Question 603 of 1,819
Network Services and SecurityhardMultiple ChoiceObjective-mapped

Quick Answer

The answer is to use static NAT for the server and PAT for general user outbound traffic. This design works because static NAT creates a permanent one-to-one mapping between a specific internal IP and a consistent public address, allowing external clients to reliably reach the web server, while PAT dynamically translates many internal users to a single public address for outbound sessions, conserving global IPs. On the CCNA 200-301 v2 exam, this scenario tests your understanding that NAT methods are not mutually exclusive; a common trap is assuming PAT alone can serve inbound traffic, but PAT lacks the fixed mapping required for unsolicited inbound connections. Remember the memory tip: “PAT for outbound, static for inbound” — if a device initiates traffic, use PAT; if the world needs to find it, use static NAT.

CCNA Network Services and Security Practice Question

This 200-301 practice question tests your understanding of network services and security. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: static NAT creates a fixed one-to-one mapping between a private IP address and a public IP address, enabling predictable external access to internal servers.. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A branch router uses PAT for Internet access. Users can browse out, but the administrator wants a specific internal web server to be reachable from outside on a consistent public address. Which design fits that requirement best?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "best"

    Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

Question 1hardmultiple choice
Read the full NAT/PAT explanation →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Use static NAT for the server and PAT for general user outbound traffic.

The best design is to use static NAT for the internal web server while continuing to use PAT for general user outbound access. In plain language, PAT is ideal for many inside users sharing one public address for ordinary outbound traffic, but a server that must be reachable predictably from the outside needs a fixed public identity. Static NAT provides that one-to-one mapping. This is a practical mixed-design scenario. The network can use PAT for user convenience and address conservation while still reserving a stable translation for a server that external clients need to find reliably. The correct answer recognizes that different NAT methods can serve different purposes in the same environment.

Key principle: Static NAT creates a fixed one-to-one mapping between a private IP address and a public IP address, enabling predictable external access to internal servers.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Use static NAT for the server and PAT for general user outbound traffic.

    Why this is correct

    This is correct because static NAT gives the server a fixed public identity while PAT supports many internal users.

    Clue confirmation

    The clue word "best" in the question point toward this answer.

    Related concept

    Static NAT creates a fixed one-to-one mapping between a private IP address and a public IP address, enabling predictable external access to internal servers.

  • Use only PAT for everything, including predictable outside server reachability.

    Why it's wrong here

    This is wrong because PAT does not provide the same stable one-to-one outside identity expected for a published server.

    When this WOULD be correct

    In a scenario where all devices, including servers, are intended to share a single public IP address for outbound traffic without the need for external access to specific internal servers, using only PAT would be appropriate. For example, a question might ask for a configuration where all internal devices need to access the internet but do not require any inbound connections.

  • Disable NAT entirely because private IPv4 addresses are Internet-routable.

    Why it's wrong here

    This is wrong because private IPv4 addresses are not Internet-routable.

    When this WOULD be correct

    In a scenario where a question states that a network is using IPv6, which allows for global addressing without NAT, disabling NAT would be correct to allow direct access to internal servers from the Internet.

  • Use DHCP relay to publish the server externally.

    Why it's wrong here

    This is wrong because DHCP relay is unrelated to public server reachability.

    When this WOULD be correct

    If the exam question asked about a scenario where a server needs to receive IP address assignments dynamically from an external DHCP server, and the focus was on ensuring that the server can communicate with clients outside its local network, then using DHCP relay would be correct.

Option-by-option analysis

Why each answer is right or wrong

Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The 200-301 exam frequently reuses these exact scenarios with slightly different constraints.

Use static NAT for the server and PAT for general user outbound traffic.Correct answer

Why this is correct

This is correct because static NAT gives the server a fixed public identity while PAT supports many internal users.

Use only PAT for everything, including predictable outside server reachability.Wrong answer — click to see why

Why this is wrong here

PAT alone cannot provide a predictable one-to-one mapping for inbound traffic to a specific server because it relies on dynamic port translations. Inbound connections initiated from outside would not have a consistent destination IP and port mapping, making the server unreachable from the internet.

★ When this WOULD be the correct answer

In a scenario where all devices, including servers, are intended to share a single public IP address for outbound traffic without the need for external access to specific internal servers, using only PAT would be appropriate. For example, a question might ask for a configuration where all internal devices need to access the internet but do not require any inbound connections.

Why candidates choose this

Students might think PAT can handle all traffic types, including inbound server access, because PAT is commonly used for outbound traffic. They may overlook that PAT does not create a stable public identity for inbound connections without additional configuration like port forwarding.

Disable NAT entirely because private IPv4 addresses are Internet-routable.Wrong answer — click to see why

Why this is wrong here

Private IPv4 addresses (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) are not routable on the public internet. Disabling NAT would prevent any internal device from communicating with external networks, breaking internet access entirely.

★ When this WOULD be the correct answer

In a scenario where a question states that a network is using IPv6, which allows for global addressing without NAT, disabling NAT would be correct to allow direct access to internal servers from the Internet.

Why candidates choose this

Some students may confuse private addresses with public addresses or think that all IPv4 addresses are globally routable. They might also misunderstand the purpose of NAT as optional rather than necessary for private-to-public communication.

Use DHCP relay to publish the server externally.Wrong answer — click to see why

Why this is wrong here

DHCP relay is used to forward DHCP broadcast messages between clients and servers across different subnets. It has no role in providing public reachability to an internal server or in NAT/PAT configurations.

★ When this WOULD be the correct answer

If the exam question asked about a scenario where a server needs to receive IP address assignments dynamically from an external DHCP server, and the focus was on ensuring that the server can communicate with clients outside its local network, then using DHCP relay would be correct.

Why candidates choose this

Students might associate 'relay' with forwarding traffic or think DHCP relay can somehow expose internal servers externally. The term 'relay' can be misleading, causing confusion with port forwarding or NAT.

Analysis generated from the official 200-301blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”

Common exam traps

Common exam trap: answer the scenario, not the keyword

A common exam trap is selecting PAT alone to provide external access to an internal server. While PAT efficiently supports many users sharing one public IP for outbound traffic, it does not assign a fixed public IP to any internal host. This means the server’s public identity changes dynamically, preventing reliable inbound connections. Candidates often confuse PAT’s port translation with static IP mapping, overlooking that servers need static NAT for consistent external reachability. Misunderstanding this distinction leads to incorrect answers and design flaws in real networks.

Detailed technical explanation

How to think about this question

Network Address Translation (NAT) is a fundamental IP service that modifies IP address information in packet headers while in transit, allowing multiple devices on a private network to access external networks using fewer public IP addresses. Port Address Translation (PAT), a form of dynamic NAT, enables many internal hosts to share a single public IP address by differentiating sessions through unique port numbers. However, PAT does not provide a fixed public IP for any internal device, which is essential for servers that must be reachable from the Internet. Static NAT creates a one-to-one mapping between a private IP address and a public IP address, ensuring that the internal server always appears at the same public IP externally. This predictability is crucial for services like web servers that require consistent accessibility. In a mixed NAT environment, static NAT is used for servers needing stable public identities, while PAT handles general outbound traffic from multiple users, optimizing IP address usage and maintaining connectivity. A common exam trap is assuming that PAT alone can provide stable inbound access to internal servers, which it cannot because PAT dynamically assigns ports and does not reserve a fixed public IP for any host. Practically, network administrators combine static NAT for servers with PAT for user devices to balance address conservation and service availability, reflecting real-world Cisco network design principles tested in the CCNA exam.

KKey Concepts to Remember

  • Static NAT creates a fixed one-to-one mapping between a private IP address and a public IP address, enabling predictable external access to internal servers.
  • PAT allows multiple internal hosts to share a single public IP address by differentiating sessions using unique port numbers for outbound traffic.
  • A server requiring consistent reachability from outside must use static NAT to maintain a stable public IP address, unlike PAT which is dynamic and port-based.
  • Mixed NAT configurations combine static NAT for inbound server accessibility with PAT for outbound user traffic to optimize IP address usage.
  • Private IPv4 addresses are not routable on the Internet and require NAT to communicate with external networks.
  • DHCP relay is unrelated to NAT and does not influence public accessibility of internal servers.
  • Using only PAT for all traffic fails to provide a stable public IP for servers, making it unsuitable for hosting externally reachable services.
  • Cisco routers support simultaneous static NAT and PAT configurations to meet different network requirements within the same environment.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Static NAT creates a fixed one-to-one mapping between a private IP address and a public IP address, enabling predictable external access to internal servers.

Real-world example

How this comes up in practice

A small business has 20 workstations on the 192.168.1.0/24 network and one public IP from its ISP. The router uses PAT (NAT overload) so all 20 devices share one public address using different source ports. NAT questions test whether you understand the four address terms and which direction each translation applies.

What to study next

Got this wrong? Here's your next step.

Review static NAT creates a fixed one-to-one mapping between a private IP address and a public IP address, enabling predictable external access to internal servers., then practise related 200-301 questions on the same topic to reinforce the concept.

Related practice questions

Related 200-301 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free 200-301 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this 200-301 question test?

Network Services and Security — This question tests Network Services and Security — Static NAT creates a fixed one-to-one mapping between a private IP address and a public IP address, enabling predictable external access to internal servers..

What is the correct answer to this question?

The correct answer is: Use static NAT for the server and PAT for general user outbound traffic. — The best design is to use static NAT for the internal web server while continuing to use PAT for general user outbound access. In plain language, PAT is ideal for many inside users sharing one public address for ordinary outbound traffic, but a server that must be reachable predictably from the outside needs a fixed public identity. Static NAT provides that one-to-one mapping. This is a practical mixed-design scenario. The network can use PAT for user convenience and address conservation while still reserving a stable translation for a server that external clients need to find reliably. The correct answer recognizes that different NAT methods can serve different purposes in the same environment.

What should I do if I get this 200-301 question wrong?

Review static NAT creates a fixed one-to-one mapping between a private IP address and a public IP address, enabling predictable external access to internal servers., then practise related 200-301 questions on the same topic to reinforce the concept.

Are there clue words in this question I should notice?

Yes — watch for: "best". Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

What is the key concept behind this question?

Static NAT creates a fixed one-to-one mapping between a private IP address and a public IP address, enabling predictable external access to internal servers.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Same concept, more angles

1 more ways this is tested on 200-301

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A branch office uses PAT for user Internet access. The administrator notices that inside users can browse out, but an internal server still cannot be reached consistently from outside. Which change is most appropriate?

hard
  • A.Add a static NAT mapping for the server while leaving PAT in place for user traffic.
  • B.Replace PAT with DHCP relay.
  • C.Disable NAT entirely because PAT is preventing inbound routing.
  • D.Put the server in the native VLAN.

Why A: The most appropriate change is to add a static NAT mapping for the internal server while keeping PAT for ordinary user traffic. In practical terms, PAT solves the many-users-outbound problem by allowing shared use of a public address. But an inbound-published server needs a stable, predictable public identity. That requirement is different from the requirement for user browsing. This is a common NAT design distinction. PAT and static NAT can coexist because they solve different problems. The best answer is the one that preserves PAT for users while giving the server a fixed public translation.

Keep practising

More 200-301 practice questions

Last reviewed: May 17, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.