CCNA NAT Questions

Started by certforumz, March 22, 2014, 08:43:05 PM


certforumz

A network associate is configuring a router for the Weaver company to provide internet access. The ISP has provided the company six public IP addresses of 198.18.184.105 – 198.18.184.110. The company has 14 hosts that need to access the internet simultaneously. The hosts in the company LAN have been assigned private space addresses in the range of 192.168.100.17 – 192.168.100.30.





Solution:



The above-named organisation has 14 hosts that need to access the internet simultaneously but was provided with just 6 public IP addresses, from 198.18.184.105 to 198.18.184.110/29.

In this case, you have to consider using NAT Overload (or PAT).

Double-click on the Weaver router to access the CLI:

Router>enable
Router#configure terminal

Configure the router's name as "Weaver":
Router(config)#hostname Weaver
Weaver(config)#

Create a NAT pool of global addresses and mask to be assigned:

Weaver(config)#ip nat pool mypool 198.18.184.105 198.18.184.110 netmask 255.255.255.248

Create a standard access control list that permits the addresses that are to be translated:


Weaver(config)#access-list 1 permit 192.168.100.16 0.0.0.15

Set up dynamic address source translation, specifying the access list that was defined in the step above:
Weaver(config)#ip nat inside source list 1 pool mypool overload
Weaver(config)#end
Weaver#copy running-config startup-config   (don't forget this bit)

This command translates all source addresses that meet the access list 1 criteria: source addresses from 192.168.100.17 - 192.168.100.30 will be translated into addresses from the pool (mypool) (addresses 198.18.184.105 to 198.18.184.110).

Overload: using this keyword enables the router to map multiple IP addresses to a single registered IP address (many-to-one) using different ports. It can also be called Port Address Translation (PAT).

Note: according to the question, "..Appropriate interfaces have been configured for NAT inside and NAT outside."

This means that NAT inside and NAT outside are already configured. You might be lucky to encounter this during your exam or not. For the record, this is how to configure the NAT inside and NAT outside:

Weaver(config)#interface fa0/0
Weaver(config-if)#ip nat inside

Weaver(config-if)#exit

Weaver(config)#interface s0/0
Weaver(config-if)#ip nat outside
Weaver(config-if)#end

Weaver#copy running-config startup-config (this saves all your configuration, don't forget!)


Verify your configuration by pinging from "Host for testing":

C:\>ping 192.0.2.114

If you follow the above configuration, you should receive a reply.
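The configuration above, modelled as an added Python example (not part of the original post): it checks that the wildcard mask in access list 1 covers the 14 hosts, that the pool fits the /29 mask, and shows how `overload` lets all 14 hosts share one global address by port. The port-allocation rule in `PatTable` is a simplifying assumption, not the exact IOS algorithm, and the source port 50000 is a constructed sample value.

```python
import ipaddress

def acl_match(addr, base, wildcard):
    """IOS wildcard match: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def pool_in_one_subnet(first, last, netmask):
    """True if both ends of the NAT pool fall in the subnet implied by the mask."""
    net = ipaddress.ip_interface(f"{first}/{netmask}").network
    return ipaddress.ip_address(last) in net

class PatTable:
    """Simplified PAT model (assumption): keep the source port if free,
    otherwise take the next free port >= 1024 on the same global address."""

    def __init__(self, pool):
        self.pool = pool
        self.out = {}    # (inside_ip, inside_port) -> (global_ip, global_port)
        self.back = {}   # (global_ip, global_port) -> (inside_ip, inside_port)

    def outbound(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key in self.out:
            return self.out[key]
        for g in self.pool:
            for port in [inside_port, *range(1024, 65536)]:
                if (g, port) not in self.back:
                    self.out[key] = (g, port)
                    self.back[(g, port)] = key
                    return g, port
        raise RuntimeError("pool and ports exhausted")

    def inbound(self, global_ip, global_port):
        # No entry means no inside host opened this flow: nothing to forward to.
        return self.back.get((global_ip, global_port))

# Constructed sample: the 14 inside hosts, all using the same source port.
HOSTS = [f"192.168.100.{n}" for n in range(17, 31)]
POOL = [f"198.18.184.{n}" for n in range(105, 111)]

def demo():
    nat = PatTable(POOL)
    return nat, [nat.outbound(h, 50000) for h in HOSTS]

if __name__ == "__main__":
    nat, flows = demo()
    for host, (g, p) in zip(HOSTS, flows):
        print(f"{host}:50000 -> {g}:{p}")
```

In this model an unsolicited inbound packet to a pool address and port with no table entry returns `None`, which is why dynamic translations do not accept connections initiated from the outside.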

certforumz

#1
Question 2

Which two statements about static NAT translations are true? (choose two)

A. They are always present in the NAT table.
B. They allow connection to be initiated from the outside.
C. They can be configured with access lists, to allow two or more connections to be initiated from the outside.
D. They require no inside or outside interface markings because addresses are statically defined.

Answer: A B

Explanation

With static NAT, translations exist in the NAT translation table as soon as you configure static NAT command(s), and they remain in the translation table until you delete the static NAT command(s).

With dynamic NAT, translations do not exist in the NAT table until the router receives traffic that requires translation. Dynamic translations have a timeout period after which they are purged from the translation table.

-> A is correct.

Because static NAT translations are always present in the NAT table, outside hosts can initiate the connection without being dropped -> B is correct.

Static translations cannot be configured with access lists. To configure static NAT, we only need to specify source IP, NAT IP, inside interface & outside interface.

-> C is not correct.

We have to specify which is the inside and outside interface -> D is not correct.

For your information, below is an example of configuring static NAT:

R0(config)#int f0/0
R0(config-if)#ip nat inside

R0(config-if)#int f0/1
R0(config-if)#ip nat outside
R0(config-if)#exit

R0(config)#ip nat inside source static 10.0.0.1 200.0.0.2

(Reference: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml)

Question 3

What are two benefits of using NAT? (choose two)

A. NAT protects network security because private networks are not advertised.
B. NAT accelerates the routing process because no modifications are made on the packets.
C. Dynamic NAT facilitates connections from the outside of the network.
D. NAT facilitates end-to-end communication when IPsec is enabled.
E. NAT eliminates the need to re-address all hosts that require external access.
F. NAT conserves addresses through host MAC-level multiplexing.

Answer: A E

Explanation

By not revealing the internal IP addresses, NAT adds some security to the inside network -> A is correct.

NAT has to modify the source IP addresses in the packets -> B is not correct.

Connection from the outside to a network through "NAT" is more difficult than a normal network because IP addresses of inside hosts are hidden -> C is not correct.

In order for IPsec to work with NAT we need to allow additional protocols, including Internet Key Exchange (IKE), Encapsulating Security Payload (ESP) and Authentication Header (AH) -> more complex -> D is not correct.

By allocating specific public IP addresses to inside hosts, NAT eliminates the need to re-address the inside hosts -> E is correct.

NAT does conserve addresses but not through host MAC-level multiplexing. It conserves addresses by allowing many private IP addresses to use the same public IP address to go to the Internet -> F is not correct.

Question 4

Refer to the exhibit. What statement is true of the configuration for this network?



A. The configuration that is shown provides inadequate outside address space for translation of the number of inside addresses that are supported.
B. Because of the addressing on interface FastEthernet0/1, the Serial0/0 interface address will not support the NAT configuration as shown.
C. The number 1 referred to in the ip nat inside source command references access-list number 1.
D. ExternalRouter must be configured with static routes to network 172.16.2.0/24.

Answer: C

Explanation

The "list 1" refers to the access-list number 1.