Exhibit
Observed symptom:
- Internal users can reach internal routes
- Internet browsing fails
- Private source addresses are still seen on outbound WAN traffic
Users in a branch office can reach internal networks but cannot browse the Internet. The router has a correct default route and PAT is configured. Which missing item is the most likely cause if inside hosts are still using private source addresses on the WAN?
Answer choices
Why each option matters
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
Best answer
A correct ACL or source match identifying inside local addresses for NAT
This is correct because PAT needs to know which inside addresses should be translated. Without a correct match, the router can forward traffic but leave the source private.
Distractor review
An STP root bridge election on the WAN side
This is wrong because STP root election is unrelated to PAT translation on a routed WAN edge.
Distractor review
A voice VLAN on the branch access switches
This is wrong because voice VLAN design does not explain private source addresses leaving the WAN untranslated.
Distractor review
A loopback interface with a higher IP address
This is wrong because a loopback interface is not what enables PAT translation of inside user traffic.
Common exam trap: answer the scenario, not the keyword
A common exam trap is assuming that configuring a default route and enabling PAT alone guarantees Internet access for inside hosts. Candidates often overlook the necessity of a correct NAT ACL or source match that explicitly identifies which inside local addresses should be translated. Without this ACL, the router forwards packets with private IP addresses unchanged, causing return traffic to fail because upstream devices reject packets with non-routable source addresses. This mistake leads to the false conclusion that routing or PAT is misconfigured, when the real issue is the missing or incorrect NAT match.
Technical deep dive
How to think about this question
Network Address Translation (NAT), specifically Port Address Translation (PAT), is essential for allowing multiple internal hosts with private IP addresses to access external networks like the Internet using a single public IP address. PAT works by translating inside local addresses (private IPs) to a valid inside global address (public IP) and tracking sessions by port numbers. This translation is critical because private IP addresses defined by RFC 1918 are not routable on the public Internet.
For PAT to function correctly on Cisco routers, a NAT inside source rule must be configured with an access control list (ACL) or source match that explicitly identifies which internal IP addresses should be translated. The router uses this ACL to determine which packets require translation before forwarding them out the WAN interface. Even if the router has a correct default route pointing to the Internet, without this ACL or source match, the router will forward packets with private source addresses unchanged, causing return traffic to fail.
A common exam trap is assuming that having a default route and PAT configured is sufficient for Internet access. However, if the NAT ACL or source match is missing or incorrect, the router does not translate the inside local addresses, leading to connectivity issues. Practically, this means internal hosts can reach internal networks but cannot browse the Internet because their private IPs are not translated to valid public IPs, causing upstream devices to drop the traffic.
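The failure described above can be checked mechanically. The following is an added example, not part of the original page: a Python check over a constructed IOS running-config excerpt that reports inside subnets which no `ip nat inside source list` ACL permits. The interface names, addresses and function name are assumptions, and it handles only standard numbered ACLs with contiguous wildcard masks.

```python
import ipaddress

# Constructed running-config excerpt (not from the page): the default route and
# PAT rule exist, but ACL 1 matches 192.168.1.0/24 while the LAN is 192.168.10.0/24.
BROKEN = """\
interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
ip route 0.0.0.0 0.0.0.0 203.0.113.1
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/1 overload
"""
# Corrected form: the ACL now identifies the real inside local subnet.
FIXED = BROKEN.replace("permit 192.168.1.0", "permit 192.168.10.0")


def untranslated_inside_subnets(config):
    """Return 'ip nat inside' subnets that no NAT source-list ACL permits."""
    ifaces, acls, nat_lists = [], {}, set()
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "interface":
            ifaces.append({"net": None, "inside": False})
        elif line.startswith(" ") and ifaces:
            if w[:2] == ["ip", "address"] and len(w) >= 4:
                # Address plus netmask gives the connected subnet.
                ifaces[-1]["net"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
            elif w == ["ip", "nat", "inside"]:
                ifaces[-1]["inside"] = True
        elif w[0] == "access-list" and len(w) == 5 and w[2] == "permit":
            # ipaddress accepts a contiguous wildcard (host) mask after the slash.
            acls.setdefault(w[1], []).append(ipaddress.ip_network(f"{w[3]}/{w[4]}"))
        elif w[:5] == ["ip", "nat", "inside", "source", "list"] and len(w) > 5:
            nat_lists.add(w[5])
    # Only ACLs actually referenced by a NAT rule count as a source match.
    matched = [n for acl in nat_lists for n in acls.get(acl, [])]
    return [str(i["net"]) for i in ifaces
            if i["inside"] and i["net"] is not None
            and not any(i["net"].subnet_of(m) for m in matched)]


if __name__ == "__main__":
    print("broken:", untranslated_inside_subnets(BROKEN))
    print("fixed: ", untranslated_inside_subnets(FIXED))
```

A non-empty result means hosts in that subnet are routed out the WAN with their private source addresses intact, which is the symptom in the exhibit.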
Key Concepts to Remember
- PAT requires a correct ACL or source match to identify inside local addresses for translation before forwarding packets to the WAN.
- A default route directs traffic to the Internet but does not perform NAT translation by itself.
- Without a proper NAT ACL, the router forwards packets with private source IPs, which are invalid on the public Internet.
- Cisco routers use NAT inside source rules with ACLs to determine which internal IP addresses to translate to public addresses.
- Private IP addresses defined by RFC 1918 are not routable on the Internet and must be translated by NAT for external communication.
- PAT translates multiple inside local addresses to a single inside global address by tracking port numbers.
- Misconfiguring or omitting the NAT ACL causes inside hosts to appear with private IPs on the WAN, breaking Internet connectivity.
- Routing and NAT are separate functions; correct routing does not guarantee successful NAT translation.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
FAQ
Questions learners often ask
What does this 200-301 question test?
PAT requires a correct ACL or source match to identify inside local addresses for translation before forwarding packets to the WAN.
What is the correct answer to this question?
The correct answer is: A correct ACL or source match identifying inside local addresses for NAT — If inside hosts are still appearing with private source addresses on the WAN side, the most likely missing element is a correct NAT inside source match for the internal subnet. In plain language, the router knows where Internet traffic should go because the default route exists, but it is not actually translating the private addresses before sending the traffic out. That means upstream devices see RFC 1918 private addresses that are not valid on the public Internet and return traffic fails. This is a common CCNA troubleshooting pattern: routing and NAT are separate functions. A valid default route only tells the router where to send packets. It does not automatically translate them. PAT also depends on a correct ACL or source match identifying which inside addresses should be translated. If that match is missing or wrong, the router forwards the traffic but without performing the necessary translation. That is why the missing or incorrect NAT match is the most likely root cause.
What should I do if I get this 200-301 question wrong?
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.