
ICND1 – NAT/PAT

June 11th, 2017 in ICND1 100-105

Note: If you are not sure about NAT/PAT, please read my Network Address Translation NAT Tutorial.

Question 1

Explanation

Port Address Translation (PAT) can support thousands of users connecting to the Internet using only one real global IP address. With PAT, each computer will be assigned a separate port number so that the router can identify which computer should receive the return traffic.

Question 2

Explanation

The keyword “overload” specifies we are using NAT Overload (PAT) in which multiple internal hosts will use only one IP address to access external network resources.

Question 3

Explanation

On the router interface that connects to the Internet, we have to use the command “ip nat outside” for NAT to work. It identifies that interface as the outside interface.

Question 4

Explanation

There are two types of NAT translation: dynamic and static.

Static NAT: Designed to allow one-to-one mapping between local and global addresses. This flavor requires you to have one real Internet IP address for every host on your network.

Dynamic NAT: Designed to map an unregistered IP address to a registered IP address from a pool of registered IP addresses. You don’t have to statically configure your router to map an inside to an outside address as in static NAT, but you do have to have enough real IP addresses for everyone who wants to send packets through the Internet. With dynamic NAT, you can configure the NAT router with more IP addresses in the inside local address list than in the inside global address pool. The router allocates registered public IP addresses from the inside global address pool until all are allocated. If all the public IP addresses are already allocated, the router discards the packet that requires a public IP address.

In this question we only want to translate a single inside address to a single outside address so static NAT should be used.
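The difference between a dynamic NAT pool that runs out and PAT sharing one address by port (Questions 1 and 4) can be modelled in a few lines. This is an added example, not part of the original page; the class names, the addresses and the "keep the source port if it is free" rule are assumptions of this simplified model.

```python
# Added illustration (not from the original page): simplified models of
# dynamic NAT and PAT. All addresses are constructed sample values.
class DynamicNat:
    """Each inside local address takes one inside global address from a pool."""

    def __init__(self, pool):
        self.free = list(pool)   # unallocated inside global addresses
        self.table = {}          # inside local -> inside global

    def translate(self, inside_local):
        if inside_local not in self.table:
            if not self.free:
                return None      # pool exhausted: the packet is discarded
            self.table[inside_local] = self.free.pop(0)
        return self.table[inside_local]


class Pat:
    """Many inside hosts share one inside global address, told apart by port."""

    def __init__(self, global_ip):
        self.global_ip = global_ip
        self.out = {}            # (local ip, local port) -> global port
        self.back = {}           # global port -> (local ip, local port)

    def translate(self, local_ip, local_port):
        key = (local_ip, local_port)
        if key not in self.out:
            port = local_port    # assumption: keep the source port if it is free
            while port in self.back:
                port += 1        # taken by another host: use the next free port
            self.out[key] = port
            self.back[port] = key
        return (self.global_ip, self.out[key])

    def return_traffic(self, global_port):
        # The port number tells the router which host receives the reply.
        return self.back.get(global_port)


def demo():
    hosts = ["10.1.1.7", "10.1.1.8", "10.1.1.17"]      # three inside hosts
    dyn = DynamicNat(["203.0.113.1", "203.0.113.2"])   # pool of only two addresses
    pat = Pat("203.0.113.1")                           # one shared address
    dyn_result = [dyn.translate(h) for h in hosts]
    pat_result = [pat.translate(h, 5000) for h in hosts]
    return dyn_result, pat_result, pat.return_traffic(5001)
```

With three hosts and a two-address pool, the third host gets no translation under dynamic NAT, while PAT serves all three from one address.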

Question 5

Explanation

When we specify a NAT “inside” interface (via the “ip nat inside” command under interface mode), we are specifying the source IP addresses. Later in the “ip nat” command under global configuration mode, we will specify the access list or route map for these source addresses.

For example the command:

Router(config)# ip nat inside source list 1 pool PoolforNAT

After the keyword “source” we need to specify one of three keywords:

+ list: specify access list describing local addresses (but this command does not require an “inside” interface to be configured)
+ route-map: specify route-map
+ static: specify static local -> global mapping

Question 6

Question 7

Question 8

Question 9

Explanation

After configuring all the requirements for NAT, we need to apply them to the “source” interface and the “outgoing” interface by going to the appropriate interfaces and typing the “ip nat inside” and “ip nat outside” commands.

Question 10

Question 11

Explanation

The command ip nat inside source list 90 interface ethernet 0/0 overload means:

+ “ip nat inside”: “I want to NAT from inside to outside”
+ “list 90” means “the source IP addresses to NAT are included in Access-list 90”
+ “interface ethernet 0/0” means “NAT out of this interface”
+ “overload” means “use PAT for the IP translation”

Question 12

Explanation

The “ip nat inside” command can be applied to an interface to indicate that this interface is the source side for NAT.

Question 13

Explanation

The outputs of the two commands “show ip nat statistics” and “show ip nat translation” are shown below:

Router#show ip nat statistics
Total active translations: 2 (0 static, 2 dynamic; 2 extended)
Peak translations: 3, occurred 5d04h ago
Outside interfaces:
  Serial1/0
Inside interfaces: 
  Ethernet0/1
Hits: 34531  Misses: 0
CEF Translated packets: 34526, CEF Punted packets: 0
Expired translations: 11
Dynamic mappings:
-- Inside Source
[Id: 1] access-list nat_traffic interface Serial1/0 refcount 2

Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
Router#show ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
icmp 201.15.3.5:628    10.1.1.7:628       201.15.3.17:628    201.15.3.17:628
icmp 201.15.3.5:629    10.1.1.7:629       201.15.3.6:629     201.15.3.6:629
icmp 201.15.3.5:610    10.1.1.8:610       201.15.3.17:610    201.15.3.17:610
icmp 201.15.3.5:611    10.1.1.8:611       201.15.3.6:611     201.15.3.6:611
icmp 201.15.3.5:727    10.1.1.17:727      201.15.3.17:727    201.15.3.17:727
icmp 201.15.3.5:728    10.1.1.17:728      201.15.3.6:728     201.15.3.6:728
icmp 201.15.3.5:633    10.1.1.21:633      201.15.3.17:633    201.15.3.17:633
icmp 201.15.3.5:634    10.1.1.21:634      201.15.3.6:634     201.15.3.6:634
icmp 201.15.3.5:480    10.2.2.1:480       201.15.3.17:480    201.15.3.17:480
icmp 201.15.3.5:481    10.2.2.1:481       201.15.3.6:481     201.15.3.6:481
icmp 201.15.3.5:840    10.10.123.2:840    201.15.3.17:840    201.15.3.17:840
icmp 201.15.3.5:841    10.10.123.2:841    201.15.3.6:841     201.15.3.6:841
icmp 201.15.3.5:578    10.10.123.3:578    201.15.3.17:578    201.15.3.17:578
icmp 201.15.3.5:579    10.10.123.3:579    201.15.3.6:579     201.15.3.6:579
icmp 201.15.3.5:595    192.168.1.1:595    201.15.3.17:595    201.15.3.17:595
icmp 201.15.3.5:596    192.168.1.1:596    201.15.3.6:596     201.15.3.6:596

From that we can see the correct answer should be “show ip nat statistics”.
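When the translation table has to be read in bulk, for example to attribute an inside global address and port seen in an outside log to the inside host behind it, the rows of “show ip nat translation” can be parsed directly. This is an added example, not part of the original page; the function names are hypothetical, and the sample rows (including the static row shown with “---”) are constructed in the layout shown above.

```python
# Added illustration (not from the original page): parse "show ip nat
# translation" rows and attribute an inside global ip:port to an inside host.
from collections import namedtuple

Entry = namedtuple(
    "Entry", "proto inside_global inside_local outside_local outside_global")

# Constructed sample: header, two PAT rows and one static row.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 201.15.3.5:628    10.1.1.7:628       201.15.3.17:628    201.15.3.17:628
icmp 201.15.3.5:610    10.1.1.8:610       201.15.3.17:610    201.15.3.17:610
--- 203.0.113.9        10.1.1.30          ---                ---
"""


def split_endpoint(text):
    """'201.15.3.5:628' -> ('201.15.3.5', 628); bare ip -> (ip, None); '---' -> None."""
    if text == "---":
        return None
    ip, sep, port = text.partition(":")
    return (ip, int(port) if sep else None)


def parse_translations(output):
    entries = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                      # header, prompt or blank line
        proto = None if fields[0] == "---" else fields[0]
        entries.append(Entry(proto, *map(split_endpoint, fields[1:])))
    return entries


def hosts_behind(entries, global_ip):
    """Inside local addresses sharing one inside global address (PAT if > 1)."""
    return sorted({e.inside_local[0] for e in entries
                   if e.inside_global and e.inside_global[0] == global_ip})


def attribute(entries, global_ip, global_port):
    """Inside host that owns this inside global ip:port, or None if no entry."""
    for e in entries:
        if e.inside_global == (global_ip, global_port):
            return e.inside_local[0]
    return None
```

Dynamic entries expire, so the table only answers for the moment it was captured.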

Question 14

Comments (38)
  1. CCENT Someday
    January 31st, 2014

    Anyone,

    I plan on taking exam next week. What other sims/labs did you get besides the OSPF 6 router?

    Thanks in Advance!

  2. punjab
    February 1st, 2014

    ccent someday how did the exam go?

  3. CCENT someday
    February 2nd, 2014

    haven’t taken it yet. This coming Thursday.

  4. DaveB
    February 5th, 2014

    I think the link to the tutorial is broken.

  5. andyh
    March 1st, 2014

    Passed CCENT Friday, did okay on questions, Sims ate up time.
    Know your SHOW commands!

  6. 9tut_Rulez
    March 30th, 2014

    Passed my ICND1 last Friday 28th 🙂
    – Lot of subnetting
    – OSPF (neighborships)
    – NAT & PAT
    You don’t need to configure, but you do need to troubleshoot
    SHOW commands are a must.
    Thanks 9tut and good luck to the rest of you 9tutters

  7. Fez
    April 8th, 2014

    @9tut_Rulez

    Do I need to learn STP, Vlan, VTP Configuration, Acl1 and Acl2??

  8. Fez
    April 8th, 2014

    Fez

    I meant for ICND 1 100-101 exam what topics should be learned. Do I need to know stp, vlan, vtp, NAT and pat configuration?

  9. dERP
    April 15th, 2014

    icnd2 kicks off with vlan trunking, stp, and vtp. there are multiple choice questions on the icnd1 regarding pat config and acls.

  10. fez
    April 15th, 2014

    Thanks derp

  11. fez
    April 24th, 2014

    Passed my 100-101 exam today and question2,3 were there.. all the best

  12. Daed
    May 2nd, 2014

    Took test today, all 3 were there.

  13. Manohar Tn
    May 16th, 2014

    Got 986/1000 Marks, {5/16/2014} 50 Questions, Ospf Sim, Security simlet, and Router and switch Simlet Was also there…..All questions From 9tut. and Examcollections…..Now Heading For Icnd2 And Blogging…..

    For Any Help.
    Manohar Tn
    Website: http://www.techlinko.com
    G+ : https://plus.google.com/u/0/+ManoharTN9/

  14. Tark
    August 1st, 2014

    These are the only NAT PAT questions seen on ICND1 exam?

  15. Oshikuru
    August 21st, 2014

    Not understanding question 1. It is assumed that a private network is using private ip addresses, which are not routable through the internet, therefore the router can keep the same address, though the second part of that answer seems correct.

    Maybe D?

  16. Oshikuru
    August 22nd, 2014

    sorry i was high. I get it now

  17. Saudi Mizer
    September 6th, 2014

    Took exam yesterday, all these questions were on it. Thanks 9tut

  18. Gabbie
    October 9th, 2014

    Hi, taking an exam in a week, if anyone can share with dumps I would be grateful! Cheers

  19. Yahia Tariq
    November 22nd, 2014

    Questions 1-2-3 were in exam on 20/11/2014, more than 45 questions were from 9tut !

  20. Ahmed
    March 28th, 2015

    q1, 2 and 3 in icnd1 exam

  21. Ranger
    March 30th, 2015

    Just passed with 92%.
    Around 20 plus questions from Tut9!

  22. Ronny
    April 4th, 2015

    Just passed at 01 April 2015 with 100 % score. question 1,2 and 3 were there!

  23. Gns3
    April 13th, 2015

    I’m with you, Oshi, private address won’t get routed thru the Internet. Unless by saying PAT, they are saying you are using NAT/PAT overload, in which case the private address does get changed to a valid registered address. My answer for that question would be E, it doesn’t get on the net. Not with a private address in the socket.

  24. Gns3
    April 13th, 2015

    Reading over again, and I can see why A would be right. Nothing is said about the computer actually getting onto the Internet, it just says what the router would do. Once the router sends the packet to the net, the next hop will drop the packet.

  25. Mundstick
    April 23rd, 2015

    My understanding of that question Gns3 is that the IP address it is referring to is the router’s public IP address. That is paired with a port number and the two together map to the private IP address of your PC.

    However seeing as I am only studying I could be completely wrong 🙂

  26. G-10
    April 26th, 2015

    Q 1,2,3 in exam

  27. Anonymous
    May 15th, 2015

    hi
    can any good samaritan send me the latest dumps please to gmboya12@yahoo.com

  28. 9tut
    July 13th, 2015

    @all: We had to move all the questions and answers out of 9tut. We can only keep the explanation. You can download the questions and answers at: https://mega.co.nz/#!oIdESYbD!yyu33vygrfKPy4rcmcbV6qW2fxINNoTokuDM3CjA_og

  29. help
    August 4th, 2015

    how many sims are there in the ICND1 exam?

  30. martyt
    April 25th, 2016

    I have a couple of questions I need answered how do I upload them here to this site?

  31. mike
    May 6th, 2016

    anyone tell me –
    I saw a question on the test about the Internet facing ….
    is it Global, outside… Inside, or something else.

    It was the very first question on the exam. I am not sure as it was a very generic question.
    I believe it was talking about the interface that was facing the Internet – Which is ip nat outside

    or what is the outside network called when facing the Internet – Which is Global ?

    If anyone knows the exact question or what I am talking about – please advise.

  32. Anonymous
    May 30th, 2016

    Hi everyone,
    Please need latest dumps IT11STUDENT11 AT GMAIL POINT COM

  33. Gmaxx
    December 28th, 2016

    Questions 1 and 2 were on the exam

  34. Anonymous
    February 8th, 2017

    When configuring NAT, the Internet interface is considered to be what?
    A. local
    B. inside
    C. global
    D. outside
    Answer: D
    Explanation
    On the interface connecting to the Internet of the router we have to use the command “ip nat outside”
    for NAT to work. It identifies that interface as the outside interface.

    How is this possible when learning about nat they give you definition about

                     ________
                    |  NAT   |
       Inside Local | Router | Inside Global    Outside Local/Global
                    |________|

  35. light
    February 16th, 2017

    @ 8 february 2017:
    answer D is the only correct one. The question specifies “When configuring NAT” so this is relevant only to the configuration.
    Furthermore it says “the Internet interface” the word interface specifies the NAT-interface configuration: there are only two possibilities:
    1) ip nat inside : specifies the interface connected to the network that is needing translation (local)
    and
    2) ip nat outside : specifies the interface connected to the network outside; usually the internet/ISP
    Hopefully this helps

  36. Anonymous
    February 28th, 2017

    NAT Configuration

    1 : Static Nat :

    (config): ip nat static “ local inside ip address “ “ Global outside ip address “
    (config): interface interface type port number
    (config-if):ip address ip address subnet mask
    (config-if):ip nat { inside | outside }

    2 : Dynamic Nat :

    (config): ip nat pool pool-name , pool range Netmask { netmask | prefix length }
    (config): access-list access list name Permit source { source-wildcard }
    (config): ip nat inside source list access-list-number pool pool name
    (config): interface interface type port number
    (config-if):ip address ip address subnet mask
    (config-if):ip nat { inside | outside }

    3 : PAT (Dynamic ) :

    (config): ip nat pool pool-name , pool range Netmask { netmask | prefix length }
    (config): access-list access list name Permit source { source-wildcard }
    (config): ip nat inside source list access-list-number pool pool name overload
    (config): interface interface type port number
    (config-if):ip address ip address subnet mask
    (config-if):ip nat { inside | outside }

    4: PAT (single address ) :

    (config): ip nat static “ local inside ip address “ “ Global outside ip address “
    (config): ip nat inside source list access-list-number interface interface type overload
    (config): interface interface type port number
    (config-if):ip address ip address subnet mask
    (config-if):ip nat { inside | outside }

    5: port forwarding

    P.F is the act of forwarding traffic addressed to a specific network port from one network node to another. This technique allows an external user to reach a port on a private IPv4 address from the outside, through a NAT-enabled router.
    Typically, peer-to-peer file-sharing programs and operations, such as web serving and FTP, require that router ports be forwarded or opened to allow these applications to work.

    **CONFIGURATION**

    Configuration is similar to PAT single address configuration .

    (config): ip nat inside source { static tcp |udp local-ip local port global-ip global port }
    [ extendable ]
    Note: The extendable option is applied automatically. The extendable keyword allows the user to configure several ambiguous static translations, where ambiguous translations are translations with the same local or global address. It allows the router to extend the translation to more than one port if necessary.
    Example :

    R (config): ip nat inside source static tcp 192.168.1.2 80 203.155.6.11 8080

    Local-ip : 192.168.1.2 local-port : 80
    Global-ip : 203.155.6.11 global-port : 8080

    ** NAT Verifying **

    1 : show ip nat statistic
    Displays information about the total number of active translations, NAT configuration parameters, the number of addresses in the pool and how many addresses have been allocated.

    2: show ip nat translation
    Displays the details of the two previous NAT assignments. The command displays all static translations that have been configured and any dynamic translations that have been created by traffic.

    3: Debug ip nat
    Displays operation of the NAT feature by displaying information about every packet that is translated by the router.

    4 : Show running-config
    Displays total information about ACL , NAT , …

    ** NAT Troubleshooting main steps **

    1: show ip nat translations
    2 : show ip nat statistic
    3 : show success-list

  37. KL
    August 23rd, 2017

    just put additional research about One-Way NAT
    link: https://learningnetwork.cisco.com/thread/63452

    to put it simply,
    One-Way NAT =PAT.
    Only the inside host can init the NAT, not the other way.

  38. edwa
    October 11th, 2017

    Can someone explain q6, why b? what do we use one-way NAT for?