23 - Questions - Enable Internet Connectivity


A network administrator configures the border router with the command ip nat inside source list 14 pool accounting. Which ACL is required to be configured in order for this command to function?

An access list that is numbered 14 that defines the private addresses that are translated by NAT.

A NAT-enabled router is configured to perform inside PAT. The IPv4 packet arrives at the outside interface of the router, as a response to the client in the inside network. Provided that inside PAT is correctly configured, which fields in the received IPv4 packets must match to which NAT mapping element, for the packet to be forwarded to the inside host?

Destination IPv4 address and destination port number must match inside global address and port in the mapping table.

One of the drawbacks of NAT is that it might disrupt services that require the initiation of TCP connections from the outside network or disrupt stateless protocols, such as those using UDP. Why is NAT disruptive in these two cases?

Inbound connections (outside to inside) depend on the presence of a NAT mapping to be forwarded to the receiving host inside the network. NAT mappings can time out and, therefore, prevent the device from translating the incoming packets, which end up discarded.

What is the purpose of entering the ip nat inside source static tcp 192.168.10.2 80 209.165.200.223 8080 command at the global configuration prompt?

It binds the inside local address and local port to the specified inside global address and global port.

Which statement correctly describes NAT?

NAT is performed for outbound and inbound traffic.

Which two statements correctly describe port forwarding? (Choose two.)

Port forwarding is defined as a static mapping. Port forwarding enables a local resource in a private network to be available to external networks.

Which three options are advantages of NAT? (Choose three.)

Provides consistency for internal network addressing schemes. Increases the flexibility of connections to the public network. Conserves public addresses.

The R1 router is configured for PAT. Refer to the exhibit. What is a possible reason that the addresses in the network are not translated?

R1(config)# access-list 1 permit 192.168.0.0 0.0.0.255
R1(config)# ip nat pool NAT-POOL2 209.165.201.1 209.165.201.10 netmask 255.255.255.224
R1(config)# ip nat inside source list 1 pool NAT-POOL2 overload
R1(config)# interface GigabitEthernet 0/1
R1(config-if)# ip nat inside
R1(config-if)# interface GigabitEthernet 0/2
R1(config-if)# ip nat inside
R1(config-if)# interface GigabitEthernet 0/0
R1(config-if)# ip nat outside

The correct answer is "Access-list 1 is misconfigured." The wildcard mask in the access control entry does not allow traffic from both the 192.168.11.0/24 and the 192.168.12.0/24 networks. The correct access list statement would be access-list 1 permit 192.168.0.0 0.0.255.255.

Which NAT disadvantage is described in the following situation? A user is unsuccessfully trying to establish a video call from the head office to the branch office. After some troubleshooting, they find out that the signaling protocol uses private IPv4 addresses in its messages. Both caller and called hosts try to send video data to the private address.

The correct answer is "End-to-end functionality is lost." Signalling protocols repeat device-configured IPv4 addresses in their messages. As a result, when NAT traversal mechanisms are not in place, the private addresses are used to exchange voice and video packets. The exchange is unsuccessful and the call fails. Tunneling protocol and performance degradation issues would result in other troubleshooting symptoms. Since signaling protocol messages can be exchanged, the issue is not related to disruptions of TCP or UDP connections. No end-to-end traceability is attempted in the example.

Which option enables one public address to be used for multiple internal private hosts?

The correct answer is "PAT." With dynamic NAT, for each local address there must be a global address available. Dynamic translations have a limited validity. The number of simultaneous connections is limited by the number of available global addresses. DHCP is not concerned with translations, but with address assignment. Static NAT provides one-to-one IP address mapping that does not time out.

Which statement accurately describes static NAT?

The correct answer is "Static NAT mappings do not time out." Static NAT can map any type of IPv4 addresses, such as private to public and private to another private address. Static mappings are not automatically created but are manually configured. They do not time out, and they are removed by manual intervention. NAT is not providing addressing, which is a task of DHCP, nor the hostname to IPv4 address mapping, which is a task of DNS.

For the purpose of testing, the administrator has set up a sample topology and configured static NAT on the R1 router for all inside network segments. The translation table is given below. PC1 sends a packet to the 209.165.202.129 IPv4 address. What would be the source IPv4 address and destination IPv4 address of PC1 packets when they leave the router out of its outside interface?

The correct answer is "The source IPv4 address is 198.51.100.150 and the destination IPv4 address is 209.165.202.129." When PC1 initiates communication with a device at the 209.165.202.129 IPv4 address, the packets are forwarded to R1. At router R1, the packets are routed to the outside interface and then translated using the mapping in the first row of the NAT-mapping table. The mapping indicates that the inside local address, which is the source address in the packet, is translated to 198.51.100.150. Therefore, answers stating the source IPv4 address to be 192.168.10.10 and 192.168.100.200 are not correct. 192.168.10.10 is the packet source IPv4 address only within the local network, not outside of it.

An administrator is given the task of configuring only inside PAT. Which statement about inside PAT is true?

The correct answer is "When only inside PAT is performed, source IPv4 address and source port numbers of the outbound packets, and destination IPv4 address and destination port numbers of the inbound packets are translated." Regardless of the NAT type, translations are always a two-way process. On NAT-enabled devices, the mappings are created when inside to outside traffic is initiated, but these mappings are consulted for both outbound and inbound traffic.

To which IPv4 range does the 10.10.1.101 address belong?

The correct answer is "private address range." IPv4 addresses in the range 10.0.0.0/8 are private addresses. The IPv4 address 10.10.1.101 belongs to the 172.16.0.0/12 range.

You have a web server with a private IPv4 address within your network. You want users from the internet to access that private IPv4 address. Which type of NAT do you use?

The correct answer is "static NAT." Static NAT configurations create a one-to-one mapping that does not time out; in other words, it is always available both for translation of outbound traffic and for translation of inbound traffic. Dynamic NAT and PAT are both dynamic in creating translation mappings. In both cases, if no outbound traffic is generated, no translations are created. Therefore, the translation mapping exists only if the communication was initiated from the inside. If it is not, no inbound communication can reach the inside server. DHCP is an address assignment protocol and not a translation protocol.

An administrator is configuring inside NAT for one of the inside network segments that has 150 devices. She has 20 global addresses available. Traffic analysis indicates that 15 devices need constant connection to the internet. Their addresses will be bound statically to 15 global addresses. The other devices will use dynamic NAT. Which two statements about the dynamic NAT implementation are true? (Choose two.)

The correct answers are "Only 15 devices will be able to connect to the internet simultaneously" and "By setting a lower timeout for the mappings, more than 15 devices may be able to access the internet, as long as they do not attempt to connect at the same time." After 15 global addresses are statically mapped, only 15 remain for dynamic NAT. If 15 dynamic mappings are already created, the sixth one will not be possible at that instant. However, after timeout expires, global addresses are available again. As long as inside devices do not attempt to connect to the internet at the same time, more than 15 devices can use global addresses. A shorter timeout frees global addresses sooner, so that chances for global addresses to be available increase. PAT needs to be configured and is not invoked automatically. The border device does not maintain waiting queues for NAT.

Which two network devices are typically used to perform NAT for an enterprise network? (Choose two.)

The correct answers are "router," and "firewall." Access points with routing capabilities or DSL and cable routers typically perform NAT in home environments. DHCP servers, host devices, and Layer 2 switches are not used to perform NAT in an enterprise environment.

Refer to the exhibit. The router NAT configuration command is shown above the router. A user is trying to access the company web server by using the URL http://192.168.10.254. What is the user doing wrong?

The user is using an incorrect IPv4 address.

A company designs its network so that the PCs in the internal network are assigned IPv4 addresses from DHCP servers, and the packets that are sent to the internet are translated through a NAT-enabled router. Which type of NAT enables the router to populate the translation table from a pool of unique public addresses, as the PCs send packets through the router to the internet?

dynamic NAT

Refer to the exhibit. Which type of NAT is being configured?

Router(config)# access-list 1 permit 172.16.1.0 0.0.0.255
Router(config)# ip nat pool NAT-POOL 209.165.201.10 209.165.201.14 netmask 255.255.255.224
Router(config)# interface Gi 0/1
Router(config-if)# ip address 209.165.201.1 255.255.255.224
Router(config-if)# ip nat outside
Router(config-if)# exit
Router(config)# interface Gi 0/0
Router(config-if)# ip address 172.16.1.1 255.255.255.0
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# ip nat inside source list 1 pool NAT-POOL overload

inside PAT

To configure NAT, one of the commands the administrator used was ip nat pool NAT-POOL 209.165.201.5 209.165.201.10 netmask 255.255.255.240. Assume that outside routers do not have a default route configured. Which two networks could be present in the routing tables of outside routers so that the two-way reachability exists between inside and outside hosts? (Choose two.)

route to 209.165.201.0/28 network; route to 209.165.201.0/24 network

Refer to the exhibit showing the NAT information on the device. Which command was used to provide the output?

Total active translations: 6 (1 static, 5 dynamic; 2 extended)
Peak translations: 6, occurred 00:05:03 ago
Outside interfaces:
  Ethernet0/3
Inside interfaces:
  Ethernet0/0, Ethernet0/1
Hits: 124  Misses: 0
CEF Translated packets: 124, CEF Punted packets: 0
Expired translations: 2
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 10 pool NAT_POOL refcount 5
 pool NAT_POOL: netmask 255.255.255.0
        start 198.51.100.100 end 198.51.100.149
        type generic, total addresses 50, allocated 3 (6%), misses 0
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

show ip nat statistics

