Back to Cisco CCNP ENARSI 300-410 questions

Scenario-based practice

NAT and PAT Configuration Scenarios

Practise 300-410 NAT and PAT questions covering address translation types, inside/outside interface roles, static vs dynamic vs PAT, and troubleshooting missing or incorrect translations.

15
scenario questions
300-410
exam code
Cisco
vendor

Scenario guide

How to approach nat and pat configuration scenarios

NAT and PAT questions cover static NAT (one-to-one), dynamic NAT (pool-based), and PAT/overload (many-to-one using port numbers). The CCNA asks you to read NAT table output, fix misconfigured NAT, and match the right NAT type to a scenario.

Quick answer

NAT questions usually test how private addresses are translated, when to use static NAT, dynamic NAT or PAT, and how inside/outside interfaces affect traffic flow.

Static NAT, dynamic NAT and PAT behaviour.

Inside local, inside global, outside local and outside global address meanings.

How NAT affects connectivity between private networks and public destinations.

How to troubleshoot NAT rules, ACL matches and interface direction.

Related practice questions

Related 300-410 topic practice pages

Scenario questions usually connect to one or more exam topics. Use these links to review the underlying concepts behind the scenario.

Practice set

Practice scenarios

Question 1hardmultiple choice
Study the full EIGRP explanation →

A DMVPN network uses IPv6 with EIGRP as the routing protocol. Spoke routers R2 and R3 are behind NAT and use mGRE tunnels. The hub R1 has an IPv6 ACL applied inbound on the tunnel interface that permits only EIGRP and denies all other IPv6 traffic. Spoke-to-spoke traffic fails even though direct tunnels are established. R2 shows 'ping 2001:db8:3::1 source loopback0' fails, but 'ping 2001:db8:1::1' (hub) succeeds. What is the root cause?

Question 2mediummultiple choice
Read the full NAT/PAT explanation →

A network engineer is troubleshooting connectivity from a host inside a corporate network to a public web server. The host has IP 10.1.1.10/24, and the router's outside interface is 203.0.113.1/24. The engineer configured a dynamic NAT pool (203.0.113.10-203.0.113.20) and an access list permitting 10.1.1.0/24. However, traffic from the host fails. A 'show ip nat translations' reveals no translations. What is the most likely cause?

Question 3mediummultiple choice
Read the full NAT/PAT explanation →

A network engineer is troubleshooting PAT (overload) on a Cisco router. The inside network uses 192.168.1.0/24, and the outside interface has IP 198.51.100.1. The engineer configured 'ip nat inside source list 1 interface GigabitEthernet0/0 overload'. Traffic from inside hosts works initially, but after a few minutes, new connections fail. 'Show ip nat translations' shows many entries with the same outside global IP but different ports. 'Show ip nat statistics' indicates that the number of translations is near 500. What is the most likely cause?

Question 4hardmultiple choice
Read the full NAT/PAT explanation →

An engineer configures static NAT on a router to map a public IP 203.0.113.5 to an internal server 10.0.0.5. The configuration includes 'ip nat inside source static 10.0.0.5 203.0.113.5'. The server is reachable from the outside, but the server cannot initiate connections to the outside network. 'Show ip nat translations' shows the static entry. What is the most likely cause?

Question 5hardmultiple choice
Read the full NAT/PAT explanation →

A network engineer is troubleshooting NAT for a VoIP phone that uses SIP. The phone is at 192.168.2.10, and the router performs PAT to the outside interface 198.51.100.1. The phone can register with the SIP server, but calls fail after 30 seconds. The engineer notices that the SIP signaling includes the phone's private IP in the SDP body. What is the most likely cause?

Question 6mediummultiple choice
Study the full ACL explanation →

An engineer configures NAT on a router with 'ip nat inside source list 1 interface GigabitEthernet0/0 overload'. The inside hosts are 10.0.0.0/24, and the outside interface is 203.0.113.1. Traffic works for most hosts, but one host at 10.0.0.50 cannot access the internet. 'Show ip nat translations' shows no entry for this host. 'Show access-lists' shows ACL 1 permits 10.0.0.0 0.0.0.255. What is the most likely cause?

Question 7hardmultiple choice
Read the full VPN explanation →

A network engineer is troubleshooting NAT for a VPN tunnel. The router has a static NAT rule 'ip nat inside source static 10.0.0.10 203.0.113.10' for a server. The VPN traffic from the remote site to 203.0.113.10 is being NATed to 10.0.0.10, but the return traffic from the server to the remote site is not being translated back. The engineer sees that the server sends packets with source 10.0.0.10 to the remote site's public IP. What should the engineer do to fix this?

Question 8mediummultiple choice
Study the full ACL explanation →

An engineer configures NAT overload on a router. The inside network uses 172.16.0.0/16, and the outside interface is 198.51.100.1. The engineer uses 'ip nat inside source list 1 interface GigabitEthernet0/0 overload'. ACL 1 permits 172.16.0.0 0.0.255.255. Traffic works, but the engineer notices that the router's CPU utilization is high, and 'show ip nat translations' shows thousands of entries. What is the most likely cause?

Question 9hardmultiple choice
Study the full ACL explanation →

A network engineer is troubleshooting NAT for a web server that is reachable from the internet via a static NAT mapping 203.0.113.20 to 10.0.0.20. The server responds to HTTP requests, but the engineer cannot SSH to the server from the internet. 'Show ip nat translations' shows the static entry. The router's ACL on the outside interface permits TCP port 22 to 203.0.113.20. What is the most likely cause?

Question 10mediummultiple choice
Read the full NAT/PAT explanation →

An engineer configures NAT on a router with 'ip nat inside source list 1 pool POOL overload' where POOL contains 203.0.113.1-203.0.113.5. The inside hosts are 10.0.0.0/24. Traffic works, but the engineer notices that some hosts are assigned the same public IP and port, causing conflicts. 'Show ip nat translations' shows entries with the same inside global IP and port for different inside local hosts. What is the most likely cause?

Question 11mediummultiple choice
Study the full ACL explanation →

A network engineer runs the following command on Router R1:

R1# show ip nat translations

Pro Inside global Inside local Outside local Outside global --- 192.0.2.10 10.0.0.10 --- --- --- 192.0.2.11 10.0.0.11 --- --- --- 192.0.2.12 10.0.0.12 --- ---

R1# show ip nat statistics

Total active translations: 3 (0 static, 3 dynamic; 3 extended) Outside interfaces: GigabitEthernet0/1 Inside interfaces: GigabitEthernet0/0 Hits: 45 Misses: 0 CEF Translated packets: 45, CEF Punted packets: 0 Expired translations: 0 Dynamic mappings: -- Inside Source

[Id] ip nat pool POOL1 192.0.2.10 192.0.2.20 netmask 255.255.255.240

refcount 3 map-id 1 overload

[Id] ip nat inside source list ACL1 pool POOL1 overload

refcount 3

Based on this output, which statement is correct?

Question 12hardmultiple choice
Study the full ACL explanation →

A network engineer runs the following command on Router R1:

R1# show ip nat translations

Pro Inside global Inside local Outside local Outside global udp 192.0.2.10:1234 10.0.0.10:1234 203.0.113.5:53 203.0.113.5:53 tcp 192.0.2.10:5678 10.0.0.10:5678 198.51.100.20:80 198.51.100.20:80 --- 192.0.2.11 10.0.0.11 --- ---

R1# show ip nat statistics

Total active translations: 3 (0 static, 3 dynamic; 3 extended) Outside interfaces: GigabitEthernet0/1 Inside interfaces: GigabitEthernet0/0 Hits: 100 Misses: 0 CEF Translated packets: 100, CEF Punted packets: 0 Expired translations: 0 Dynamic mappings: -- Inside Source

[Id] ip nat pool POOL1 192.0.2.10 192.0.2.20 netmask 255.255.255.240

refcount 3 map-id 1 overload

[Id] ip nat inside source list ACL1 pool POOL1 overload

refcount 3

Based on this output, what is the problem?

Question 13mediummultiple choice
Study the full ACL explanation →

A network engineer runs the following command on Router R1:

R1# show ip nat translations

Pro Inside global Inside local Outside local Outside global --- 192.0.2.10 10.0.0.10 203.0.113.5 203.0.113.5 --- 192.0.2.11 10.0.0.11 203.0.113.5 203.0.113.5

R1# show ip nat statistics

Total active translations: 2 (0 static, 2 dynamic; 0 extended) Outside interfaces: GigabitEthernet0/1 Inside interfaces: GigabitEthernet0/0 Hits: 20 Misses: 0 CEF Translated packets: 20, CEF Punted packets: 0 Expired translations: 0 Dynamic mappings: -- Inside Source

[Id] ip nat pool POOL1 192.0.2.10 192.0.2.20 netmask 255.255.255.240

refcount 2 map-id 1

[Id] ip nat inside source list ACL1 pool POOL1

refcount 2

Based on this output, which statement is correct?

Question 14mediummultiple choice
Read the full NAT/PAT explanation →

Given this partial configuration:

ip nat pool MYPOOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
ip nat inside source list 1 pool MYPOOL
access-list 1 permit 192.168.1.0 0.0.0.255

What is the effect?

Question 15mediummulti select
Read the full NAT/PAT explanation →

Which TWO commands would a network engineer use to verify NAT translations and their statistics on a Cisco IOS router? (Choose TWO.)

These 300-410 practice questions are part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style 300-410 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.