
Nat Sim

June 24th, 2011 in LabSim


A network associate is configuring a router for the Weaver company to provide internet access. The ISP has provided the company six public IP addresses of The company has 14 hosts that need to access the internet simultaneously. The hosts in the company LAN have been assigned private space addresses in the range of –

The following have already been configured on the router:

- The basic router configuration
- The appropriate interfaces have been configured for NAT inside and NAT outside
- The appropriate static routes have also been configured (since the company will be a stub network, no routing protocol will be required.)
- All passwords have been temporarily set to “cisco”



Note: If you are not sure about NAT or Access list, you can read my NAT tutorial and Access-list tutorial.

The company has 14 hosts that need to access the internet simultaneously but we just have 6 public IP addresses from to Therefore we have to use NAT overload (or PAT).

Double click on the Weaver router to open it:

configure terminal

First you should change the router’s name to Weaver

Router(config)#hostname Weaver

Create a NAT pool of global addresses to be allocated with their netmask.

Weaver(config)#ip nat pool mypool netmask

Create a standard access control list that permits the addresses that are to be translated

Weaver(config)#access-list 1 permit

Establish dynamic source translation, specifying the access list that was defined in the prior step

Weaver(config)#ip nat inside source list 1 pool mypool overload

This command translates all source addresses that pass access list 1, which means a source address from to, into an address from the pool named mypool (the pool contains addresses from to

The overload keyword allows multiple IP addresses to be mapped to a single registered IP address (many-to-one) by using different ports.
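The three commands above can be derived and checked mechanically. The Python below is an added example, not code from the original post: it builds the pool, ACL and translation lines from a first and last address, tests which sources the wildcard matches, and models port sharing under overload. The addresses (10.10.10.17 to 10.10.10.30 inside, 203.0.113.97 to 203.0.113.102 for the pool) are constructed stand-ins for the lab's values, all function and class names are this example's own, and the port allocator is a simplified assumption rather than IOS's exact behaviour.

```python
import ipaddress
import itertools

def enclosing_subnet(first, last):
    """Smallest single subnet that contains both addresses."""
    net = ipaddress.ip_network(f"{first}/32")
    while ipaddress.ip_address(last) not in net:
        net = net.supernet()
    return net

def nat_config(in_first, in_last, pool_first, pool_last, pool="mypool", acl=1):
    """Build the three configuration lines of this lab from two address ranges."""
    inside = enclosing_subnet(in_first, in_last)
    outside = enclosing_subnet(pool_first, pool_last)
    return [
        f"ip nat pool {pool} {pool_first} {pool_last} netmask {outside.netmask}",
        f"access-list {acl} permit {inside.network_address} {inside.hostmask}",
        f"ip nat inside source list {acl} pool {pool} overload",
    ]

def wildcard_match(addr, base, wildcard):
    """Wildcard test: bits set in the wildcard are ignored, all others must equal the base."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

class Pat:
    """Simplified overload model (assumption, not IOS's exact allocator): keep the
    source port if it is free, otherwise take the next free port, and move to the
    next pool address only when the current one has no ports left."""

    def __init__(self, pool_first, pool_last, acl_base, acl_wildcard,
                 ports=range(1024, 65536)):
        lo, hi = (int(ipaddress.ip_address(x)) for x in (pool_first, pool_last))
        self.pool = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
        self.acl = (acl_base, acl_wildcard)
        self.ports = ports
        self.out = {}    # (inside local ip, port) -> (inside global ip, port)
        self.back = {}   # reverse table, used for return traffic

    def translate(self, src_ip, src_port):
        if not wildcard_match(src_ip, *self.acl):
            return None                      # not permitted by the ACL: no translation
        key = (src_ip, src_port)
        if key in self.out:
            return self.out[key]             # an existing flow reuses its entry
        for gip in self.pool:
            for port in itertools.chain([src_port], self.ports):
                if (gip, port) not in self.back:
                    self.out[key] = (gip, port)
                    self.back[(gip, port)] = key
                    return gip, port
        raise RuntimeError("pool and ports exhausted")

    def inbound(self, gip, port):
        """Inside host for a returning packet, or None when no entry exists."""
        return self.back.get((gip, port))

def demo(ports=range(1024, 65536)):
    """14 constructed hosts (.17 to .30) all use source port 1025 at the same time."""
    pat = Pat("203.0.113.97", "203.0.113.102", "10.10.10.16", "0.0.0.15", ports)
    hosts = [f"10.10.10.{n}" for n in range(17, 31)]
    return pat, [pat.translate(h, 1025) for h in hosts]

if __name__ == "__main__":
    for line in nat_config("10.10.10.17", "10.10.10.30", "203.0.113.97", "203.0.113.102"):
        print(line)
    pat, entries = demo()
    for host_n, (gip, port) in zip(range(17, 31), entries):
        print(f"10.10.10.{host_n}:1025 -> {gip}:{port}")
```

With the default port range all 14 hosts share the first pool address, each on its own port. The wildcard 0.0.0.15 also matches .16 and .31, the network and broadcast addresses of the /28, so the ACL covers 16 addresses for 14 hosts.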

The question said that appropriate interfaces have been configured for NAT inside and NAT outside statements. This is how to configure the NAT inside and NAT outside, just for your understanding:

Weaver(config)#interface fa0/0
Weaver(config-if)#ip nat inside
Weaver(config-if)#exit
Weaver(config)#interface s0/0
Weaver(config-if)#ip nat outside
Weaver(config-if)#end

Finally, save all your work with the following command:

Weaver#copy running-config startup-config

Check your configuration by going to “Host for testing” and type:


The ping should work well and you will be replied from

You can download this sim and practice with Packet Tracer here: http://www.9tut.com/download/9tut.com_CCNA_NAT_sim_question.zip

(Notice: you can find other NAT Sim Question here)

Other lab-sims in ICND2 Exam:

VTP SIM (on 9tut.com)

EIGRP Lab sim (on 9tut.com)

Other lab-sims might appear in the real ICND 2 exam, read and understand them if you have enough time!

  1. noname
    October 29th, 2012

    For this problem, I believe something is missing: a default route.
    ip route

  2. creative me
    October 30th, 2012

    Is there a lab simulation for this on 9tut (I mean as a Packet Tracer file or something)?


  3. creative me
    October 30th, 2012

    Hi, I tried creating this lab in Packet Tracer, but I am not able to ping from the “host for testing” - it says request timed out.
    I have read the comments and someone had advised to use a static route on the ISP router - I gave the command
    ip route serial 0/0/1

    but still am unable to ping :( Any help 9tut ?

  4. creative me
    October 30th, 2012

    @ 9tut - in the exam - the points are given only if the ping is successful? Or even without the ping being unsuccessful?

  5. creative me
    November 2nd, 2012

    Can u provide a lab simulation for this question pls . I have an exam in 3 days

  6. creative me
    November 3rd, 2012

    @ no name- even i think that a default route to should exist- 9tut ,any comments on this ?

    ip route

    that is how it will ping the IP

  7. creative me
    November 3rd, 2012

    have a doubt :in the Last step in the SIM- :
    shouldnt to verify , the host should use a ping to any of the public ip address , in the pool to

  8. Shariq
    November 3rd, 2012

    @creative me and no name
    Default route is required for corporate networks’ internal routers.
    It is not required on the router where NAT is applied.
    However a static route may be implemented on the ISP router or the use of BGP both of which are not in the scope of CCNA.

  9. 9tut
    November 3rd, 2012

    @creative me: the points are given only if the ping is successful.

  10. test_taker
    November 7th, 2012

    So to get *full credit* you *must* issue a ping, whether you have a perfect config?

  11. creativeme
    November 9th, 2012

    @ test taker- do u have a sim already created for this config?

  12. 9tut
    November 12th, 2012

    @test_taker: No, if the config is correct you’ll get full points. But why don’t you make a ping to check again? A successful ping guarantees your configuration is correct.

  13. trextaz
    November 12th, 2012

    Can someone send me PLEASE PLEASE PLEASE this sim to trextony@hotmail.com.

    My exams are tomorrow and I’m worried

  14. Edge
    November 12th, 2012

    trextaz.. You needed to go to the “OTHER” NAT page to D/L the Nat sim.. Here is the Link..
    http://www.9tut.com/52-ccna-nat-sim-question. it is downloadable,, and works fine.

  15. Noor
    November 13th, 2012

    I will have exam tomorrow I am worried

  16. Matt
    November 29th, 2012

    Can somebody explain this line in the simulation to me? I just want to check my knowledge
    How did we get that 16 how did we get 16??? wild mask is
    255-248=15 so it is 255=0 wild mask=
    I don’t understand how did we get this ip:

    Weaver(config)#access-list 1 permit



  17. Andy
    November 29th, 2012

    is the network number and the subnet is not 248. 255-140=15 so the wildcard is

    Does that help?

  18. Skogen
    November 30th, 2012

    So that part of task in assignment The company has 14 hosts that need to access the internet simultaneously
    I need to ask myself which subnet mask gives me 14 hosts???
    answer: increment of 240=16 range 0-16usable hosts 1-15 and in this range there are our 14 hosts that need to access the internet simultaneously. so that is subnet and subnet address
    this line provides me subnetting answer
    inside local addresses - – subnet of this range is mask 255-240=16
    Weaver(config)#access-list 1 permit

    Am I correct???????



  19. Another guy’s comments
    December 1st, 2012

    Something does not make sense here. Why if the inside global is 198.18.184.X the ip of the S0/0 interface is 192.0.2.X ?

    This lab won’t work at all, for NAT to work like it should one interface has to be configured with at least one IP address from the – range..

    The Interfaces are also NOT configured for NAT in the pkt lab..

  20. Rocio
    December 9th, 2012

    The quickest way to understand subnetting is that subnetting is a binary AND operation of all the octets in your IP address with the subnet mask. Subnet binary 255 (11111111) always allows the octet to pass thru and becomes the same number in the network address. Performing an AND operation if the mask octet is less than 255 will yield a consistent number that will become the lowest number of the network address octet. A smaller mask octet number will yield a wider network range for the chosen IP address, and this number range is 256 minus the mask octet. For example, a mask of will yield a 2 x 255 address range for the chosen IP address. Lowest number in the range is the network address and the highest is the broadcast address.

  21. Rasronn
    January 2nd, 2013

    Guys, for the access list I have BUT here it says 0.0.015. Why do they have a 16 and not a 17 in the summary address?? Pliz help. Thanx

  22. firstmode
    January 3rd, 2013

    I take my ICND 2 tomorrow at 6:15pm! I will let you guys know what SIMs I run into!

  23. Lumious
    January 6th, 2013

    If anyone can send me the SIMs please send it to the following if possible:

  24. Lumious
    January 6th, 2013

    Anyone have any information on the FRAME RELAY SIM that everyone is talking about that is on the exam?

  25. Lumious
    January 8th, 2013

    To: Firstmode
    - Any update on what SIMS you had on your exam you took recently? Is anyone seeing any CCNA material SIMS on the ICND2 exam?

  26. Rocko
    January 8th, 2013

    @Rasronn…You have as the NETWORK address, but the first HOST address is

    Your total addresses (including NETWORK and BROADCAST are: – but you can only use – as HOST addresses.

  27. Husky
    January 16th, 2013

    can some one please email me the latest dump on this email address: Iron15Mike@yahoo.com
    I am sitting for CCNA this february , any tips would be huge

    Thank You

  28. somebody
    January 22nd, 2013

    try this on the isp router: ip route s0/1

  29. Mustafa
    January 24th, 2013
  30. invisible
    January 25th, 2013

    Can mypool be substituted for anything, like call it test rather than mypool? 9tut?

  31. 9tut
    January 27th, 2013

    @invisible: Of course, you can use another name for it.

  32. Rasronn
    February 2nd, 2013

    Hey Guys, this SIM was on my ICND2 exam yesterday together with the Frame Relay multinational SIM

  33. Hockeycoach
    February 8th, 2013

    Where can I download this and the other five sims? Thanks for your answers and help. Greets from Germany

  34. Cool
    February 9th, 2013

    Rasronn January 2nd, 2013 Guys, for the access list I have BUT here it says 0.0.015. Why do they have a 16 and not a 17 in the summary address?? Pliz help. Thanx
    Answer: the address range is thru with the prefix 28.
    The prefix tells us that the address space is to be incremented by 16. Thus, the addresses thru 30 are included in the subnet allowing for addresses thru 30 as part of the subnet. Therefore, we have to specify the subnet which in this case is
    With the prefix 28 we get the netmask which is equal to the wild mask because 240 +15 = 255. That is why we configured the ACL as:
    access-list 1 permit
    Hope this helps.

  35. Cool
    February 9th, 2013

    Lumious January 6th, 2013 Anyone have any information on the FRAME RELAY SIM that everyone is talking about that is on the exam?
    Look here,

  36. Bart
    March 7th, 2013

    9tut – please clarify your packet tracer. Not even your “answer” is correct. It’s not forwarding outside router. Gateway of last resort is not set – could this be an issue? Let us know!

  37. Anonymous
    March 24th, 2013

    Hi 9tut, my question – why do we have to apply NAT on 2 interfaces? I think 1 will be sufficient. In my case i will apply it at s0/0. Hope for your kind clarification on this. thanks.

  38. asif
    April 5th, 2013

    could anyone please give me the link of FRame Relay sim, i would be thankful to you.

  39. Anonymous
    April 5th, 2013

    If you ping to, as in your outside serial interface after configuring NAT, it is successful, and doing a sh ip nat translations shows the NAT working, the problem is with the router between the router and the ISP, I imagine it can’t ping back from the ISP, you would need a static route on it.

  40. Anonymous
    April 5th, 2013

    My mistake it works fine, make sure you have the netmask on the public pool as .248

  41. Ruth
    April 8th, 2013

    I cannot ping the ISP. Please what am I doing wrong. I configured a default route on weaver ie but I am not able to ping. I will appreciate any help.

  42. Ruth
    April 13th, 2013

    Please can someone tell me what static routes are used in Weaver router and the ISP because I still cannot ping from the test PC. When I did show frame-relay lmi, it shows that the number of messages sent is higher than messages received and the timeout = 16 so I know there is something wrong.

  43. Clara
    April 15th, 2013

    Guys, it is the IP addresses that are wrong …
    No static route is needed, only the pool addresses are wrong.

  44. Johan
    April 22nd, 2013

    Can i put access-list 1 permit instead?

  45. Derek
    May 4th, 2013


    No, you must use Reason being is that you must use the correct block size.

    The addresses the hosts are using are part of the subnet. By using the wildcard, you effectively identify all the addresses from – (but .31 is the broadcast address and is unusable).

  46. Mistro50
    May 29th, 2013

    Thanks for the Frame-Relay SIM

  47. drmrkam
    June 3rd, 2013

    Can’t ping, can anybody say why?

  48. Fred Durst
    June 24th, 2013

    Cannot ping from a host computer because I’m pretty sure the ISP Router doesn’t know about the network, it only knows about the networks that are directly connected. I wasn’t about to get into the ISP router to verify though. Bad password?

  49. Chokshi
    June 27th, 2013

    It works fine. You need to configure Nat inside and outside on proper interface.

  50. Chokshi
    June 27th, 2013

    Here is the ping result from Test host. First time it didn’t work. I checked the running config and found out in and out mapping was missing.
    If you want to succeed in a real job, start troubleshooting.
    Passing by doing dumps is not going to take you too far. They are just to test yourself and practice.

    Packet Tracer PC Command Line 1.0

    Pinging with 32 bytes of data:

    Reply from bytes=32 time=43ms TTL=254
    Reply from bytes=32 time=10ms TTL=254
    Reply from bytes=32 time=16ms TTL=254
    Reply from bytes=32 time=20ms TTL=254

    Ping statistics for
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 10ms, Maximum = 43ms, Average = 22ms


  51. Elmersk!
    July 21st, 2013

    I think there is a default route or static route configured in the ISP router back to Weaver. With that, the given configuration in the Weaver router will be enough to have the ping successful.

    >>>> try to put this in your ISP router>>>
    ip route

  52. Josep
    July 23rd, 2013

    This Sim is excellent. Works just fine

  53. Anonymous
    July 24th, 2013

    Anyone got CCNa sims while taking ICND2?

  54. Thyreme
    August 11th, 2013

    It works perfect. Thnx 9tut. God bless you

  55. Andy
    August 14th, 2013

    On the lab it says inside and outside have been configured, but they haven’t. Good practice to input those commands anyways :)

  56. aaaa
    August 17th, 2013

    For ACL wildcard is another option also.
    Wildcard is range.
    we have 14 hosts started from to
    So for subnet /28 wildcard mask will be
    but this will involve also an unusable ip address and
    in our case we need a range from .17 to .30


    Address and wild card mask for ACL will be:

    Weaver(config)#access-list 1 permit

  57. aaaa
    August 17th, 2013

    Something more.
    Be careful to not make a mistake with the mask that is defined at the pool.

    Weaver(config)#ip nat pool mypool netmask
    What subnet mask do we use here? It is the subnet mask of our outside interface. So check the mask on interface s0/0, which is our outside interface in our case.

  58. bbbb
    August 21st, 2013

    I might agree about default route, but the question states:

    ” – The appropriate static routes have also been configured ”

    So is it really needed?

  59. bbbb
    August 21st, 2013

    Additionally, ISP router has to have a route back to Weaver to return ICMP messages.

    Though I believe it’s ok to add default route just in case as noname stated.

  60. now-not-everything
    August 22nd, 2013

    In the lab example the part with the definition of the NAT interface is missing:
    Weaver(config)#interface fa0/0
    Weaver(config-if)#ip nat inside
    Weaver(config)#interface s0/0
    Weaver(config-if)#ip nat outside

    default route is not needed in that example

  61. Sameer
    August 31st, 2013
  62. Thyreme
    September 5th, 2013


    If we use then the mask will be
    but if we use then the mask will be =>
    (Increment 16) so: – 15 (1-14 used) (0 network, 15 broadcast) – 31 (17-30 used)

    September 11th, 2013

    To everyone that is having a problem with ping

    Most of you tried to use ip route on isp router.

    If you insert ip route on the ISP router. Without any NAT config, I can ping from my work station.

    If I use this command “ip nat inside source list 1 interface serial0/0 overload” then ping to works without using ip route on the ISP router.

  64. aaaa
    September 11th, 2013

    If we use then the mask will be
    This comment does not stand. we are talking for wildcard mask, wild card mask 0.0.13 is a range.
    wild card mask will allow all the range to

  65. sikson
    September 13th, 2013

    I have the exam on 26th, can anyone send me the latest icnd2 dumps please, sikadif@gmail.com

  66. Me
    September 13th, 2013


    …It’s so easy to find who’s learning by the book and who’s learning doing dumps…

    There is no need for a route on the ISP… Remember the traffic from the private comes NATed… so the ISP doesn’t need to know about the network, it will send the packets to the public IPs on the weaver router…

    We just need to configure a static default route in the weaver

  67. paolo
    September 13th, 2013

    @aaaa and 0.0.13 are not valid mask and wildcard mask.

  68. AccountingMan!
    September 15th, 2013

    Passed ICND2 today with 910. This sim was on my exam, unfortunately I did not answer the questions related to this sim because I thought the questions were going to be on the next screen. Too bad, but I passed the exam… Wouaooooooooooo

  69. Mira
    September 17th, 2013

    9 tut, what is the password for ISP router in your already set-up packetracer lab. Pwds cisco and admin don’t work. Just wondering what is in config ;)

  70. TrickedbyCisco
    September 19th, 2013

    Fail. Took the supposed ICND2 640-816 today and there was nothing like the material contained on this site. No VTP, No VLSM, No Drags and Drop (except 1, had Split Horizon), no ACL or NAT. It was all about SNMP and Netflow. 2 Different SIMS OSPF and EIGRP (not on this site or dump) A lot IPV6. I nailed ICND1 exam but this wasnt the test I prepared for. Please reply.

  71. cb
    September 19th, 2013

    TrickedbyCisco Are you sure you took 816. Maybe you took the new ICND2 that is out. There are currently two exams. 816 expires at the end of this month (September) but right now they are overlapping.

  72. TrickedbyCisco
    September 20th, 2013

    Yes. Didn’t know 200-100 was there already and Fail. 640-816 next Monday.

  73. Dan
    September 21st, 2013

    The password for the ISP router is : noway

  74. optimistic_tester1
    September 25th, 2013

    I take the exam again in a few hours.. for this SIM, if the sim says the interfaces are already configured, do we need to do the “ip nat inside” and “ip nat outside” commands?

  75. BCham88
    September 26th, 2013

    I take the 640-816 version of the exam today US. I know I am taking this version because I selected it with my very own eyes. I Have studied heavymod’s dump 1 time going through all the questions where the correct answers are highlighted, and then actually taking the entire exam for real without a time limit and seeing how well I do and every time i come up on a question that I feel at all nervous about getting incorrect because I did not understand it I came to 9 tut and studied every single question in the category that the question was based on. On top of this, CBT nuggets has great videos to allow you to see the configuring in action on specific areas like VTP and frame relay. And on top of that I have studied all 9tut has to offer, questions, lab sims, and actually reading and coming to understand the explanations for every single category that 9tut has to offer for this version of ICND part 2. I will be definitely giving feedback on my examination after I am home. It is ultimately up to you if you would like to use my study habits or not but it is a damn fine feeling to know that I have at least a good understanding of the knowledge areas required to pass the test.

  76. Router47
    October 3rd, 2013


    Couldn’t the access-list 1 permit just be for the general network…with a wildcard mask of

  77. Router47
    October 3rd, 2013

    …or even

    sorry i saw the CIDR for the inside local addresses is /28

    but that still doesn’t explain why has to be put in instead of

  78. Wazif
    October 15th, 2013

    Guys please email me this sim and also IPv6 if any. I’m on wazif@hotmail.com. Thanks

  79. Anonymous
    January 8th, 2014

    Adding a static route on the ISP , does work however the real issue is the subnet mask is incorrect on the PCs. It is in the simulation it’s marked as 240. I found it after I added the static route to the ISP. I confirmed the fix by deleting the static route and simulation works fine with the correct subnet mask .

  80. Blakesiy
    January 16th, 2014

    Please am about to recertify my CCNA i wrote 3 years ago, is ICND2 an alternative for me to write instead of registering for the whole CCNA test.

    NB: My deadline is so close and i have less time to prepare or a higher certification.

  81. curiosity
    February 11th, 2014

    The directions are wrong, that’s why there is no ping from a host to .114 :)
    Please find the correct one below:

    Weaver(config)#interface fa0/0
    Weaver(config-if)#ip nat outside
    Weaver(config)#interface s0/0
    Weaver(config-if)#ip nat inside

    Please correct me if I am wrong :)

  82. curiosity
    February 11th, 2014

    Ops, my bad…totally wrong….

  83. Janusz
    March 19th, 2014

    for this packet tracer lab you need to add

    Weaver(config)#interface fa0/0
    Weaver(config-if)#ip nat inside
    Weaver(config)#interface s0/0
    Weaver(config-if)#ip nat outside

  84. Ciscoita
    March 28th, 2014

    Anyone still getting this lab in the EXAM ICND 2 ?? Thanks guys i would really appreciate it if you tell me.

  85. Anthony
    April 8th, 2014

    All you have to do is reference Cisco’s own homepage to see what content is still on the exam:


    VTP, ACLs, and NAT have been completely removed.

  86. Day Day
    April 11th, 2014

    Anybody know how many sims on the icnd2 exam?

  87. Malik
    May 18th, 2014

    to make it run we have to add command,

    int fa0/0
    ip nat inside
    int se0/0
    ip nat outside

    once i put these commands my ping started working ..
    Thanks guys

  88. Malik
    May 26th, 2014

    just passed ICND2 few hours back with 920 marks only, EIGRP and Frame-relay Labs were there, NAT and OSPF Labs are no more in ICND2 i guess, but i had few questions about OSPF but no question of NAT … have fun guys …

  89. Reza
    May 31st, 2014

    I have Visual CertExam and VCE player but with none of them I can practice SIM and Drag and Drop questions, anybody have any idea about this problem? Do you have any software to practice simulation and drag and drop (not simple multi-choice) questions?
    I’ll appreciate your help.
    my email address: ghahremanlu@gmail.com
    Thanks in advance

  90. Andrew
    June 2nd, 2014

    According to ICND2 200-101 Exam Topics, NAT is not included. I think this sim is from the old ICND2 600-816 which does include NAT in the Exam Topics. Can anyone confirm this is a fact? Judging by most the comments on this website, they did not receive NAT sim in ICND2 200-101 Exam.

  91. Dylan
    July 15th, 2014

    I just did the sim and also could not ping. I then realised that even though it states that nat inside and outside have already been configured, i ran the show running-config and saw that it was not already configured. that is why you can not ping the isp

  92. Rob
    August 5th, 2014

    Here’s what I found in total -

    - The Router already has the host name
    - The IP NAT inside/outside is not configured. But for some reason if you discover this and add it later after the rest of the config is done it still does not work. I had to reload it from scratch putting the NAT inside/outside first.
    -The default route to the ISP is missing
    - Still a good lab though and all of this was a learning experience and Cisco will do worse on the exams

  93. acdan
    August 20th, 2014

    This network ** is defined NOWHERE else in your config files. Just using the config provided above you will not get this lab to work.

    To make NAT work with the config provided omit
    >> ip nat pool mypool netmask
    >> ip nat inside source list 1 pool mypool overload

    and instead add
    >> ip nat inside source list 1 interface serial 1/0 overload

    This will still accomplish you UNDERSTANDING what is happening here and allow you to see it work.
    >> show ip access

    IF you see this on the exam you will need to create a NAT pool based on the inside global addresses provided. I realize my solution DOES NOT meet the exam objective laid out. I provided this information to help those confused about why the ping does not work.

  94. mgerena
    September 7th, 2014

    Passed my CCNA today!!!! Thank U 9TUT!

  95. Anonymous
    October 8th, 2014

    The host (PC) have no ip address configurations

  96. ali
    October 20th, 2014

    first create access-list, nat, identify inside and outside your network and nat overload

    Pinging with 32 bytes of data:
    Reply from bytes=32 time=3ms TTL=254
    Reply from bytes=32 time=3ms TTL=254
    Reply from bytes=32 time=2ms TTL=254
    Reply from bytes=32 time=2ms TTL=254
    Ping statistics for
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 3ms, Average = 2ms

  97. E-man
    November 20th, 2014

    IP nat inside and outside are not configured on the interfaces :) and it says they are, but the answer shows you have to configure them….fix? :)

    Good lab though, thanks!

  98. Gidy
    November 23rd, 2014

    I just like the lab. has gave skills in my waiting for CCNA exam.

  99. Gidy
    November 23rd, 2014

    I just like the lab. It has gave skills in my waiting for CCNA exam.
