CCNA NAT SIM Question

January 5th, 2014

Question

You are tasked to configure Internet access on a router. The ISP has provided the company six public IP addresses of 198.18.184.105 – 198.18.184.110. The company has 14 hosts that need to access the internet simultaneously. The hosts in the company LAN have been assigned private space addresses in the range of 192.168.100.17 – 192.168.100.30.

The following have already been configured on the router:

– Router basic configuration
– Interfaces have been configured for NAT inside (Fa0/0) and NAT outside (s0/0)
– The appropriate static routes have also been configured
– All passwords have been temporarily set to “cisco”

Tasks:
+ Use NAT to provide Internet access to all hosts in the company LAN.
+ Name the router TUT
+ Inside global addresses: 198.18.184.105 – 198.18.184.110/29
+ Inside local addresses: 192.168.100.17 – 192.168.100.30/28
+ Number of inside hosts: 14

NAT_sim_topology.jpg

Solution

Note: If you are not sure how NAT & PAT work, please read my Network Address Translation NAT Tutorial. You can download this sim to practice here: http://juquitiba.sp.gov.br/?exams=download/9tut.com_CCNA_NAT_sim_question.zip

The CCNA Training company has 14 hosts that need to access the internet simultaneously, but we have only 6 public IP addresses, from 198.18.184.105 to 198.18.184.110/29. Therefore we have to use NAT overload (or PAT).

Double click on the TUT router to open it

Router>enable
Router#configure terminal

First you should change the router’s name to TUT

Router(config)#hostname TUT

Create a NAT pool of global addresses to be allocated, with their netmask (/29 = 255.255.255.248). There were reports that the simulator in the real exam did not accept the “prefix-length” keyword, so you should use the “netmask” keyword.

TUT(config)#ip nat pool mypool 198.18.184.105 198.18.184.110 netmask 255.255.255.248

Create a standard access control list that permits the addresses that are to be translated:

TUT(config)#access-list 1 permit 192.168.100.16 0.0.0.15

Establish dynamic source translation, specifying the access list that was defined in the prior step:

TUT(config)#ip nat inside source list 1 pool mypool overload

This command translates all source addresses that pass access list 1, which means a source address from 192.168.100.17 to 192.168.100.30, into an address from the pool named mypool (the pool contains addresses from 198.18.184.105 to 198.18.184.110).

The overload keyword allows multiple IP addresses to be mapped to a single registered IP address (many-to-one) by using different ports.

The question states that the appropriate interfaces have already been configured with the NAT inside and NAT outside statements.

This is how to configure NAT inside and NAT outside, just for your understanding:

TUT(config)#interface fa0/0
TUT(config-if)#ip nat inside

TUT(config-if)#exit

TUT(config)#interface s0/0
TUT(config-if)#ip nat outside
TUT(config-if)#end

Finally, you should save all your work with the following command:

TUT#copy running-config startup-config

Check your configuration by going to “Host for testing” and typing:

C:\>ping 192.0.2.114

The ping should succeed, with replies coming from 192.0.2.114.
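
The pool and access-list commands from this solution can be checked offline. The Python below is an added example, not part of the original post or the exam simulator, and its function names are hypothetical. It works out which subnet the pool netmask places both pool ends in, and compares what access list 1 permits against the 14 inside local hosts.

```python
import ipaddress
import re

# The two commands from the solution above, copied verbatim.
CONFIG = """\
ip nat pool mypool 198.18.184.105 198.18.184.110 netmask 255.255.255.248
access-list 1 permit 192.168.100.16 0.0.0.15
"""

def parse_pool(config):
    """Return (first, last, subnet) for the 'ip nat pool' line."""
    m = re.search(r"^ip nat pool \S+ (\S+) (\S+) netmask (\S+)$", config, re.M)
    first, last = (ipaddress.IPv4Address(a) for a in m.group(1, 2))
    # strict=False derives the subnet that contains the first pool address.
    subnet = ipaddress.IPv4Network(f"{first}/{m.group(3)}", strict=False)
    return first, last, subnet

def check_pool(config):
    """This example's criterion: both ends lie in one subnet of the given
    mask and neither end is that subnet's network or broadcast address."""
    first, last, subnet = parse_pool(config)
    reserved = (subnet.network_address, subnet.broadcast_address)
    ok = first <= last and all(
        a in subnet and a not in reserved for a in (first, last))
    return subnet, ok, int(last) - int(first) + 1

def acl_matches(config, address):
    """Standard ACL match: bits set in the wildcard mask are ignored."""
    m = re.search(r"^access-list \d+ permit (\S+) (\S+)$", config, re.M)
    base, wild = (int(ipaddress.IPv4Address(a)) for a in m.group(1, 2))
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(address)) & care) == (base & care)

def acl_coverage(config, first_host, last_host):
    """Return (missed, extra): inside hosts the ACL does not permit, and
    addresses in the surrounding /24 it permits beyond the host range."""
    lo, hi = (ipaddress.IPv4Address(a) for a in (first_host, last_host))
    net24 = ipaddress.IPv4Network(f"{lo}/24", strict=False)
    permitted = {a for a in net24 if acl_matches(config, str(a))}
    wanted = {ipaddress.IPv4Address(i) for i in range(int(lo), int(hi) + 1)}
    return sorted(wanted - permitted), sorted(permitted - wanted)

if __name__ == "__main__":
    print(check_pool(CONFIG))
    print(acl_coverage(CONFIG, "192.168.100.17", "192.168.100.30"))
```

The access list decides which inside sources are translated at all, so the "extra" list is the part to review: here it holds only the subnet's network and broadcast addresses.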

Comments
  1. noney12
    November 18th, 2017

    there are 2 way to complete this
    acl to outside pool overload -and- inside pool to outside pool overload

  2. fafafa
    December 10th, 2017

    the ping doesn’t work

  3. Kaled
    December 17th, 2017

    If ping didn’t work so you should configure a static route

  4. Edward
    December 18th, 2017
  5. Ali
    December 20th, 2017

    any one who done Cisco exam? need info, because i heard Cisco removed dump question.

  6. papppu
    January 2nd, 2018

    please share latest exam experience…..

  7. papppu
    January 2nd, 2018

    dump is still valid?or not

  8. what answer?
    January 3rd, 2018

    Which two statements about TACACS+ are true? (Choose two.)
    A. It can run on a UNIX server.
    B. It authenticates against the user database on the local device.
    C. It is more secure than AAA authentication.
    D. It is enabled on Cisco routers by default.
    E. It uses a managed database.

  9. WTF?
    January 5th, 2018

    Hi,
    I really can’t understand why you put this command : ” TUT(config)#access-list 1 permit 192.168.100.16 0.0.0.15″ he don’t ask you to permit this IP so whyyy?

  10. Which two statements about TACACS+ are true? (Choose two.)
    January 5th, 2018

    A,B

  11. Which two statements about TACACS+ are true? (Choose two.)
    January 5th, 2018

    Which two statements about TACACS+ are true? (Choose two.)
    A. It can run on a UNIX server.
    B. It authenticates against the user database on the local device.
    C. It is more secure than AAA authentication.
    D. It is enabled on Cisco routers by default.
    E. It uses a managed database.

    A,E

  12. WTF?
    January 6th, 2018

    Hi,
    I really can’t understand why you put this command : ” TUT(config)#access-list 1 permit 192.168.100.16 0.0.0.15″ he don’t ask you to permit this IP so whyyy?

  13. WTF?
    January 6th, 2018

    why the host .16 ??

  14. WTF?
    January 6th, 2018

    Ah because the 192.168.100.16 is the network
    192.168.100.(17)/28 = 255.255.255.(240)
    256 – 240 = 16 — 16<17< 32-1=31
    Network : 192.168.100.16
    Broadcast : 192.168.100.31

    And so I can't put
    R1(config)#access-list 1 permit 192.168.100.0 0.0.0.0 (or 0.0.0.15)

  15. karem
    January 7th, 2018

    Which two statements about TACACS+ are true? (Choose two.)
    A and E are correct

  16. JC
    January 18th, 2018

    This was very informative. I spent a little too much time to figure it out on the lab, but it was really worth it. 192.168.100.30 255.255.255.240 on F0/0

    That makes the wild card 0.0.0.15 (255-240=15) When sub-netted 192.168.100.16 Net 17-30 Usable and 31 broad-cast. This matches since .240 has an increment of 16 (0, 16, 32, 48…)

    Thank you!

  17. potocki
    January 20th, 2018

    I suppose, that one doesn’t need to create standard access list in that way described above, he can use command “ip nat access-list standard [NAME]/[NUMBER]”? on CCNA exam? There was no explicit rule to use acl, so I assume we can use “ip access-list”, right?
    FYI, if someone is wondering how to do it with “ip access-list” standard ACL, find it below.

    (config) ip access-list standard NAT-LIST-NAME
    (config-std-nacl) permit 192.168.100.16 0.0.0.15
    (config-std-nacl) deny any # this is unnecessary, as there is always implicit deny all entry on end of each ACL, but I find it useful for troubleshooting, if something was wrong – in “show access-lists” command output we can see count of matches against each entry.. – but second question, can we use this on CCNA exam?
    And then we attach ACL to NAT pool in similar way as described above:
    (config) ip nat inside source list NAT-LIST-NAME pool NAT-POOL overload

    I checked myself, and extended numbered/named ACL is also working correctly.
    (config) ip access-list extended NAT-LIST-NAME
    (config-ext-nacl) permit ip 192.168.100.16 0.0.0.15 any # any is destination address of course, ip is our protocol
    (config-ext-nacl) deny ip any any # the same situation as was in standard example, it is for easier troubleshooting

    Also it is worth to use (use during learning, and you will remember it during exam!) show commands – show ip nat statistics and show ip nat translations. Also very helpful can be command “debug ip nat” – it shows all translations in real time (enabled on Weaver router, of course; if there will be access to ISP router (destination router) you can use “debug ip packet” to see packets reached ISP router, and verify if the source address is changed after NAT..)
    @WTF: You need to use ACL in NAT, unless you are making static NAT (“ip nat inside static PRIVATE_IP PUBLIC_IP”), this is actually a NAT essential..

  18. biber
    January 21st, 2018

    I think the following command is wrong in the NAT sim lab:

    ip nat pool mypool 198.18.184.105 198.18.184.110 netmask 255.255.255.248

    It should be netmask 255.255.255.240 because of the start and end address in the pool. They would be in two different /29 Networks, which is according to the official cert guide books not possible. So we need a /28 network, even if only 6 addresses are in the pool.

  19. @sai
    January 29th, 2018

    fafafa the ping works only after giving

    TUT(config)#interface fa0/0
    TUT(config-if)#ip nat inside

    TUT(config-if)#exit

    TUT(config)#interface s0/0
    TUT(config-if)#ip nat outside
    TUT(config-if)#end

  20. data-centric
    February 5th, 2018

    Biber 198.18.184.104 is the subnet for the outside pool. your suggestion is not correct. The 9tut solution is correct

  21. Beng
    February 13th, 2018

    why i can’t ping 192.0.2.114

  22. Anonymous
    February 13th, 2018

    can we configure the public ip as primary and the local network as secondary on the local interface then will NAT it to the interface, should work right?

  23. Prashant
    February 14th, 2018

    TUT(config)#ip nat pool mypool 198.18.184.105 198.18.184.110 netmask 255.255.255.248
    subnet in not

    TUT(config)#ip nat pool mypool 198.18.184.105 198.18.184.110 netmask 255.255.255.240 will be ok .

    please check 9tut.

  24. H
    February 16th, 2018

    Can you please send me the latest dump for CCNAx 200-125 to hanichob8 @ Gmail . com
