CCNA NAT SIM Question

January 5th, 2014

Question

You are tasked to configure Internet access on a router. The ISP has provided the company six public IP addresses of 198.18.184.105 – 198.18.184.110. The company has 14 hosts that need to access the Internet simultaneously. The hosts in the company LAN have been assigned private space addresses in the range of 192.168.100.17 – 192.168.100.30.

The following have already been configured on the router:

– Router basic configuration
– Interfaces have been configured for NAT inside (Fa0/0) and NAT outside (s0/0)
– The appropriate static routes have also been configured
– All passwords have been temporarily set to “cisco”

Tasks:
+ Use NAT to provide Internet access to all hosts in the company LAN.
+ Name the router TUT
+ Inside global addresses: 198.18.184.105 – 198.18.184.110/29
+ Inside local addresses: 192.168.100.17 – 192.168.100.30/28
+ Number of inside hosts: 14

[Figure: NAT sim topology]

Solution

Note: If you are not sure how NAT & PAT work, please read my Network Address Translation NAT Tutorial. You can download this sim to practice here: http://juquitiba.sp.gov.br/?exams=download/9tut.com_CCNA_NAT_sim_question.zip

The CCNA Training company has 14 hosts that need to access the Internet simultaneously, but we have only 6 public IP addresses, from 198.18.184.105 to 198.18.184.110/29. Therefore we have to use NAT overload (or PAT).

Double click on the TUT router to open it

Router>enable
Router#configure terminal

First you should change the router’s name to TUT

Router(config)#hostname TUT

Create a NAT pool of global addresses to be allocated, with their netmask (/29 = 255.255.255.248). There were reports that the simulator in the real exam did not accept the “prefix-length” keyword, so you should use the “netmask” keyword.

TUT(config)#ip nat pool mypool 198.18.184.105 198.18.184.110 netmask 255.255.255.248

Create a standard access control list that permits the addresses that are to be translated

TUT(config)#access-list 1 permit 192.168.100.16 0.0.0.15

Establish dynamic source translation, specifying the access list that was defined in the prior step

TUT(config)#ip nat inside source list 1 pool mypool overload

This command translates all source addresses that pass access list 1, which means a source address from 192.168.100.17 to 192.168.100.30, into an address from the pool named mypool (the pool contains addresses from 198.18.184.105 to 198.18.184.110).

The overload keyword allows multiple IP addresses to be mapped to a single registered IP address (many-to-one) by using different ports.
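
How the many-to-one mapping works, as an added example that is not part of the original solution and not the router's own algorithm: a simplified Python model of a port-address-translation table for this pool. The class and function names, the port range and the port-selection policy are assumptions of this example.

```python
import ipaddress
from itertools import chain

class PatTable:
    """Simplified model of NAT overload (PAT), not a router's actual algorithm.

    Assumption: a flow keeps its source port if that port is free on the
    global address, otherwise it gets the next free port; one global address
    is filled before the next pool address is used.
    """
    def __init__(self, pool_start, pool_end, ports=range(1024, 65536)):
        first = int(ipaddress.ip_address(pool_start))
        last = int(ipaddress.ip_address(pool_end))
        self.pool = [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]
        self.ports = ports
        self.out = {}    # (inside local ip, port) -> (inside global ip, port)
        self.back = {}   # reverse lookup for return traffic

    def translate(self, local_ip, local_port):
        key = (local_ip, local_port)
        if key in self.out:                  # an existing flow keeps its entry
            return self.out[key]
        for global_ip in self.pool:
            for port in chain([local_port], self.ports):
                if (global_ip, port) not in self.back:
                    self.out[key] = (global_ip, port)
                    self.back[(global_ip, port)] = key
                    return global_ip, port
        raise RuntimeError("no free address/port pair left in the pool")

    def untranslate(self, global_ip, global_port):
        """Map return traffic to the inside host; None means no entry, so drop."""
        return self.back.get((global_ip, global_port))

def demo():
    """All 14 hosts open a flow from the same source port (constructed worst case)."""
    table = PatTable("198.18.184.105", "198.18.184.110")
    hosts = [f"192.168.100.{i}" for i in range(17, 31)]
    return table, [table.translate(h, 50000) for h in hosts]

if __name__ == "__main__":
    for (gip, gport), i in zip(demo()[1], range(17, 31)):
        print(f"192.168.100.{i}:50000 -> {gip}:{gport}")
```

In this model all 14 hosts fit on the first pool address, each distinguished only by its translated port, and return traffic without a table entry has nowhere to go.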

The question states that the appropriate interfaces have already been configured with the NAT inside and NAT outside statements.

This is how to configure the NAT inside and NAT outside, just for your understanding:

TUT(config)#interface fa0/0
TUT(config-if)#ip nat inside

TUT(config-if)#exit

TUT(config)#interface s0/0
TUT(config-if)#ip nat outside
TUT(config-if)#end

Finally, save all your work with the following command:

TUT#copy running-config startup-config

Check your configuration by going to “Host for testing” and typing:

C:\>ping 192.0.2.114

The ping should succeed, and you will receive replies from 192.0.2.114.
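
A way to check the three NAT lines of this solution before typing them, as an added example that is not part of the original solution: it parses the pool, ACL and binding lines and reports whether the pool fits its netmask, whether the wildcard covers the 14 hosts, and whether overload is present when hosts outnumber pool addresses. The function names and the dictionary keys are assumptions of this example.

```python
import ipaddress
import re

# The three NAT lines from the solution above, without the router prompt.
CONFIG = """\
ip nat pool mypool 198.18.184.105 198.18.184.110 netmask 255.255.255.248
access-list 1 permit 192.168.100.16 0.0.0.15
ip nat inside source list 1 pool mypool overload
"""
# Inside local hosts from the task: 192.168.100.17 - 192.168.100.30
INSIDE_HOSTS = [ipaddress.ip_address(f"192.168.100.{i}") for i in range(17, 31)]

def parse(config):
    """Extract NAT pools, standard ACL permits and the NAT binding (hypothetical helper)."""
    pools, acls, binding = {}, {}, None
    for line in config.splitlines():
        if m := re.match(r"ip nat pool (\S+) (\S+) (\S+) netmask (\S+)", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]), m[4])
        elif m := re.match(r"access-list (\d+) permit (\S+) (\S+)", line):
            # ip_network() accepts a wildcard (host) mask such as 0.0.0.15
            acls[m[1]] = ipaddress.ip_network(f"{m[2]}/{m[3]}")
        elif m := re.match(r"ip nat inside source list (\S+) pool (\S+)( overload)?", line):
            binding = (m[1], m[2], bool(m[3]))
    return pools, acls, binding

def check(config, inside_hosts):
    """Return the facts a reviewer would verify about the NAT configuration."""
    pools, acls, (acl_id, pool_name, overload) = parse(config)
    start, end, mask = pools[pool_name]
    pool_net = ipaddress.ip_network(f"{start}/{mask}", strict=False)
    pool_size = int(end) - int(start) + 1
    matched = acls[acl_id]
    return {
        "pool_subnet": str(pool_net),
        # both ends must be usable host addresses of the subnet the netmask implies
        "pool_fits_mask": {start, end} <= set(pool_net.hosts()),
        "pool_size": pool_size,
        "acl_matches": str(matched),
        "acl_covers_hosts": all(h in matched for h in inside_hosts),
        # matched addresses that are not listed hosts (network and broadcast here)
        "acl_extra": [str(a) for a in matched if a not in inside_hosts],
        "overload_required": len(inside_hosts) > pool_size,
        "overload_present": overload,
    }

if __name__ == "__main__":
    for key, value in check(CONFIG, INSIDE_HOSTS).items():
        print(f"{key:18} {value}")
```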

Comments
  1. noney12
    November 18th, 2017

    There are 2 ways to complete this:
    acl to outside pool overload -and- inside pool to outside pool overload

  2. fafafa
    December 10th, 2017

    the ping doesn’t work

  3. Kaled
    December 17th, 2017

    If the ping didn’t work, you should configure a static route

  4. Ali
    December 20th, 2017

    Anyone who has done the Cisco exam? I need info, because I heard Cisco removed dump questions.

  5. papppu
    January 2nd, 2018

    please share latest exam experience…..

  6. papppu
    January 2nd, 2018

    dump is still valid?or not

  7. what answer?
    January 3rd, 2018

    Which two statements about TACACS+ are true? (Choose two.)
    A. It can run on a UNIX server.
    B. It authenticates against the user database on the local device.
    C. It is more secure than AAA authentication.
    D. It is enabled on Cisco routers by default.
    E. It uses a managed database.

  8. WTF?
    January 5th, 2018

    Hi,
    I really can’t understand why you put this command: “TUT(config)#access-list 1 permit 192.168.100.16 0.0.0.15”. He doesn’t ask you to permit this IP, so whyyy?

  9. Which two statements about TACACS+ are true? (Choose two.)
    January 5th, 2018

    A,B

  10. Which two statements about TACACS+ are true? (Choose two.)
    January 5th, 2018

    Which two statements about TACACS+ are true? (Choose two.)
    A. It can run on a UNIX server.
    B. It authenticates against the user database on the local device.
    C. It is more secure than AAA authentication.
    D. It is enabled on Cisco routers by default.
    E. It uses a managed database.

    A,E

  11. WTF?
    January 6th, 2018

    Hi,
    I really can’t understand why you put this command: “TUT(config)#access-list 1 permit 192.168.100.16 0.0.0.15”. He doesn’t ask you to permit this IP, so whyyy?

  12. WTF?
    January 6th, 2018

    why the host .16 ??

  13. WTF?
    January 6th, 2018

    Ah because the 192.168.100.16 is the network
    192.168.100.(17)/28 = 255.255.255.(240)
    256 – 240 = 16 — 16<17< 32-1=31
    Network : 192.168.100.16
    Broadcast : 192.168.100.31

    And so I can't put
    R1(config)#access-list 1 permit 192.168.100.0 0.0.0.0 (or 0.0.0.15)

  14. karem
    January 7th, 2018

    Which two statements about TACACS+ are true? (Choose two.)
    A and E are correct

  15. JC
    January 18th, 2018

    This was very informative. I spent a little too much time to figure it out on the lab, but it was really worth it. 192.168.100.30 255.255.255.240 on F0/0

    That makes the wild card 0.0.0.15 (255-240=15) When sub-netted 192.168.100.16 Net 17-30 Usable and 31 broad-cast. This matches since .240 has an increment of 16 (0, 16, 32, 48…)

    Thank you!

  16. potocki
    January 20th, 2018

    I suppose that one doesn’t need to create the standard access list in the way described above; can he use the command “ip nat access-list standard [NAME]/[NUMBER]” on the CCNA exam? There was no explicit rule to use an ACL, so I assume we can use “ip access-list”, right?
    FYI, if someone is wondering how to do it with an “ip access-list” standard ACL, find it below.

    (config) ip access-list standard NAT-LIST-NAME
    (config-std-nacl) permit 192.168.100.16 0.0.0.15
    (config-std-nacl) deny any # this is unnecessary, as there is always an implicit deny all entry at the end of each ACL, but I find it useful for troubleshooting if something was wrong – in the “show access-lists” command output we can see the count of matches against each entry. But a second question: can we use this on the CCNA exam?
    And then we attach ACL to NAT pool in similar way as described above:
    (config) ip nat inside source list NAT-LIST-NAME pool NAT-POOL overload

    I checked myself, and extended numbered/named ACL is also working correctly.
    (config) ip access-list extended NAT-LIST-NAME
    (config-ext-nacl) permit ip 192.168.100.16 0.0.0.15 any # any is destination address of course, ip is our protocol
    (config-ext-nacl) deny ip any any # the same situation as was in standard example, it is for easier troubleshooting

    It is also worth using the show commands (use them while learning, and you will remember them during the exam!): show ip nat statistics and show ip nat translations. The command “debug ip nat” can also be very helpful; it shows all translations in real time (enabled on the Weaver router, of course; if there is access to the ISP router (destination router) you can use “debug ip packet” to see packets that reached the ISP router, and verify whether the source address is changed after NAT).
    @WTF: You need to use an ACL in NAT, unless you are making static NAT (“ip nat inside static PRIVATE_IP PUBLIC_IP”); this is actually a NAT essential.

  17. biber
    January 21st, 2018

    I think the following command is wrong in the NAT sim lab:

    ip nat pool mypool 198.18.184.105 198.18.184.110 netmask 255.255.255.248

    It should be netmask 255.255.255.240 because of the start and end address in the pool. They would be in two different /29 Networks, which is according to the official cert guide books not possible. So we need a /28 network, even if only 6 addresses are in the pool.

  18. @sai
    January 29th, 2018

    fafafa the ping works only after giving

    TUT(config)#interface fa0/0
    TUT(config-if)#ip nat inside

    TUT(config-if)#exit

    TUT(config)#interface s0/0
    TUT(config-if)#ip nat outside
    TUT(config-if)#end

  19. data-centric
    February 5th, 2018

    Biber, 198.18.184.104 is the subnet for the outside pool. Your suggestion is not correct. The 9tut solution is correct.

  20. Beng
    February 13th, 2018

    why i can’t ping 192.0.2.114

  21. Anonymous
    February 13th, 2018

    Can we configure the public IP as primary and the local network as secondary on the local interface, then NAT it to the interface? Should work, right?

  22. Prashant
    February 14th, 2018

    TUT(config)#ip nat pool mypool 198.18.184.105 198.18.184.110 netmask 255.255.255.248
    subnet in not

    TUT(config)#ip nat pool mypool 198.18.184.105 198.18.184.110 netmask 255.255.255.240 will be ok .

    please check 9tut.

  23. H
    February 16th, 2018

    Can you please send me the latest dump for CCNAx 200-125 to hanichob8 @ Gmail . com

  24. S
    February 21st, 2018

    standard Acl list is applied here
    access-list 1 permit 192.168.100.16 0.0.0.15
    my question is why can’t we apply extended acl here
    plz explain
    cheers

  25. Fire13
    February 21st, 2018

    hi guys can anyone send me the latest dump for CCNA 200-125 R&S ({email not allowed}) please

  26. Fire13
    February 21st, 2018

    hi guys can anyone send me the latest dump for CCNA 200-125 R&S (a.taniqulov420 @ Gmail . com) please

  27. Khanh Nguyen huy
    February 22nd, 2018

    Hi everybody,
    I’ve passed CCNA today, 964. 70% was in the dump, but not all of it is correct. The lab is the same but the answers are changed; you must deeply understand the lab. Thanks 9tut, very helpful.

  28. Naleen
    February 27th, 2018

    Hi,

    In this simulation, instead of using my pool, can I use the outgoing interface for overload?

    ip nat inside source list 1 serial 0/0 overload

    Is there anything wrong with this configuration?

    Thanks

  29. Naleen
    February 27th, 2018

    Actually with interface keyword

    ip nat inside source list 1 interface serial 0/0 overload

  30. Raju
    February 27th, 2018

    Hi guys any latest dumps for 200-125

    my exam is in next month.

    this is my email id :- raj09028 at gmail dot com

    thank you

  31. Petter
    March 6th, 2018

    Great help for the exam, thanks a lot!!

  32. bi
    March 21st, 2018

    TUT(config)#ip nat pool mypool 198.18.184.105 198.18.184.110 netmask 255.255.255.248
    is correct. given that the ISP provided 6 public address ranging 198.18.184.105 198.18.184.110: implies that address 198.18.184.4 was subnetted with a block size of 8 to create the 6 valid IP addresses.

  33. bi
    March 21st, 2018

    correction: address subnetted is 198.18.184.104

  34. John D. Ngowi
    March 23rd, 2018

    Hi all
    Any one with the valid dumps please, thank you in advance
    johnngowi86 at gmail dot com.

  35. JamesW
    March 28th, 2018

    could any one send me latest valid dump please at binwu1989 at yahoo dot com.

  36. Simpy
    April 1st, 2018

    Could anyone please help me with dumbs of ITIL and send it to simpy.parveen1_AtTheRate_ucalgary.ca

  37. Roman
    April 7th, 2018

    Guys who are confused about the access-list 1 permit command:
    Don’t forget that a NAT access list is made for matching IPs, not for blocking traffic. If an IP address matches the ACL, it will be inserted into the NAT process.

  38. Anonymous
    April 22nd, 2018

    I need the valid dumps pleeeeease my exam is NEXT WEEK please help my i have been doing my best email : quaresma420 at yahoo dot com

  39. Kate Doan
    April 26th, 2018

    Command

    Router>enable
    Password: cisco
    Router#

    Step 1: Change the hostname to Weaver

    Router#configure terminal
    Router(config)#hostname hut
    hut(config)#

    Step 2: Configure NAT

    1. Specify the private IP address using Access Control List (ACL) statement

    First we need to find the Network address of the hosts.

    Note: The inside local addresses have been assigned from 192.168.100.17 to 192.168.100.30/28.
    Subnet Mask of /28 = 11111111 . 11111111 . 11111111 . 11110000 = 255.255.255.240
    For the network address, the network bits of the IP address remain the same but the host bits are turned to 0s
    The last octet of first local IP address is 17, and binary of 17 = 00010001
    Network Address = 192.168.100.00010000 = 192.168.100.16

    Second, we need to find the wildcard mask of /28

    Note: The wildcard mask is the inverse of the subnet mask. Network bits are 0s and host bits are 1s.
    Subnet Mask = 11111111 . 11111111 . 11111111 . 11110000
    Wildcard Mask = 00000000 . 00000000 . 00000000 . 00001111 = 0.0.0.15

    hut(config)#access-list 1 permit 192.168.100.16 0.0.0.15

    2. Specify the public IP address (198.18.184.105 – 198.18.184.110/29)

    Subnet Mask of /29 = 11111111 . 11111111 . 11111111 . 11111000 = 255.255.255.248

    hut(config)#ip nat pool mynat 198.18.184.105 198.18.184.110 netmask 255.255.255.248

    3. Link private IP address list and public IP address list

    From the above 2 commands, the ACL number is 1 and the NAT pool name is mynat

    hut(config)#ip nat inside source list 1 pool mynat overload
    hut(config)#end

    Step 3: Save the configuration

    hut#copy run start

    Step 4: Test the NAT configuration

    The IP address of the ISP is 192.0.2.114; if the connectivity test to the ISP IP address succeeds, then the above NAT configuration is working properly.

    Click Show Topology button, then click on the icon “Host for Testing”. In the command prompt of PC, execute command ping 192.0.2.114

  40. SHEROD57
    May 4th, 2018

    looking for exam ICND1 – 100-101

    {email not allowed}

    please send latest exam.

    Thank you,

  41. SHEROD57
    May 4th, 2018

    looking for exam ICND1 – 100-101

    sheryler at comcast dot net

    please send latest exam.

    Thank you,

  42. Sheron
    May 22nd, 2018

    Here is instant Download / Purchase link. Cheapest Ever. 100% working Exam Real Questions:

    https://shrib.com/?v=nc#Pk9QTGCBeq92wwLTHKPk
