300-410 · topic practice

NAT and PAT practice questions

Practise 300-410 NAT and PAT questions covering address translation types, inside/outside interface roles, static vs dynamic vs PAT, and troubleshooting missing or incorrect translations.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: NAT and PAT

What the exam tests

What to know about NAT and PAT

NAT questions usually test how private addresses are translated, when to use static NAT, dynamic NAT or PAT, and how inside/outside interfaces affect traffic flow.

Static NAT, dynamic NAT and PAT behaviour.

Inside local, inside global, outside local and outside global address meanings.

How NAT affects connectivity between private networks and public destinations.

How to troubleshoot NAT rules, ACL matches and interface direction.

Why learners struggle

Why NAT and PAT questions are commonly missed

NAT questions are missed when learners confuse the four address types (inside local, inside global, outside local, outside global) or misapply the interface direction. A translation rule can look correct but still fail if the ACL, interface, or direction is wrong.

  • ·Inside local vs inside global — inside local is the private source, inside global is the translated public address
  • ·PAT overloads — many sources share one public IP using unique port numbers
  • ·Interface direction — ip nat inside and ip nat outside must be on the correct interfaces
  • ·Static NAT vs dynamic NAT vs PAT — each serves a different use case
  • ·The NAT ACL identifies traffic to translate, not traffic to permit or deny
  • ·A missing translation can look like a routing problem if the interfaces are misconfigured

Watch out for

Common NAT and PAT exam traps

  • PAT allows many inside hosts to share one public address by using port numbers.
  • NAT rules depend on correct inside and outside interface configuration.
  • The ACL used for NAT identifies traffic to translate; it is not always a security filtering ACL.
  • Static NAT maps one private address to one public address, while PAT overloads translations.

Practice set

NAT and PAT questions

20 questions · select your answer, then reveal the explanation

Question 1mediummultiple choice
Read the full NAT/PAT explanation →

A network engineer is troubleshooting connectivity from a host inside a corporate network to a public web server. The host has IP 10.1.1.10/24, and the router's outside interface is 203.0.113.1/24. The engineer configured a dynamic NAT pool (203.0.113.10-203.0.113.20) and an access list permitting 10.1.1.0/24. However, traffic from the host fails. A 'show ip nat translations' reveals no translations. What is the most likely cause?

Question 2mediummultiple choice
Read the full NAT/PAT explanation →

A network engineer is troubleshooting PAT (overload) on a Cisco router. The inside network uses 192.168.1.0/24, and the outside interface has IP 198.51.100.1. The engineer configured 'ip nat inside source list 1 interface GigabitEthernet0/0 overload'. Traffic from inside hosts works initially, but after a few minutes, new connections fail. 'Show ip nat translations' shows many entries with the same outside global IP but different ports. 'Show ip nat statistics' indicates that the number of translations is near 500. What is the most likely cause?

Question 3hardmultiple choice
Read the full NAT/PAT explanation →

An engineer configures static NAT on a router to map a public IP 203.0.113.5 to an internal server 10.0.0.5. The configuration includes 'ip nat inside source static 10.0.0.5 203.0.113.5'. The server is reachable from the outside, but the server cannot initiate connections to the outside network. 'Show ip nat translations' shows the static entry. What is the most likely cause?

Question 4hardmultiple choice
Read the full NAT/PAT explanation →

A network engineer is troubleshooting NAT for a VoIP phone that uses SIP. The phone is at 192.168.2.10, and the router performs PAT to the outside interface 198.51.100.1. The phone can register with the SIP server, but calls fail after 30 seconds. The engineer notices that the SIP signaling includes the phone's private IP in the SDP body. What is the most likely cause?

Question 5mediummultiple choice
Study the full ACL explanation →

An engineer configures NAT on a router with 'ip nat inside source list 1 interface GigabitEthernet0/0 overload'. The inside hosts are 10.0.0.0/24, and the outside interface is 203.0.113.1. Traffic works for most hosts, but one host at 10.0.0.50 cannot access the internet. 'Show ip nat translations' shows no entry for this host. 'Show access-lists' shows ACL 1 permits 10.0.0.0 0.0.0.255. What is the most likely cause?

Question 6hardmultiple choice
Read the full VPN explanation →

A network engineer is troubleshooting NAT for a VPN tunnel. The router has a static NAT rule 'ip nat inside source static 10.0.0.10 203.0.113.10' for a server. The VPN traffic from the remote site to 203.0.113.10 is being NATed to 10.0.0.10, but the return traffic from the server to the remote site is not being translated back. The engineer sees that the server sends packets with source 10.0.0.10 to the remote site's public IP. What should the engineer do to fix this?

Question 7mediummultiple choice
Study the full ACL explanation →

An engineer configures NAT overload on a router. The inside network uses 172.16.0.0/16, and the outside interface is 198.51.100.1. The engineer uses 'ip nat inside source list 1 interface GigabitEthernet0/0 overload'. ACL 1 permits 172.16.0.0 0.0.255.255. Traffic works, but the engineer notices that the router's CPU utilization is high, and 'show ip nat translations' shows thousands of entries. What is the most likely cause?

Question 8hardmultiple choice
Study the full ACL explanation →

A network engineer is troubleshooting NAT for a web server that is reachable from the internet via a static NAT mapping 203.0.113.20 to 10.0.0.20. The server responds to HTTP requests, but the engineer cannot SSH to the server from the internet. 'Show ip nat translations' shows the static entry. The router's ACL on the outside interface permits TCP port 22 to 203.0.113.20. What is the most likely cause?

Question 9mediummultiple choice
Read the full NAT/PAT explanation →

An engineer configures NAT on a router with 'ip nat inside source list 1 pool POOL overload' where POOL contains 203.0.113.1-203.0.113.5. The inside hosts are 10.0.0.0/24. Traffic works, but the engineer notices that some hosts are assigned the same public IP and port, causing conflicts. 'Show ip nat translations' shows entries with the same inside global IP and port for different inside local hosts. What is the most likely cause?

Question 10mediummultiple choice
Study the full ACL explanation →

A network engineer runs the following command on Router R1:

R1# show ip nat translations

Pro Inside global Inside local Outside local Outside global --- 192.0.2.10 10.0.0.10 --- --- --- 192.0.2.11 10.0.0.11 --- --- --- 192.0.2.12 10.0.0.12 --- ---

R1# show ip nat statistics

Total active translations: 3 (0 static, 3 dynamic; 3 extended) Outside interfaces: GigabitEthernet0/1 Inside interfaces: GigabitEthernet0/0 Hits: 45 Misses: 0 CEF Translated packets: 45, CEF Punted packets: 0 Expired translations: 0 Dynamic mappings: -- Inside Source

[Id] ip nat pool POOL1 192.0.2.10 192.0.2.20 netmask 255.255.255.240

refcount 3 map-id 1 overload

[Id] ip nat inside source list ACL1 pool POOL1 overload

refcount 3

Based on this output, which statement is correct?

Question 11hardmultiple choice
Study the full ACL explanation →

A network engineer runs the following command on Router R1:

R1# show ip nat translations

Pro Inside global Inside local Outside local Outside global udp 192.0.2.10:1234 10.0.0.10:1234 203.0.113.5:53 203.0.113.5:53 tcp 192.0.2.10:5678 10.0.0.10:5678 198.51.100.20:80 198.51.100.20:80 --- 192.0.2.11 10.0.0.11 --- ---

R1# show ip nat statistics

Total active translations: 3 (0 static, 3 dynamic; 3 extended) Outside interfaces: GigabitEthernet0/1 Inside interfaces: GigabitEthernet0/0 Hits: 100 Misses: 0 CEF Translated packets: 100, CEF Punted packets: 0 Expired translations: 0 Dynamic mappings: -- Inside Source

[Id] ip nat pool POOL1 192.0.2.10 192.0.2.20 netmask 255.255.255.240

refcount 3 map-id 1 overload

[Id] ip nat inside source list ACL1 pool POOL1 overload

refcount 3

Based on this output, what is the problem?

Question 12mediummultiple choice
Study the full ACL explanation →

A network engineer runs the following command on Router R1:

R1# show ip nat translations

Pro Inside global Inside local Outside local Outside global --- 192.0.2.10 10.0.0.10 203.0.113.5 203.0.113.5 --- 192.0.2.11 10.0.0.11 203.0.113.5 203.0.113.5

R1# show ip nat statistics

Total active translations: 2 (0 static, 2 dynamic; 0 extended) Outside interfaces: GigabitEthernet0/1 Inside interfaces: GigabitEthernet0/0 Hits: 20 Misses: 0 CEF Translated packets: 20, CEF Punted packets: 0 Expired translations: 0 Dynamic mappings: -- Inside Source

[Id] ip nat pool POOL1 192.0.2.10 192.0.2.20 netmask 255.255.255.240

refcount 2 map-id 1

[Id] ip nat inside source list ACL1 pool POOL1

refcount 2

Based on this output, which statement is correct?

Question 13easymultiple choice
Read the full NAT/PAT explanation →

A network engineer runs the following command on Router R1:

R1# show ip nat translations

Pro Inside global Inside local Outside local Outside global --- 192.0.2.10 10.0.0.10 --- ---

R1# show ip nat statistics

Total active translations: 1 (1 static, 0 dynamic; 0 extended) Outside interfaces: GigabitEthernet0/1 Inside interfaces: GigabitEthernet0/0 Hits: 5 Misses: 0 CEF Translated packets: 5, CEF Punted packets: 0 Expired translations: 0

Based on this output, which statement is correct?

Question 14hardmultiple choice
Study the full ACL explanation →

A network engineer runs the following command on Router R1:

R1# show ip nat translations

Pro Inside global Inside local Outside local Outside global tcp 192.0.2.10:80 10.0.0.10:80 203.0.113.5:12345 203.0.113.5:12345 tcp 192.0.2.10:80 10.0.0.11:80 203.0.113.5:67890 203.0.113.5:67890

R1# show ip nat statistics

Total active translations: 2 (0 static, 2 dynamic; 2 extended) Outside interfaces: GigabitEthernet0/1 Inside interfaces: GigabitEthernet0/0 Hits: 50 Misses: 0 CEF Translated packets: 50, CEF Punted packets: 0 Expired translations: 0 Dynamic mappings: -- Inside Source

[Id] ip nat inside source list ACL1 interface GigabitEthernet0/1 overload

refcount 2

Based on this output, what is the problem?

Question 15mediummultiple choice
Study the full ACL explanation →

A network engineer runs the following command on Router R1:

R1# show ip nat translations

Pro Inside global Inside local Outside local Outside global --- 192.0.2.10 10.0.0.10 --- --- --- 192.0.2.11 10.0.0.11 --- ---

R1# show ip nat statistics

Total active translations: 2 (0 static, 2 dynamic; 0 extended) Outside interfaces: GigabitEthernet0/1 Inside interfaces: GigabitEthernet0/0 Hits: 0 Misses: 10 CEF Translated packets: 0, CEF Punted packets: 0 Expired translations: 0 Dynamic mappings: -- Inside Source

[Id] ip nat pool POOL1 192.0.2.10 192.0.2.20 netmask 255.255.255.240

refcount 2 map-id 1

[Id] ip nat inside source list ACL1 pool POOL1

refcount 2

Based on this output, what is the problem?

Question 16hardmultiple choice
Study the full ACL explanation →

A network engineer runs the following command on Router R1:

R1# show ip nat translations

Pro Inside global Inside local Outside local Outside global --- 192.0.2.10 10.0.0.10 --- --- --- 192.0.2.11 10.0.0.11 --- --- --- 192.0.2.12 10.0.0.12 --- --- --- 192.0.2.13 10.0.0.13 --- --- --- 192.0.2.14 10.0.0.14 --- --- --- 192.0.2.15 10.0.0.15 --- --- --- 192.0.2.16 10.0.0.16 --- --- --- 192.0.2.17 10.0.0.17 --- --- --- 192.0.2.18 10.0.0.18 --- --- --- 192.0.2.19 10.0.0.19 --- --- --- 192.0.2.20 10.0.0.20 --- ---

R1# show ip nat statistics

Total active translations: 11 (0 static, 11 dynamic; 0 extended) Outside interfaces: GigabitEthernet0/1 Inside interfaces: GigabitEthernet0/0 Hits: 200 Misses: 0 CEF Translated packets: 200, CEF Punted packets: 0 Expired translations: 0 Dynamic mappings: -- Inside Source

[Id] ip nat pool POOL1 192.0.2.10 192.0.2.20 netmask 255.255.255.240

refcount 11 map-id 1

[Id] ip nat inside source list ACL1 pool POOL1

refcount 11

Based on this output, what is the problem?

Question 17mediummultiple choice
Study the full ACL explanation →

A network engineer runs the following command on Router R1:

R1# show ip nat translations

Pro Inside global Inside local Outside local Outside global --- 192.0.2.10 10.0.0.10 --- ---

R1# show ip nat statistics

Total active translations: 1 (0 static, 1 dynamic; 0 extended) Outside interfaces: GigabitEthernet0/1 Inside interfaces: GigabitEthernet0/0 Hits: 0 Misses: 0 CEF Translated packets: 0, CEF Punted packets: 0 Expired translations: 0 Dynamic mappings: -- Inside Source

[Id] ip nat pool POOL1 192.0.2.10 192.0.2.20 netmask 255.255.255.240

refcount 1 map-id 1

[Id] ip nat inside source list ACL1 pool POOL1

refcount 1

Based on this output, what is the problem?

Question 18easymultiple choice
Study the full ACL explanation →

A network engineer runs the following command on Router R1:

R1# show ip nat translations

Pro Inside global Inside local Outside local Outside global udp 192.0.2.10:10000 10.0.0.10:10000 203.0.113.5:53 203.0.113.5:53 udp 192.0.2.10:10001 10.0.0.11:10000 203.0.113.5:53 203.0.113.5:53 udp 192.0.2.10:10002 10.0.0.12:10000 203.0.113.5:53 203.0.113.5:53

R1# show ip nat statistics

Total active translations: 3 (0 static, 3 dynamic; 3 extended) Outside interfaces: GigabitEthernet0/1 Inside interfaces: GigabitEthernet0/0 Hits: 150 Misses: 0 CEF Translated packets: 150, CEF Punted packets: 0 Expired translations: 0 Dynamic mappings: -- Inside Source

[Id] ip nat inside source list ACL1 interface GigabitEthernet0/1 overload

refcount 3

Based on this output, which statement is correct?

Question 19mediummultiple choice
Read the full NAT/PAT explanation →

Consider the following partial configuration on a Cisco IOS-XE router:

interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside

!

interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 ip nat outside

!

ip nat inside source list 1 interface GigabitEthernet0/1 overload
access-list 1 permit 192.168.1.0 0.0.0.255

What is the effect of this configuration?

Question 20mediummultiple choice
Read the full NAT/PAT explanation →

Given this partial configuration:

ip nat pool MYPOOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
ip nat inside source list 1 pool MYPOOL
access-list 1 permit 192.168.1.0 0.0.0.255

What is the effect?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused NAT and PAT sessions

Start a NAT and PAT only practice session

Every question in these sessions is drawn from the NAT and PAT domain — nothing else.

Related practice questions

Related 300-410 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the 300-410 exam test about NAT and PAT?
NAT questions usually test how private addresses are translated, when to use static NAT, dynamic NAT or PAT, and how inside/outside interfaces affect traffic flow.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just NAT and PAT questions in a focused session?
Yes — the session launcher on this page draws every question from the NAT and PAT domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other 300-410 topics?
Use the topic links above to move to related areas, or go back to the 300-410 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the 300-410 exam covers. They are not copied from any real exam or dump site.