CCNA NAT and PAT Questions

75 of 76 questions · Page 1/2 · NAT and PAT · Answers revealed

1
MCQ · medium

What is the problem with this NAT configuration?

interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
access-list 1 permit 192.168.1.0 0.0.0.255

A. The ACL is too permissive; it should only permit specific hosts.
B. The interface GigabitEthernet0/1 is missing the 'ip nat outside' command.
C. The 'overload' keyword is unnecessary for this configuration.
D. The inside interface should be GigabitEthernet0/1.
Answer: B

Without 'ip nat outside', the router does not know which interface is the outside for NAT.

Why this answer

The outside interface (GigabitEthernet0/1) is missing the 'ip nat outside' command, which is required for NAT to function.

2
MCQ · medium

A network engineer runs the following command to troubleshoot a NAT issue:

R1# debug ip nat detailed
NAT: s=10.1.1.1->10.2.2.2, d=192.168.1.1 [45]
NAT: s=10.1.1.1->10.2.2.2, d=192.168.1.1 [46]
NAT: s=10.1.1.1->10.2.2.2, d=192.168.1.1 [47]
NAT*: s=192.168.1.1, d=10.2.2.2->10.1.1.1 [48]
NAT: s=10.1.1.1->10.2.2.2, d=192.168.1.1 [49]

What does this output indicate?

A. NAT is working correctly; the asterisk indicates a packet that was translated and fast-switched.
B. NAT is failing; the asterisk indicates a packet that was dropped.
C. NAT is working but only for outbound traffic; return traffic is not being translated.
D. NAT is not configured; the output shows only routing information.
Answer: A

The asterisk shows fast-switching, and translations are occurring bidirectionally.

Why this answer

The output shows successful NAT translations. The asterisk (*) indicates a packet that was translated and fast-switched.

3
MCQ · hard

An engineer configures EIGRP named mode on a router and uses an offset-list to increase the feasible distance (FD) of a specific route. Unexpectedly, the route is still installed in the routing table with the original metric. Which is the most likely explanation?

A. The offset-list was applied to outbound updates instead of inbound, so it affected the FD on the neighbor, not the local router.
B. The offset-list value was too large, causing the route to be suppressed.
C. The offset-list was applied to the wrong interface.
D. The route is a connected route, and offset-lists do not affect connected routes.
Answer: A

Correct. Offset-list direction matters; outbound affects neighbor's FD.

Why this answer

In EIGRP, the offset-list modifies the metric of routes received or sent, but it affects the FD only if the route is the successor. However, if the route is a feasible successor, the offset-list may not change the FD for the successor path. Additionally, the offset-list in named mode applies to the topology table entry, but the route selection still uses the original metric if the offset-list is applied incorrectly (e.g., to the wrong direction).

4
Multi-Select · hard

An engineer must configure NAT so that inside hosts (192.168.1.0/24) are translated to a public IP pool (203.0.113.1-203.0.113.10) when accessing the Internet, but must NOT translate traffic destined to a VPN subnet (10.10.10.0/24) reachable via the same outside interface. Which TWO configuration steps are required? (Choose TWO.)

Select 2 answers
A. Create an ACL that denies 10.10.10.0 0.0.0.255 and permits any, then reference it in a route map with 'match ip address'.
B. Apply 'ip nat inside source list 1 interface GigabitEthernet0/0 overload' where ACL 1 permits 192.168.1.0 0.0.0.255.
C. Use 'ip nat inside source route-map RMAP pool POOL' where the route map matches the ACL from step A.
D. Configure 'ip nat inside source static 192.168.1.1 203.0.113.1' for each host to ensure translation.
E. Apply 'ip access-group 100 in' on the inside interface to block traffic to the VPN subnet.
Answers: A, C

Correct. The ACL denies the VPN subnet, so the route map will not match traffic to that destination, thus exempting it from NAT.

Why this answer

To exempt certain destinations from NAT, a route map with 'match ip address' for the ACL that denies the VPN subnet is used. The ACL must deny the VPN subnet and permit all other traffic. The 'ip nat inside source route-map' command then applies this route map to the NAT translation.

Using a second ACL on the inside interface or a static NAT would not achieve the desired selective exemption.

5
MCQ · hard

A large enterprise network is experiencing intermittent connectivity failures for VoIP traffic traversing a DMVPN hub-and-spoke topology. Hub router R1 has the following relevant configuration:

ip nat inside source list 100 interface Tunnel0 overload

Spoke router R2 shows:

show ip nat translations
Pro  Inside global  Inside local  Outside local  Outside global
---  10.1.1.1       192.168.1.1   203.0.113.1    203.0.113.1

VoIP calls drop after 30 seconds. What is the root cause?

A. Configure ip nat translation timeout 60 for UDP to align with VoIP timers.
B. Add ip nat inside source list 100 interface Tunnel0 overload to the spoke router.
C. Change the DMVPN tunnel mode to GRE over IPsec with no NAT.
D. Use ip nat outside source list 100 interface Tunnel0 overload.
Answer: A

Reducing the NAT timeout for UDP ensures that stale entries are cleared quickly, preventing mismatches with VoIP session refreshes.

Why this answer

The issue is that PAT overload on the DMVPN tunnel interface causes NAT entries to be created for VoIP traffic, but the default NAT timeout (24 hours for TCP, 300 seconds for UDP) does not match the DMVPN tunnel keepalive or VoIP session timers. When the tunnel rekeys or the VoIP session refreshes, the NAT entry may be stale, causing asymmetric routing or dropped packets. The correct fix is to adjust NAT timeouts or use route-map to exempt VoIP traffic from NAT.

6
Drag & Drop · hard

Drag and drop the steps to troubleshoot NAT and PAT adjacency or connectivity failures into the correct order, from first to last.

Why this order

Troubleshooting NAT connectivity failures should start with verifying basic reachability using ping, then checking NAT translations with show ip nat translations, then examining the routing table to ensure return traffic is routed correctly, then verifying access lists for NAT, and finally checking for asymmetric routing or adjacency issues.

7
MCQ · hard

An engineer configures static NAT on a router to map a public IP 203.0.113.5 to an internal server 10.0.0.5. The configuration includes 'ip nat inside source static 10.0.0.5 203.0.113.5'. The server is reachable from the outside, but the server cannot initiate connections to the outside network. 'show ip nat translations' shows the static entry. What is the most likely cause?

A. The server's default gateway is not the router's inside interface.
B. The 'ip nat outside' command is missing on the outside interface.
C. Static NAT does not translate the source IP for outbound traffic initiated by the inside host.
D. The router's routing table does not have a route back to the server's subnet.
Answer: C

Correct because static NAT only translates destination IP for inbound traffic; for outbound, the source remains private unless additional NAT (e.g., overload) is configured for that host.

Why this answer

Static NAT only translates the specified inside local to inside global. For the server to reach outside, the router must also translate the source of the server's traffic (which is 10.0.0.5) to a routable IP; without a matching NAT rule for outbound traffic, the server's source remains private.

8
MCQ · hard

A network engineer is troubleshooting NAT for a VoIP phone that uses SIP. The phone is at 192.168.2.10, and the router performs PAT to the outside interface 198.51.100.1. The phone can register with the SIP server, but calls fail after 30 seconds. The engineer notices that the SIP signaling includes the phone's private IP in the SDP body. What is the most likely cause?

A. The PAT port range is exhausted.
B. The router's SIP ALG is disabled, so the private IP in the SDP is not translated.
C. The phone's default gateway is misconfigured.
D. The outside interface has a firewall blocking UDP ports.
Answer: B

Correct because without SIP ALG, the router does not inspect and translate the IP addresses inside the SIP messages, causing media to be sent to the private IP.

Why this answer

SIP embeds IP addresses in the payload; PAT only translates the IP header, not the application layer. The SIP server sends media to the private IP, which is unreachable. The fix is to use SIP ALG or fixup to translate the embedded addresses.

9
MCQ · hard

Router R1 is configured with ip nat inside source list 100 interface GigabitEthernet0/1 overload. Internal host 192.168.1.10 can ping external host 203.0.113.50, but cannot establish a TCP connection to port 443. Router R1 shows:

debug ip nat
NAT: s=192.168.1.10->203.0.113.1, d=203.0.113.50 [0]

The external host shows no received packets. What is the root cause?

A. An ACL on the outside interface is blocking TCP port 443; configure an ACL to permit it.
B. The NAT translation is failing for TCP due to port exhaustion.
C. The internal host has a firewall blocking outbound TCP.
D. The external host is not responding to TCP SYN packets.
Answer: A

ICMP is permitted, but TCP 443 is likely denied by an implicit or explicit ACL.

Why this answer

Ping works because ICMP is allowed, but TCP port 443 may be blocked by an ACL on the outside interface. The debug shows NAT translation occurring, but the packet may be dropped after translation. The correct fix is to check the ACL on the outside interface (e.g., GigabitEthernet0/1) for inbound/outbound rules that block TCP 443.

10
Multi-Select · hard

Which THREE commands can be used to troubleshoot NAT issues on a Cisco IOS router? (Choose THREE.)

Select 3 answers
A. show ip nat translations
B. debug ip nat
C. clear ip nat translation
D. show ip nat verbose
E. show ip interface brief
Answers: A, B, C

Displays active translations, which helps verify if mappings are created correctly.

Why this answer

The commands show ip nat translations, debug ip nat, and clear ip nat translation are all useful for troubleshooting. The other options are either non-existent or unrelated.

11
MCQ · hard

An engineer configures OSPF on two routers connected via a serial link. Both routers have 'ip ospf network point-to-point' configured, but the link is actually a Frame Relay multipoint subinterface. The OSPF neighbors remain stuck in EXSTART state. Which is the most likely explanation?

A. The MTU on the serial link is not consistent between the two routers, causing DBD packets to be dropped.
B. The OSPF hello timer is set too high, causing the neighbor to time out.
C. The area ID is different on the two routers.
D. The OSPF router ID is duplicated.
Answer: A

Correct. OSPF uses the interface MTU for DBD packets; mismatch prevents exchange.

Why this answer

OSPF network type mismatch between the configured point-to-point and the actual multipoint topology can cause MTU mismatch issues. On a multipoint subinterface, the default MTU may be lower, and OSPF uses the interface MTU to determine the maximum packet size. If the MTU is not consistent, the Database Description (DBD) packets may be dropped, causing the neighbor to remain in EXSTART.

12
MCQ · hard

A network engineer runs the following command to debug NAT with overload:

R1# debug ip nat overload
NAT: overload: s=10.1.1.1:1234->203.0.113.1:5678, d=192.168.1.1:80 [50]
NAT: overload: s=10.1.1.1:1235->203.0.113.1:5679, d=192.168.1.1:80 [51]
NAT: overload: s=10.1.1.2:80->203.0.113.1:5680, d=192.168.1.1:1024 [52]

What does this output indicate?

A. PAT is working correctly, translating multiple inside hosts to one outside IP.
B. NAT is failing because the outside address is the same for all.
C. The translations are static.
D. The inside hosts are using the same port numbers.
Answer: A

Each inside host gets a unique source port on the outside IP.

Why this answer

The output shows PAT (overload) translating multiple inside addresses and ports to a single outside address with different ports. This is normal PAT operation.

13
MCQ · easy

A network engineer runs the following command to verify NAT after a fix:

R1# show ip nat translations
Pro  Inside global  Inside local  Outside local  Outside global
---  203.0.113.1    10.1.1.1      192.168.1.1    192.168.1.1
---  203.0.113.2    10.1.1.2      192.168.1.2    192.168.1.2

What is the most likely configuration?

A. Dynamic NAT without overload, using a pool of addresses.
B. Static NAT for each host.
C. PAT with a single address.
D. NAT is not configured.
Answer: A

Each inside host gets a unique global address from a pool.

Why this answer

The output shows two dynamic translations with different inside global addresses, indicating a pool of addresses is used without PAT (overload).

14
MCQ · medium

An engineer configures NAT on a router with 'ip nat inside source list 1 pool POOL overload' where POOL contains 203.0.113.1-203.0.113.5. The inside hosts are 10.0.0.0/24. Traffic works, but the engineer notices that some hosts are assigned the same public IP and port, causing conflicts. 'show ip nat translations' shows entries with the same inside global IP and port for different inside local hosts. What is the most likely cause?

A. The pool has only one IP address, and the router is reusing ports for different hosts.
B. The 'ip nat inside source' command is missing the 'overload' keyword.
C. The router is not performing PAT correctly because the ACL permits more than the pool can handle.
D. The router has a configuration that uses 'ip nat inside source static' for some hosts, conflicting with the dynamic pool.
Answer: D

Correct because if a static NAT entry maps a host to the same public IP as the pool, and the static entry does not use port translation, it can cause conflicts with dynamic entries.

Why this answer

PAT with a pool should assign unique ports per session. If two different inside hosts use the same source port and are mapped to the same public IP, the router should still assign a different port. However, if the pool has only one IP or the ports are exhausted, conflicts can occur.

The most likely cause is that the pool has only one IP and the port range is exhausted, but the symptom shows the same IP and port, which indicates a misconfiguration.

15
MCQ · hard

In Cisco IOS, what is the default behavior of the ip nat service command?

A. It disables NAT for all protocols by default.
B. It enables NAT only for TCP and UDP by default.
C. It is used to configure NAT for specific application-layer protocols and is not enabled by default.
D. It configures the NAT translation timeout for all services.
Answer: C

Correct. The ip nat service command is used to fine-tune NAT for specific protocols and is not enabled by default; it is applied only when configured.

Why this answer

The ip nat service command is used to enable or disable NAT for specific protocols or to change the port number used for NAT. By default, NAT is enabled for all protocols. The command is often used to adjust NAT behavior for protocols like SIP or H.323.

16
MCQ · hard

Router R1 is configured with ip nat inside source list 100 interface GigabitEthernet0/1 overload. Internal host 192.168.1.10 can access the internet, but when it tries to connect to an internal server at 10.1.1.10 via its public IP 203.0.113.10, the connection fails. Router R1 shows:

show ip nat translations
Pro  Inside global  Inside local  Outside local  Outside global
---  203.0.113.10   10.1.1.10     ---            ---

The host's traffic is being NATed to 203.0.113.1, but the server's response is sent to 203.0.113.1. What is the root cause?

A. Enable NAT hairpinning by configuring ip nat inside source static tcp 10.1.1.10 80 203.0.113.10 80 and ensuring the router has a route to the public IP.
B. Configure the host to use the private IP of the server instead of the public IP.
C. Add a static route on the router for 203.0.113.10 pointing to the server.
D. Use ip nat outside source list 100 interface GigabitEthernet0/1 overload.
Answer: A

Hairpinning allows the router to forward traffic from inside to inside via the public IP.

Why this answer

This is a classic NAT hairpinning issue. The host is trying to reach the server via its public IP, but the router does not support hairpinning by default. The traffic from the host to the public IP is NATed, but the return traffic from the server is sent to the public IP, which the router does not forward back to the host.

The correct fix is to enable hairpinning with ip nat inside source static tcp 10.1.1.10 80 203.0.113.10 80 and ensure the router can process the traffic correctly.

17
Multi-Select · hard

An engineer is troubleshooting a PAT overload configuration on a Cisco router. Inside hosts can access the Internet, but some applications (e.g., FTP, SIP) fail. Which TWO commands can be used to verify the NAT translations and identify the issue? (Choose TWO.)

Select 2 answers
A. 'show ip nat translations'
B. 'debug ip nat detailed'
C. 'show ip nat statistics'
D. 'show ip access-lists'
E. 'show running-config | include nat'
Answers: A, B

Correct. This shows the current NAT table, including inside local, inside global, outside local, and outside global addresses and ports.

Why this answer

'show ip nat translations' displays active translations including ports, which helps verify if PAT is working and if ports are being allocated. 'debug ip nat' with 'detailed' shows packet-level translation events, useful for seeing if application-layer protocols are being handled correctly. 'show ip nat statistics' shows counts but not per-translation details. 'show ip access-lists' does not show NAT info. 'show running-config | include nat' only shows configuration, not operational state.

18
MCQ · hard

Router R1 is configured with ip nat inside source list 100 interface Loopback0 overload. Internal hosts at 192.168.1.0/24 can access the internet, but external hosts cannot initiate connections to an internal server at 10.1.1.10 that is also behind NAT. The server is supposed to be reachable via static NAT. Configuration:

ip nat inside source static tcp 10.1.1.10 80 interface Loopback0 80

Router R1 shows:

show ip nat translations
Pro  Inside global  Inside local  Outside local  Outside global
tcp  10.1.1.10:80   10.1.1.10:80  ---            ---

External users get connection timeouts. What is the root cause?

A. The static NAT should use a specific global IP address instead of the interface; configure ip nat inside source static tcp 10.1.1.10 80 203.0.113.10 80.
B. The access-list 100 is blocking inbound traffic.
C. The Loopback0 interface is not in the routing table.
D. The static NAT entry is missing the 'add-route' option.
Answer: A

Using the interface IP for static NAT is not supported; a specific global IP must be defined.

Why this answer

The static NAT entry is correctly configured, but the issue is that the Loopback0 interface is used as the inside global interface. For static NAT to work for inbound connections, the outside interface must be the one facing the external network. The Loopback0 is likely not the correct egress interface; the static NAT should be applied to the actual outside interface (e.g., GigabitEthernet0/1).

Additionally, the 'interface' keyword in the static NAT command is incorrect; it should use 'ip nat inside source static tcp 10.1.1.10 80 203.0.113.10 80' with a specific global IP.

19
MCQ · hard

A network engineer is troubleshooting NAT for a VPN tunnel. The router has a static NAT rule 'ip nat inside source static 10.0.0.10 203.0.113.10' for a server. The VPN traffic from the remote site to 203.0.113.10 is being NATed to 10.0.0.10, but the return traffic from the server to the remote site is not being translated back. The engineer sees that the server sends packets with source 10.0.0.10 to the remote site's public IP. What should the engineer do to fix this?

A. Add an 'ip nat outside' command on the inside interface.
B. Configure a route-map to exempt the VPN traffic from NAT.
C. Ensure that the router has a route to the remote site's public IP via the outside interface, and that the static NAT entry is correctly applied.
D. Change the static NAT to 'ip nat inside source static 10.0.0.10 203.0.113.10 extendable'.
Answer: C

Correct because if the return traffic from the server is routed out a different interface (e.g., a VPN tunnel interface), the NAT might not be applied; the router needs to route the traffic via the outside interface where NAT is configured.

Why this answer

For NAT to work bidirectionally, the router must translate the source IP of the server's outbound traffic to the public IP. Static NAT should handle this automatically, but if the traffic is not matching the NAT rule, it might be due to routing or interface NAT direction.

20
MCQ · medium

An engineer configures NAT overload on a router. The inside network uses 172.16.0.0/16, and the outside interface is 198.51.100.1. The engineer uses 'ip nat inside source list 1 interface GigabitEthernet0/0 overload'. ACL 1 permits 172.16.0.0 0.0.255.255. Traffic works, but the engineer notices that the router's CPU utilization is high, and 'show ip nat translations' shows thousands of entries. What is the most likely cause?

A. The router is under a DDoS attack generating many NAT translations.
B. The NAT translation timeout is set too high, causing old entries to remain.
C. The ACL is too permissive, allowing traffic from outside to initiate NAT.
D. The outside interface is using a different IP than configured.
Answer: B

Correct because if the timeout (e.g., 'ip nat translation timeout') is high, entries for short-lived flows (like DNS) stay longer, accumulating and consuming CPU.

Why this answer

High CPU and many NAT entries could indicate a DoS attack or misconfiguration causing many short-lived sessions. However, a common issue is that the NAT timeout is too long, causing stale entries to accumulate.

21
MCQ · medium

An engineer configures NAT on a router with 'ip nat inside source list 1 interface GigabitEthernet0/0 overload'. The inside hosts are 10.0.0.0/24, and the outside interface is 203.0.113.1. Traffic works for most hosts, but one host at 10.0.0.50 cannot access the internet. 'show ip nat translations' shows no entry for this host. 'show access-lists' shows ACL 1 permits 10.0.0.0 0.0.0.255. What is the most likely cause?

A. The host's IP address is statically assigned and conflicts with another device.
B. The host has a misconfigured subnet mask or default gateway.
C. The NAT pool is exhausted.
D. The router's inside interface is administratively down.
Answer: B

Correct because if the host's default gateway is not the router's inside interface (or subnet mask is wrong), the host will not send traffic to the router, so no NAT translation is attempted.

Why this answer

If the ACL and NAT configuration are correct, the issue might be that the host's traffic is not reaching the router's inside interface, or the router is not processing the traffic due to a routing or interface issue. However, since other hosts work, the problem is specific to that host.

22
MCQ · medium

A network engineer runs the following command to verify NAT on an interface:

R1# show ip nat interface GigabitEthernet0/1
GigabitEthernet0/1 is up, line protocol is up
NAT: inside, active
NAT: outside, active
NAT: overload, active

What is the issue with this configuration?

A. The interface is configured as both inside and outside, which is invalid.
B. The interface is correctly configured for NAT.
C. The interface is down.
D. Overload is not active.
Answer: A

NAT requires separate inside and outside interfaces.

Why this answer

The interface is configured as both inside and outside, which is incorrect. An interface should be either inside or outside, not both.

23
MCQ · medium

A network engineer runs the following commands on Router R1:

R1# show ip nat translations
Pro  Inside global  Inside local  Outside local  Outside global
---  192.0.2.10     10.0.0.10     ---            ---
---  192.0.2.11     10.0.0.11     ---            ---
---  192.0.2.12     10.0.0.12     ---            ---

R1# show ip nat statistics
Total active translations: 3 (0 static, 3 dynamic; 3 extended)
Outside interfaces:
  GigabitEthernet0/1
Inside interfaces:
  GigabitEthernet0/0
Hits: 45  Misses: 0
CEF Translated packets: 45, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id] ip nat pool POOL1 192.0.2.10 192.0.2.20 netmask 255.255.255.240 refcount 3 map-id 1 overload
[Id] ip nat inside source list ACL1 pool POOL1 overload refcount 3

Based on this output, which statement is correct?

A. PAT is working correctly; translations are dynamic and overload is enabled.
B. NAT is failing because the pool is exhausted.
C. Static NAT is configured, but dynamic NAT is not working.
D. The inside and outside interfaces are reversed.
Answer: A

The output shows dynamic mappings with overload, and translations are active. There are no errors or misses, which indicates proper operation.

Why this answer

The output shows dynamic NAT with overload (PAT). The pool has 16 addresses (192.0.2.10–192.0.2.20), but only 3 translations are active. The '---' in the protocol column indicates no protocol-specific translation (e.g., TCP/UDP), which is normal for PAT when only one host per inside global is used.

The correct answer is that PAT is working correctly.

24
Drag & Drop · medium

Drag and drop the steps to configure PAT (overload) for dynamic source NAT into the correct order, from first to last.

Why this order

The correct order follows the standard Cisco IOS-XE configuration sequence: first define an access list to match interesting traffic, then create a NAT pool (if needed), then configure dynamic source translation with overload, then apply the configuration to the inside interface, and finally apply it to the outside interface.

25
Multi-Select · medium

Which TWO statements about NAT overload (PAT) are true? (Choose TWO.)

Select 2 answers
A. PAT allows multiple inside hosts to share a single public IP address by using unique source port numbers.
B. PAT is only supported with a single public IP address configured on the outside interface.
C. PAT is also known as NAT overload and is defined in RFC 2663.
D. PAT cannot translate traffic for protocols that use static port numbers, such as DNS or HTTP.
E. PAT requires the ip nat inside source list command with the overload keyword.
Answers: A, C

PAT translates the source port to create a unique session identifier, enabling many hosts to share one global address.

Why this answer

PAT uses port numbers to multiplex multiple inside hosts to a single public IP, and it is commonly used to conserve public IPv4 addresses. PAT can also be used with a pool of addresses, not just a single interface IP.

26
MCQ · hard

An engineer configures a DMVPN Phase 2 network. Spoke routers can communicate with the hub, but spoke-to-spoke traffic does not trigger a direct tunnel. Which is the most likely explanation?

A. The hub router is missing the 'ip nhrp redirect' command.
B. The spoke routers have 'ip nhrp shortcut' configured.
C. The tunnel mode is set to gre multipoint on the spokes.
D. The NHRP authentication is mismatched.
Answer: A

Correct. Redirect is required for Phase 2 spoke-to-spoke.

Why this answer

In DMVPN Phase 2, spoke-to-spoke tunnels require NHRP redirect messages from the hub and NHRP shortcut requests from the spoke. If the hub does not have 'ip nhrp redirect' configured, it will not send redirect messages, and spokes will not attempt to build a direct tunnel.

27
MCQ · medium

A network engineer runs the following command to verify NAT on a VRF:

R1# show ip nat translations vrf CUSTOMER
Pro  Inside global  Inside local  Outside local  Outside global
---  10.2.2.2       10.1.1.1      192.168.1.1    192.168.1.1

What is the purpose of the 'vrf CUSTOMER' parameter?

A. It filters translations for a specific VRF, allowing per-customer NAT.
B. It shows all translations across all VRFs.
C. It enables NAT on the VRF interface.
D. It creates a new VRF for NAT.
Answer: A

VRF-aware NAT is used to translate addresses for different customers.

Why this answer

This shows NAT translations specific to a VRF, used in MPLS VPN environments where NAT is applied per VRF.

28
MCQ · medium

Given this partial configuration:

ip nat pool MYPOOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
ip nat inside source list 1 pool MYPOOL
access-list 1 permit 192.168.1.0 0.0.0.255

What is the effect?

A. Inside hosts are translated to addresses in the pool using PAT.
B. Inside hosts are dynamically mapped to a pool address; if the pool is exhausted, new translations fail.
C. The router uses the pool address as the source for all outbound traffic, regardless of ACL.
D. This configuration requires the 'ip nat outside' interface command to function.
Answer: B

Without overload, each translation consumes one pool address; exhaustion blocks new flows.

Why this answer

This configures dynamic NAT without overload, so translations are one-to-one from inside addresses to the pool. If more inside hosts than pool addresses try to communicate, some will fail.

29
MCQ · hard

An engineer configures iBGP between two routers in the same AS. The BGP table shows the prefix, but it is not installed in the routing table. The next-hop is reachable via an IGP route. Which is the most likely explanation?

A. BGP synchronization is enabled, and the prefix is not present in the IGP.
B. The next-hop-self command is missing on the iBGP peer.
C. The prefix is filtered by an inbound route-map.
D. The maximum-paths limit is exceeded.
Answer: A

Correct. Synchronization prevents route installation if IGP does not have the prefix.

Why this answer

In iBGP, by default, the next-hop is not changed when advertising to iBGP peers (next-hop-self is not set). If the next-hop is not reachable via an IGP route (e.g., because the IGP does not carry the connected subnet of the eBGP peer), the route is not installed. However, the scenario says the next-hop is reachable, so another common issue is the BGP synchronization rule (when enabled) requiring the prefix to be present in the IGP before installing it.

30
Drag & Drop · medium

Drag and drop the steps to verify and validate NAT and PAT operational state into the correct order, from first to last.

Why this order

Verification should start with a high-level overview of translations, then check for active translations with details, then verify interface configurations, then confirm statistics for drops or failures, and finally test end-to-end connectivity.

31
MCQ · medium

Consider this partial configuration:

ip nat inside source list 1 interface GigabitEthernet0/1 overload
access-list 1 permit 192.168.1.0 0.0.0.255
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/2
 ip address 172.16.0.1 255.255.255.0
 ip nat inside

What is true about traffic from the 172.16.0.0/24 network?

A. It is translated using PAT to 203.0.113.1.
B. It is not translated and will be forwarded with its original source IP.
C. It is dropped because NAT is required for all inside interfaces.
D. It is translated using a different pool because it is on a separate inside interface.
Answer: B

Traffic not matching the ACL is not subject to NAT; it is routed normally.

Why this answer

The ACL (access-list 1) only permits 192.168.1.0/24. Traffic from 172.16.0.0/24 is not matched and therefore not translated.

32
MCQhard

According to RFC 4787 (NAT Behavioral Requirements for UDP), what is the recommended default timeout for UDP NAT mappings?

A. 60 seconds
B. 300 seconds
C. 600 seconds
D. 86400 seconds
Answer: B

Correct. RFC 4787 recommends 300 seconds for UDP NAT mappings, and Cisco IOS defaults to that value.

Why this answer

RFC 4787 recommends a default UDP mapping timeout of 5 minutes (300 seconds). Cisco IOS defaults to this value for UDP NAT translations.

33
Multi-Select · hard

Which THREE statements about NAT and PAT behavior in Cisco IOS are true? (Choose THREE.)

Select 3 answers
A. PAT allows multiple inside hosts to share a single public IP address by using unique source port numbers.
B. The NAT translation table for PAT includes the inside global IP and port, and the outside global IP and port.
C. The command 'ip nat inside source list 1 interface GigabitEthernet0/0 overload' enables PAT using the interface IP.
D. The 'ip nat inside source static' command automatically enables PAT when multiple inside hosts are configured.
E. The 'ip nat pool' command is required for all PAT configurations.
Answers: A, B, C

Correct. PAT multiplexes many inside addresses to one outside address by differentiating TCP/UDP ports.

Why this answer

PAT (overload) uses unique port numbers to distinguish multiple inside hosts sharing a single public IP. The NAT table stores a five-tuple (protocol, inside local IP:port, inside global IP:port, outside local IP:port, outside global IP:port). 'ip nat inside source list 1 interface GigabitEthernet0/0 overload' is the correct syntax for PAT with an interface. The 'ip nat inside source static' command creates a one-to-one mapping and does not use overload.

The 'ip nat pool' command defines a range of addresses, but PAT can also use a single interface IP.

34
MCQ · hard

A network engineer runs the following commands on Router R1:

R1# show ip nat translations
Pro  Inside global  Inside local  Outside local  Outside global
---  192.0.2.10     10.0.0.10     ---            ---
---  192.0.2.11     10.0.0.11     ---            ---
---  192.0.2.12     10.0.0.12     ---            ---
---  192.0.2.13     10.0.0.13     ---            ---
---  192.0.2.14     10.0.0.14     ---            ---
---  192.0.2.15     10.0.0.15     ---            ---
---  192.0.2.16     10.0.0.16     ---            ---
---  192.0.2.17     10.0.0.17     ---            ---
---  192.0.2.18     10.0.0.18     ---            ---
---  192.0.2.19     10.0.0.19     ---            ---
---  192.0.2.20     10.0.0.20     ---            ---
R1# show ip nat statistics
Total active translations: 11 (0 static, 11 dynamic; 0 extended)
Outside interfaces: GigabitEthernet0/1
Inside interfaces: GigabitEthernet0/0
Hits: 200  Misses: 0
CEF Translated packets: 200, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id] ip nat pool POOL1 192.0.2.10 192.0.2.20 netmask 255.255.255.240 refcount 11 map-id 1
[Id] ip nat inside source list ACL1 pool POOL1 refcount 11

Based on this output, what is the problem?

A. The NAT pool is exhausted; no addresses are available for new translations.
B. PAT is not configured, causing address exhaustion.
C. The inside and outside interfaces are misconfigured.
D. Static NAT is conflicting with dynamic NAT.
Answer: A

All 11 pool addresses are in use, and the pool has no more addresses. New translations will fail.

Why this answer

The output shows 11 dynamic translations using all 11 addresses in the pool (192.0.2.10–192.0.2.20 inclusive = 11 addresses). The pool is fully utilized. If a new inside host attempts to communicate, it will fail because no addresses are available.

This is a problem because the pool is exhausted.

35
MCQ · hard

An engineer configures Control Plane Policing (CoPP) on a router to protect the control plane. After applying the policy, OSPF neighbors go down. The CoPP policy has a class that matches OSPF traffic with a rate-limit of 100 pps. Which is the most likely explanation?

A. The OSPF traffic is being dropped because the rate-limit is too low for the hello interval.
B. The CoPP policy is applied to the wrong interface.
C. The OSPF traffic is matched by the default class and dropped.
D. The CoPP policy uses 'police' instead of 'rate-limit'.
Answer: A

Correct. Low pps rate can drop OSPF hellos, causing neighbor loss.

Why this answer

CoPP policies can affect control plane traffic. If the rate-limit is too low (e.g., 100 pps) and OSPF hello packets are sent at a higher rate (especially with fast hello), or if the policy drops packets due to burst, the OSPF neighbor may time out. Additionally, the default class may drop traffic not explicitly matched.

36
MCQ · easy

A network engineer runs the following commands on Router R1:

R1# show ip nat translations
Pro  Inside global  Inside local  Outside local  Outside global
---  192.0.2.10     10.0.0.10     ---            ---
R1# show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Outside interfaces: GigabitEthernet0/1
Inside interfaces: GigabitEthernet0/0
Hits: 5  Misses: 0
CEF Translated packets: 5, CEF Punted packets: 0
Expired translations: 0

Based on this output, which statement is correct?

A. Static NAT is configured for host 10.0.0.10 to 192.0.2.10.
B. Dynamic NAT is configured with overload.
C. The NAT pool is exhausted.
D. PAT is translating multiple hosts to the same global address.
Answer: A

The translation shows a static mapping (no protocol, and statistics confirm static).

Why this answer

The output shows a single static NAT translation. The statistics confirm 1 static translation and 0 dynamic. This is a simple static NAT mapping.

37
MCQ · hard

An engineer configures NAT overload (PAT) on a router to translate internal addresses to a single public IP. Users can browse the web, but some applications that use non-standard ports fail. Which is the most likely explanation?

A. The application uses protocols that do not have port numbers, such as GRE, and PAT cannot handle them.
B. The NAT pool is exhausted.
C. The inside interface is not configured correctly.
D. The outside interface has a different MTU.
Answer: A

Correct. PAT requires port numbers; non-TCP/UDP protocols fail.

Why this answer

PAT uses port numbers to differentiate translations. Some applications use protocols that do not have port numbers (e.g., GRE, IPsec ESP) or use ports that conflict with NAT's own port allocation. Additionally, if the application uses embedded IP addresses or ports (e.g., FTP, SIP), PAT may not translate them correctly without ALG support.

38
MCQ · hard

Router R1 is configured with ip nat inside source list 100 interface GigabitEthernet0/1 overload. Users report that some websites load slowly or partially. Router R1 shows: show ip nat statistics: Total active translations: 65535 (0 static, 65535 dynamic; 65535 extended). The NAT pool is exhausted. What is the root cause?

A. Reduce the NAT timeout values using ip nat translation timeout and ip nat translation tcp-timeout.
B. Increase the access-list 100 to include more internal hosts.
C. Change the NAT to use a pool of public IPs instead of overload.
D. Clear the NAT table with clear ip nat translation * periodically.
Answer: A

Shorter timeouts free up entries faster, preventing exhaustion.

Why this answer

The NAT translation table is full (65535 entries, the maximum for PAT), meaning no new translations can be created. This can cause partial loading as some connections fail. The root cause is likely that NAT timeouts are too long (default 24 hours for TCP) or there is a DoS attack generating many connections.

The correct fix is to reduce timeouts or increase the number of available ports by using multiple public IPs.

39
MCQ · hard

A network engineer runs the following command to debug NAT with route maps:

R1# debug ip nat policy
NAT: policy: match ip address 100
NAT: policy: match ip address 100
NAT: policy: match ip address 100
NAT: policy: route-map RM-NAT permit 10
  match ip address 100
  set ip next-hop 10.0.0.1

What does this output indicate?

A. NAT is using a route map to redirect traffic for translation.
B. The route map is blocking all traffic.
C. NAT is not configured.
D. The route map is used for routing, not NAT.
Answer: A

Policy NAT uses route maps to match and redirect traffic.

Why this answer

The debug shows that a route map is being used for NAT policy-based routing. The 'set ip next-hop' indicates traffic is being redirected, possibly for NAT purposes.

40
MCQ · medium

Which of the following is true regarding the default behavior of NAT in Cisco IOS when handling ICMP traffic?

A. ICMP traffic is not translated by NAT unless explicitly configured.
B. ICMP NAT entries use the same timeout as TCP entries by default.
C. ICMP NAT entries time out after 60 seconds by default.
D. ICMP NAT entries are permanent and do not time out.
Answer: C

Correct. The default timeout for ICMP NAT entries is 60 seconds in Cisco IOS.

Why this answer

Cisco IOS NAT translates ICMP traffic by default. ICMP query types (such as echo request/reply) are translated using the ICMP identifier field as a pseudo-port, and the default timeout for ICMP NAT entries is 60 seconds.

41
MCQ · medium

Examine this configuration:

interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip nat outside
!
ip nat inside source static tcp 10.0.0.10 80 198.51.100.10 8080 extendable

Which statement is true?

A. All traffic from 10.0.0.10 is translated to 198.51.100.10.
B. Incoming traffic to 198.51.100.10:8080 is forwarded to 10.0.0.10:80.
C. The 'extendable' keyword is invalid for static NAT.
D. This translation will not work unless 'ip nat inside source list' is also configured.
Answer: B

Static NAT/PAT maps the outside address/port to the inside address/port bidirectionally.

Why this answer

This is a static NAT for TCP port 80 on inside host 10.0.0.10 to outside address 198.51.100.10 port 8080. The 'extendable' keyword allows multiple static translations to the same outside IP.

42
MCQ · easy

What is the default timeout for NAT translation entries in Cisco IOS?

A. 60 seconds
B. 300 seconds
C. 86400 seconds (24 hours)
D. Never expires
Answer: C

The default timeout for NAT entries is 24 hours.

Why this answer

The default timeout for dynamic NAT translations is 24 hours (86400 seconds). This can be changed with the 'ip nat translation timeout' command.

43
Multi-Select · medium

Which TWO commands would a network engineer use to verify NAT translations and their statistics on a Cisco IOS router? (Choose TWO.)

Select 2 answers
A. show ip nat translations
B. show ip nat statistics
C. show ip nat verbose
D. show running-config | include nat
E. debug ip nat
Answers: A, B

This command lists all current NAT/PAT translations, including inside local, inside global, outside local, and outside global addresses.

Why this answer

The show ip nat translations command displays active NAT/PAT translation entries, while show ip nat statistics provides counters and configuration details. The other commands either do not exist or serve different purposes.

44
MCQ · easy

Which statement accurately describes the behavior of the ip nat inside source static command when configuring static NAT for a single inside host?

A. It dynamically allocates the global address from a pool and removes the entry after an idle timeout.
B. It creates a permanent mapping that remains in the NAT table until the configuration is removed.
C. It requires the use of an access list to define which traffic is translated.
D. It translates only TCP and UDP traffic by default.
Answer: B

Correct. Static NAT entries are permanent and do not age out.

Why this answer

The ip nat inside source static command creates a permanent one-to-one mapping between an inside local IP address and an inside global IP address. This translation is always present in the NAT table and does not time out.

45
Multi-Select · hard

Which THREE symptoms indicate that NAT is misconfigured or failing on a Cisco router? (Choose THREE.)

Select 3 answers
A. Inside hosts can ping the outside interface IP but cannot reach hosts beyond it.
B. Traffic flows in one direction only (e.g., inside-to-outside works, but return traffic fails).
C. The show ip nat translations output shows many translations with the same inside global address but different ports, and new connections fail.
D. The router's CPU utilization is high due to the BGP process.
E. The show ip route command shows a default route pointing to the ISP next hop.
Answers: A, B, C

This often indicates that NAT is not translating the source address for packets going out, or the return traffic is not being untranslated.

Why this answer

Common NAT failure symptoms include: inability to ping from inside to outside (no translation), asymmetric routing causing one-way traffic, and translation table exhaustion. The other options describe unrelated issues.

46
MCQ · hard

Which of the following is a limitation of NAT as defined in RFC 2663?

A. NAT cannot translate UDP traffic.
B. NAT is incompatible with TCP traffic.
C. NAT breaks end-to-end IP connectivity and can interfere with application-layer protocols.
D. NAT requires all traffic to be encrypted.
Answer: C

Correct. This is a well-known limitation of NAT as per RFC 2663.

Why this answer

RFC 2663 describes NAT and its limitations. One key limitation is that NAT breaks end-to-end IP connectivity because it modifies IP addresses and possibly port numbers in packets, which can interfere with protocols that embed IP addresses in the payload (e.g., FTP, SIP).

47
MCQ · medium

Given this configuration:

ip nat pool GLOBAL 203.0.113.1 203.0.113.10 prefix-length 28
ip nat inside source list 10 pool GLOBAL overload
access-list 10 permit 10.0.0.0 0.255.255.255

What is the effect?

A. All inside hosts are translated to the first pool address only.
B. Each inside host gets a unique pool address without port translation.
C. Inside hosts matching ACL 10 are translated to addresses in the pool using PAT.
D. The prefix-length 28 is invalid; a netmask must be used instead.
Answer: C

This correctly describes the configuration: dynamic NAT with overload.

Why this answer

This uses a pool of addresses with PAT (overload). Inside hosts matching ACL 10 are translated to one of the pool addresses with port multiplexing.

48
MCQ · hard

A network engineer runs the following commands on Router R1:

R1# show ip nat translations
Pro  Inside global    Inside local    Outside local     Outside global
udp  192.0.2.10:1234  10.0.0.10:1234  203.0.113.5:53    203.0.113.5:53
tcp  192.0.2.10:5678  10.0.0.10:5678  198.51.100.20:80  198.51.100.20:80
---  192.0.2.11       10.0.0.11       ---               ---
R1# show ip nat statistics
Total active translations: 3 (0 static, 3 dynamic; 3 extended)
Outside interfaces: GigabitEthernet0/1
Inside interfaces: GigabitEthernet0/0
Hits: 100  Misses: 0
CEF Translated packets: 100, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id] ip nat pool POOL1 192.0.2.10 192.0.2.20 netmask 255.255.255.240 refcount 3 map-id 1 overload
[Id] ip nat inside source list ACL1 pool POOL1 overload refcount 3

Based on this output, what is the problem?

A. The third translation is not using PAT, indicating a possible ACL or route-map misconfiguration.
B. The pool is exhausted because 192.0.2.10 is used twice.
C. The outside interface is misconfigured as inside.
D. The NAT translations are all static.
Answer: A

The overload configuration should create PAT entries with protocol/port. The third entry without protocol suggests the traffic from 10.0.0.11 is not being matched by the same ACL or is using a different pool.

Why this answer

The output shows two PAT translations (UDP and TCP) for 10.0.0.10 using the same inside global address 192.0.2.10, plus a dynamic NAT translation for 10.0.0.11 without protocol/port. The problem is that the third translation (10.0.0.11) is not using PAT (no port), which could indicate a misconfiguration or that ACL1 does not match traffic from 10.0.0.11 properly, or that the pool is misapplied. However, the key clue is that the third entry lacks a protocol, meaning it is a basic NAT translation, not PAT, which is inconsistent with the overload configuration.

This could be due to a route-map or ACL issue.

49
MCQ · hard

An engineer configures mutual redistribution between OSPF and EIGRP on a router. After a few minutes, the router's CPU spikes and routes start flapping. Which is the most likely explanation?

A. The redistribution is creating a routing loop because there is no route tagging or filtering to prevent re-redistribution.
B. The seed metric is not configured, so the routes are not redistributed.
C. The administrative distance is set too low, causing the router to prefer the wrong route.
D. The OSPF process ID is the same on both routers.
Answer: A

Correct. Without tagging, routes can loop between protocols.

Why this answer

Mutual redistribution without route tagging can cause a routing loop where a route redistributed from OSPF into EIGRP is then redistributed back into OSPF with a different metric, causing the router to prefer the redistributed route and create a loop. This leads to route flapping and CPU spikes as the router continuously updates.

50
MCQ · medium

What is the default timeout value for a NAT translation entry that is not using Port Address Translation (PAT) in Cisco IOS?

A. 60 seconds
B. 300 seconds
C. 86400 seconds
D. 3600 seconds
Answer: C

Correct. Basic NAT translations default to 24 hours (86400 seconds) in Cisco IOS.

Why this answer

The default timeout for a basic NAT translation (no PAT) is 86400 seconds (24 hours). This is defined in RFC 2663 and implemented as the default in Cisco IOS.

51
MCQ · medium

A network engineer runs the following commands on Router R1:

R1# show ip nat translations
Pro  Inside global  Inside local  Outside local  Outside global
---  192.0.2.10     10.0.0.10     ---            ---
---  192.0.2.11     10.0.0.11     ---            ---
R1# show ip nat statistics
Total active translations: 2 (0 static, 2 dynamic; 0 extended)
Outside interfaces: GigabitEthernet0/1
Inside interfaces: GigabitEthernet0/0
Hits: 0  Misses: 10
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id] ip nat pool POOL1 192.0.2.10 192.0.2.20 netmask 255.255.255.240 refcount 2 map-id 1
[Id] ip nat inside source list ACL1 pool POOL1 refcount 2

Based on this output, what is the problem?

A. NAT translations exist but no packets are being translated (0 hits), indicating a possible routing or ACL issue.
B. The NAT pool is exhausted.
C. PAT is enabled but not working.
D. The inside and outside interfaces are reversed.
Answer: A

The 0 hits with 10 misses suggest that translations are created but no successful data flow; packets are missing or not returning.

Why this answer

The output shows 2 dynamic translations but 0 hits and 10 misses. This indicates that NAT translations are being created (perhaps due to control plane traffic or initial packets), but no data packets are being translated successfully. The misses suggest that packets are arriving that do not match existing translations, and new translations are being created, but hits are zero, meaning no return traffic or successful data flow.

This could be due to routing issues, ACL misconfiguration, or asymmetric routing.

52
MCQ · hard

In a multi-VRF environment, Router R1 is leaking routes between VRF A and VRF B using route-target import/export. Hosts in VRF A can ping hosts in VRF B, but traffic from VRF B to VRF A fails when NAT is applied on the VRF A egress interface. Configuration: ip nat inside source list 100 interface GigabitEthernet0/1 vrf A overload. Router R1 shows: show ip nat translations vrf A: no entries. What is the root cause?

A. The NAT command is missing the 'vrf A' keyword; it should be ip nat inside source list 100 interface GigabitEthernet0/1 vrf A overload.
B. The route leaking is misconfigured; use route-map to filter routes.
C. The access-list 100 is blocking VRF B traffic.
D. The interface GigabitEthernet0/1 is not in VRF A.
Answer: A

Adding the VRF keyword ensures NAT operates within the correct VRF context.

Why this answer

NAT configuration for VRF A requires the 'vrf' keyword to be specified in the NAT command. Without it, NAT does not operate within the VRF context. The missing 'vrf A' in the NAT configuration means that traffic from VRF B to VRF A is not translated, causing asymmetric routing or unreachability.

53
MCQ · medium

A network engineer is troubleshooting connectivity from a host inside a corporate network to a public web server. The host has IP 10.1.1.10/24, and the router's outside interface is 203.0.113.1/24. The engineer configured a dynamic NAT pool (203.0.113.10-203.0.113.20) and an access list permitting 10.1.1.0/24. However, traffic from the host fails. A 'show ip nat translations' reveals no translations. What is the most likely cause?

A. The NAT pool is exhausted.
B. The 'ip nat inside' and 'ip nat outside' commands are misapplied on the interfaces.
C. The access list used in the NAT configuration does not match the source IP of the host.
D. The host's default gateway is not the router's inside interface.
Answer: C

Correct because dynamic NAT requires the ACL to match the source; if the ACL is misconfigured (e.g., denies the subnet), no translations are created.

Why this answer

If the access list does not match the source IP of the traffic, NAT will not create translations. The engineer must verify that the ACL permits the correct source subnet.

54
MCQ · medium

What is the default maximum number of NAT translations that can be created in Cisco IOS?

A. 512 translations
B. 1024 translations
C. Unlimited, limited only by available memory
D. 4096 translations
Answer: C

Correct. Cisco IOS allows NAT translations up to the memory capacity of the device.

Why this answer

Cisco IOS does not have a fixed default maximum number of NAT translations; it is limited by available memory. However, the ip nat translation max-entries command can be used to set a limit. Without configuration, the limit is dynamic based on system resources.

55
MCQ · medium

A network engineer is troubleshooting PAT (overload) on a Cisco router. The inside network uses 192.168.1.0/24, and the outside interface has IP 198.51.100.1. The engineer configured 'ip nat inside source list 1 interface GigabitEthernet0/0 overload'. Traffic from inside hosts works initially, but after a few minutes, new connections fail. 'show ip nat translations' shows many entries with the same outside global IP but different ports. 'show ip nat statistics' indicates that the number of translations is near 500. What is the most likely cause?

A. The NAT pool is not configured with overload.
B. The outside interface is flapping, causing translations to be cleared.
C. The router has run out of available port numbers for PAT.
D. The access list is denying some inside hosts.
Answer: C

Correct because PAT uses a limited port range (usually 1024-65535), and with many sessions, ports can be exhausted, preventing new translations.

Why this answer

PAT uses port numbers to multiplex many inside hosts to a single outside IP. Each TCP/UDP session consumes a port; when the port range is exhausted, new translations cannot be created.

56
Multi-Select · hard

Which TWO statements about the 'ip nat outside source' feature are true? (Choose TWO.)

Select 2 answers
A. It translates the source IP address of packets arriving on an interface configured as 'ip nat outside'.
B. It can be used to map an external public IP to an internal private IP so that inside routers can route to the private address.
C. It requires the 'overload' keyword to perform Port Address Translation.
D. It translates the destination IP address of packets leaving the inside network.
E. The translation is unidirectional; return traffic is not translated back.
Answers: A, B

Correct. The command translates the source address of outside-originated traffic.

Why this answer

'ip nat outside source' translates the source IP of packets coming from the outside network. It is typically used to map external addresses to a private range for internal routing. The translation is bidirectional (return traffic is translated back).

This command does not affect destination IPs and does not require an overload keyword.

57
MCQ · hard

A network engineer runs the following commands on Router R1:

R1# show ip nat translations
Pro  Inside global  Inside local  Outside local      Outside global
tcp  192.0.2.10:80  10.0.0.10:80  203.0.113.5:12345  203.0.113.5:12345
tcp  192.0.2.10:80  10.0.0.11:80  203.0.113.5:67890  203.0.113.5:67890
R1# show ip nat statistics
Total active translations: 2 (0 static, 2 dynamic; 2 extended)
Outside interfaces: GigabitEthernet0/1
Inside interfaces: GigabitEthernet0/0
Hits: 50  Misses: 0
CEF Translated packets: 50, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id] ip nat inside source list ACL1 interface GigabitEthernet0/1 overload refcount 2

Based on this output, what is the problem?

A. PAT is not assigning unique source ports; both translations use port 80, which will cause conflicts.
B. The NAT pool is misconfigured because it uses the interface address.
C. The inside and outside interfaces are swapped.
D. Static NAT is interfering with dynamic NAT.
Answer: A

In PAT, the router should change the source port to a unique value. Both translations showing the same inside global port 80 indicates a problem.

Why this answer

The output shows two inside hosts (10.0.0.10 and 10.0.0.11) both using the same inside global address 192.0.2.10 (the interface address) and the same port 80. This is a problem because PAT should assign unique source ports for each translation. Both translations show the same inside global port (80), which is incorrect; PAT should use different ports.

This indicates a misconfiguration or a bug, as PAT normally changes the source port to a unique value. The correct answer is that PAT is not assigning unique ports, which will cause conflicts.

58
MCQ · medium

Which TCP flag combination triggers the NAT translation timeout to change from the default to the 'ip nat translation tcp-timeout' value?

A. SYN
B. FIN or RST
C. ACK
D. URG
Answer: B

FIN and RST indicate connection termination, causing the NAT entry to expire quickly.

Why this answer

When a TCP connection is closed, the FIN or RST flag causes the NAT entry to use the shorter tcp-timeout (default 60 seconds) instead of the general timeout.

59
MCQ · medium

A network engineer runs the following command to verify NAT translations:

R1# show ip nat translations verbose
Pro  Inside global  Inside local  Outside local  Outside global
---  10.2.2.2       10.1.1.1      192.168.1.1    192.168.1.1
  create 00:00:15, use 00:00:05, flags: extended, timing-out

What does the 'extended' flag indicate?

A. The translation is for a single port only.
B. The translation includes port information, typical of PAT.
C. The translation is static and never times out.
D. The translation is for a VPN tunnel.
Answer: B

Extended NAT entries include protocol and port numbers for PAT.

Why this answer

The 'extended' flag indicates that this is a PAT (Port Address Translation) entry, using port numbers for multiplexing.

60
MCQ · medium

In Cisco IOS, what is the default timeout for TCP NAT translations when the TCP session is idle?

A. 60 seconds
B. 300 seconds
C. 3600 seconds
D. 86400 seconds
Answer: D

Correct. The default TCP NAT translation timeout is 24 hours (86400 seconds) in Cisco IOS.

Why this answer

The default TCP NAT translation timeout in Cisco IOS is 86400 seconds (24 hours) when no data is being transferred. However, if the TCP session is established and idle, the timeout is 60 minutes (3600 seconds) after the first packet. The 24-hour value applies to the overall translation entry.

61
MCQ · hard

Router R1 is configured with ip nat inside source list 100 interface GigabitEthernet0/1 overload. Internal hosts can access the internet, but traffic to a specific external server at 203.0.113.200 is being dropped. Router R1 shows:

show ip nat statistics: Total active translations: 1000
debug ip nat: NAT: s=192.168.1.1->203.0.113.1, d=203.0.113.200 [0]

The external server shows no received packets. What is the root cause?

A. The router does not have a route to 203.0.113.200; configure a default route or specific route.
B. The access-list 100 is blocking the destination.
C. The NAT translation is failing due to port exhaustion.
D. The external server is blocking the source IP.
Answer: A

Without a route, the packet is dropped after NAT.

Why this answer

The debug shows successful NAT translation, but the packet is still dropped. This could be due to a route issue: the router may not have a route to 203.0.113.200, or the next-hop is unreachable. The correct fix is to check the routing table for the destination.

62
MCQ · easy

In the context of NAT and PAT, what is the purpose of the ip nat translation timeout command?

A. It sets the timeout for static NAT entries.
B. It configures the timeout for all dynamic NAT translations globally.
C. It sets the timeout only for TCP translations.
D. It configures the timeout for translations on a specific interface.
Answer: B

Correct. This command sets the global timeout for dynamic NAT entries.

Why this answer

The ip nat translation timeout command globally modifies the timeout value for dynamic NAT translations. It affects all protocols unless overridden by protocol-specific timers (e.g., ip nat translation udp-timeout).

63
MCQ · medium

A network engineer runs the following commands on Router R1:

R1# show ip nat translations
Pro  Inside global  Inside local  Outside local  Outside global
---  192.0.2.10     10.0.0.10     203.0.113.5    203.0.113.5
---  192.0.2.11     10.0.0.11     203.0.113.5    203.0.113.5
R1# show ip nat statistics
Total active translations: 2 (0 static, 2 dynamic; 0 extended)
Outside interfaces: GigabitEthernet0/1
Inside interfaces: GigabitEthernet0/0
Hits: 20  Misses: 0
CEF Translated packets: 20, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id] ip nat pool POOL1 192.0.2.10 192.0.2.20 netmask 255.255.255.240 refcount 2 map-id 1
[Id] ip nat inside source list ACL1 pool POOL1 refcount 2

Based on this output, which statement is correct?

A. NAT is configured without PAT; each inside host uses a unique global address.
B. PAT is enabled, but only two translations are active.
C. The pool is exhausted because two addresses are used.
D. Static NAT is configured for both hosts.
Answer: A

The statistics show 0 extended translations, and the mapping lacks 'overload'. The translations show different inside global addresses for each inside local.

Why this answer

The output shows dynamic NAT without overload (no 'overload' keyword in the mapping, and 0 extended translations). Each inside host gets a unique inside global address. This is basic NAT, not PAT.

The correct answer is that NAT is working without PAT.

64
MCQ · easy

A network engineer runs the following command to debug NAT with access lists:

R1# debug ip nat access-list 100
NAT: access list 100 matched ip 10.1.1.1 -> 192.168.1.1
NAT: access list 100 matched ip 10.1.1.2 -> 192.168.1.1
NAT: access list 100 matched ip 10.1.1.3 -> 192.168.1.1
NAT: access list 100 matched ip 10.1.1.4 -> 192.168.1.1

What does this output indicate?

A. The access list is correctly matching traffic for NAT.
B. NAT is failing because translations are not being created.
C. The access list is misconfigured and blocking traffic.
D. The inside interface is not configured.
Answer: A

The debug confirms the access list is being hit by traffic.

Why this answer

The debug shows that traffic from multiple inside hosts is matching the access list, which is the first step in NAT. It does not show whether translations are created.

65
Multi-Select · hard

Which TWO statements correctly describe the behavior of NAT with route maps and ACLs when using the 'ip nat inside source route-map' feature? (Choose TWO.)

Select 2 answers
A. The route map can use 'match ip address' to select traffic for translation based on source IP.
B. The route map can use 'match interface' to translate only when traffic exits a specific interface.
C. The route map can use 'match ip next-hop' to control translation based on the next-hop IP.
D. The route map is evaluated once per session at the creation of the translation entry.
E. The route map can use 'set ip next-hop' to change the destination of translated packets.
Answers: A, B

Correct. 'match ip address' references an ACL that selects source IPs for NAT.

Why this answer

Route maps used with NAT allow granular control based on match criteria. The 'match ip address' references an ACL for source IP, and the 'match interface' can be used to match the outgoing interface. The route map is evaluated per packet, not per session, and the 'ip nat inside source' command does not support 'match ip next-hop' or 'set ip next-hop'.

66
MCQhard

An engineer configures unicast Reverse Path Forwarding (uRPF) in strict mode on an interface connected to a network with asymmetric routing. Users report intermittent connectivity issues. Which is the most likely explanation?

A.Asymmetric routing causes packets to arrive on an interface that is not the best return path, so uRPF drops them.
B.The uRPF configuration is missing the 'allow-default' option.
C.The routing table does not have a route for the source IP.
D.The interface has multiple IP addresses.
AnswerA

Correct. Strict mode requires symmetric routing.

Why this answer

Strict mode uRPF checks that the source IP of incoming packets has a route back through the same interface. With asymmetric routing, packets may arrive on an interface that is not the best return path, causing uRPF to drop them. Loose mode would allow asymmetric routing but still check for a route.

67
MCQhard

A network engineer is troubleshooting NAT for a web server that is reachable from the internet via a static NAT mapping 203.0.113.20 to 10.0.0.20. The server responds to HTTP requests, but the engineer cannot SSH to the server from the internet. 'Show ip nat translations' shows the static entry. The router's ACL on the outside interface permits TCP port 22 to 203.0.113.20. What is the most likely cause?

A.The server's default gateway is not the router's inside interface.
B.The router's NAT is not translating the return traffic for SSH because the server sends packets with a different source IP.
C.The SSH service is not running on the server.
D.The router's ACL is blocking SSH traffic despite the permit statement.
AnswerB

Correct because if the server has multiple IPs or a different source IP for SSH responses (e.g., from a loopback), the router may not translate that source IP back to 203.0.113.20, breaking the session.

Why this answer

Static NAT translates the destination IP, but if the server's response uses a different source IP (e.g., due to multiple interfaces or routing), the return traffic may not be translated back. However, a common issue is that the server's firewall or local ACL blocks SSH, or the router's NAT is not translating the return traffic correctly.

68
MCQeasy

A network engineer runs the following commands on Router R1:

R1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
udp 192.0.2.10:10000   10.0.0.10:10000    203.0.113.5:53     203.0.113.5:53
udp 192.0.2.10:10001   10.0.0.11:10000    203.0.113.5:53     203.0.113.5:53
udp 192.0.2.10:10002   10.0.0.12:10000    203.0.113.5:53     203.0.113.5:53
R1# show ip nat statistics
Total active translations: 3 (0 static, 3 dynamic; 3 extended)
Outside interfaces:
  GigabitEthernet0/1
Inside interfaces:
  GigabitEthernet0/0
Hits: 150  Misses: 0
CEF Translated packets: 150, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id] ip nat inside source list ACL1 interface GigabitEthernet0/1 overload refcount 3

Based on this output, which statement is correct?

A.PAT is working correctly; multiple inside hosts share the same global address with unique ports.
B.The NAT pool is exhausted because all addresses are used.
C.Static NAT is configured for DNS traffic.
D.The inside and outside interfaces are swapped.
AnswerA

The translations show different source ports for each inside host, and the mapping uses interface overload. Hits indicate successful translation.

Why this answer

The output shows three PAT translations using the interface address (192.0.2.10) with unique source ports (10000, 10001, 10002). This is correct PAT operation. The statistics show hits and no misses, indicating proper function.

69
Multi-Selectmedium

Which TWO configuration steps are required to implement static NAT on a Cisco IOS router? (Choose TWO.)

Select 2 answers
A.Configure ip nat inside source static <inside-local> <inside-global> in global configuration mode.
B.Apply the ip nat inside command on the interface facing the internal network.
C.Apply the ip nat outside command on the interface facing the internal network.
D.Configure an access list to match the inside local addresses for translation.
E.Enable the ip nat service command globally to activate NAT.
AnswersA, B

This command creates a permanent mapping between a private inside address and a public global address.

Why this answer

Static NAT requires defining a one-to-one mapping between inside local and inside global addresses, and then applying the ip nat inside and ip nat outside commands on the respective interfaces.

70
MCQhard

An engineer configures an IPsec site-to-site VPN between two routers. The tunnel comes up, but traffic is not encrypted. Which is the most likely explanation?

A.The crypto ACL does not match the traffic that is being sent.
B.The transform set uses ESP with null encryption.
C.The ISAKMP policy has the wrong authentication method.
D.The pre-shared key is incorrect.
AnswerA

Correct. Interesting traffic must match the ACL for encryption.

Why this answer

IPsec encryption requires interesting traffic to trigger the tunnel. If the crypto ACL (access list) defining interesting traffic does not match the actual traffic (e.g., wrong source/destination or protocol), the traffic will be sent in the clear. Additionally, if the crypto map is not applied to the correct interface, encryption may not occur.

71
MCQhard

Router R1 is configured with ip nat inside source list 100 interface GigabitEthernet0/1 overload. Internal hosts can access the internet, but traffic to a specific external server at 203.0.113.100 is being translated to a different source IP than expected. Router R1 shows:

R1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 10.1.1.1           192.168.1.1        203.0.113.100      203.0.113.100

The server logs show connections from 10.1.1.1 instead of 203.0.113.1. What is the root cause?

A.The interface GigabitEthernet0/1 has a private IP address; configure a public IP or use a NAT pool.
B.The access-list 100 is incorrectly matching traffic.
C.The server is responding to the wrong IP due to asymmetric routing.
D.The NAT configuration is missing the 'overload' keyword.
AnswerA

If the interface IP is private, NAT will use that private IP, causing the issue.

Why this answer

The inside global address 10.1.1.1 is a private IP, indicating that the NAT is not translating to the public IP. This can happen if the interface GigabitEthernet0/1 has a private IP address or if there is a route-map that selects a different source. The correct fix is to ensure the interface has a public IP or use a NAT pool with public addresses.

72
MCQmedium

According to RFC 2663, what is the term for the process of translating both the source and destination IP addresses in a packet?

A.Static NAT
B.Twice NAT
C.PAT
D.Double NAT
AnswerB

Twice NAT translates both source and destination addresses.

Why this answer

RFC 2663 defines 'Twice NAT' as the process where both source and destination addresses are translated, typically used when address spaces overlap.

73
MCQhard

A network engineer runs the following command to troubleshoot PAT exhaustion:

R1# show ip nat statistics
Total active translations: 1024 (0 static, 1024 dynamic; 1024 extended)
Outside interfaces:
  GigabitEthernet0/1
Inside interfaces:
  GigabitEthernet0/0
Hits: 50000  Misses: 10
CEF Translated packets: 45000, CEF Punted packets: 5000
Expired translations: 2000
Dynamic mappings:
-- Inside Source
[Id: 1] access-list NAT permit ip 10.0.0.0 0.255.255.255 any refcount 1024, pool MyPool
 pool MyPool: netmask 255.255.255.240
        start 203.0.113.1 end 203.0.113.14
        type generic, total addresses 14, allocated 14 (100%), misses 0

What is the most likely issue?

A.The pool is exhausted; PAT is using all addresses, but port exhaustion may occur.
B.The access list is misconfigured, blocking traffic.
C.The outside interface is down.
D.Static translations are missing.
AnswerA

All 14 addresses are allocated, meaning PAT is using them, but with 1024 translations, ports may be running out.

Why this answer

The pool has only 14 addresses, and all are allocated (100%). With 1024 active translations, this indicates PAT is using all addresses and may be running out of ports.

74
MCQmedium

Consider the following partial configuration on a Cisco IOS-XE router:

interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
access-list 1 permit 192.168.1.0 0.0.0.255

What is the effect of this configuration?

A.All traffic from 192.168.1.0/24 is translated to 203.0.113.1 using PAT.
B.Only traffic from 192.168.1.1 is translated to 203.0.113.1 using PAT.
C.Traffic is translated using static NAT to 203.0.113.1.
D.The configuration is incomplete; a NAT pool is required for dynamic translation.
AnswerA

The 'overload' keyword enables PAT, and the ACL matches the inside network.

Why this answer

The configuration enables NAT overload (PAT) for the 192.168.1.0/24 network, translating all inside addresses to the IP of GigabitEthernet0/1 (203.0.113.1) with port multiplexing.

75
MCQmedium

A network engineer runs the following commands on Router R1:

R1# show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 192.0.2.10         10.0.0.10          ---                ---
R1# show ip nat statistics
Total active translations: 1 (0 static, 1 dynamic; 0 extended)
Outside interfaces:
  GigabitEthernet0/1
Inside interfaces:
  GigabitEthernet0/0
Hits: 0  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id] ip nat pool POOL1 192.0.2.10 192.0.2.20 netmask 255.255.255.240 refcount 1 map-id 1
[Id] ip nat inside source list ACL1 pool POOL1 refcount 1

Based on this output, what is the problem?

A.The NAT translation exists but no traffic is being translated (0 hits, 0 misses), indicating a possible idle translation or no matching traffic.
B.The NAT pool is exhausted.
C.PAT is misconfigured.
D.The inside and outside interfaces are reversed.
AnswerA

The translation is present but no packets have been processed. This could be a stale entry or lack of traffic.

Why this answer

The output shows 1 dynamic translation but 0 hits and 0 misses. This indicates that a translation entry exists (perhaps from a previous session or manual creation), but no packets have been translated. The 0 hits and 0 misses suggest that no traffic is flowing through the NAT.

This could be due to the translation being stale or no traffic matching the ACL.
