exam trap: answer the scenario, not the keyword
A common exam trap is confusing the NAT inside and outside interface roles. Candidates might overlook that reversing these roles causes PAT to fail silently, as translation direction depends on correct interface designation. Misunderstanding this can lead to incorrect troubleshooting steps, such as focusing on routing protocols or ACL numbering, which do not impact PAT functionality directly.
Detailed technical explanation
How to think about this question
Port Address Translation (PAT) relies heavily on correct NAT interface role assignments to function properly. The 'ip nat inside' command marks interfaces connected to the private network, while 'ip nat outside' marks those connected to the public network. When these roles are reversed, the router attempts to translate traffic in the wrong direction, causing PAT to fail. This misconfiguration prevents the router from correctly mapping private IP addresses and ports to the public IP address and ports. Unlike routing protocols such as OSPF or GRE tunneling, PAT does not depend on these technologies for operation. Additionally, the ACL used to identify traffic for NAT translation can be either standard or extended and does not require a specific number like 100; any valid ACL number is acceptable. Understanding the directional nature of NAT and the importance of interface roles is critical for troubleshooting NAT-related issues on Cisco devices.
KKey Concepts to Remember
NAT interface roles (inside vs outside)
Port Address Translation (PAT) functionality
Access Control Lists (ACL) in NAT
TExam Day Tips
→Watch for words such as best, first, most likely and least administrative effort.
→Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
NAT interface roles (inside vs outside)
Real-world example
How this comes up in practice
A network engineer at a university connects two campus buildings via a fibre link. Both routers run OSPF, but no adjacency forms — even though both routers can ping each other. The engineer finds one router is in area 0 and the other in area 1. OSPF adjacency requires matching area numbers, hello/dead timers, and network type. IP reachability alone is not enough.
Related glossary terms
Concepts from this question explained
These glossary pages explain the core terms tested in this 200-301 question in full detail.
Network Services and Security — This question tests Network Services and Security — NAT interface roles (inside vs outside).
What is the correct answer to this question?
The correct answer is: The inside and outside NAT interface roles are reversed. — PAT is not working correctly because the inside and outside NAT roles are reversed on the interfaces. In practical terms, the private LAN-facing interface should be marked as inside, and the public-facing WAN interface should be marked as outside. In the exhibit, the router has those roles backwards, so translation logic is applied in the wrong direction.
This is a very realistic NAT troubleshooting item because the configuration is close to correct and the failure comes from one directional mistake.
What should I do if I get this 200-301 question wrong?
Review nAT interface roles (inside vs outside), then practise related 200-301 questions on the same topic to reinforce the concept.
Are there clue words in this question I should notice?
Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
What is the key concept behind this question?
NAT interface roles (inside vs outside)
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.