web analytics
  • RSS

  • Polls

    What Cisco Cert Are You Currently Studying?

    View Results

    Loading ... Loading ...
  • Search on CiscoBibles

  • Popular Posts

  • Recent Comments

  • Archives

  • « | Main | »

    CCNA 640-802 Bible – Configure and Troubleshoot NAT

    By Raiy Wong | September 16, 2009

    1. What is the function of the Cisco IOS command ip nat inside source static 10.1.1.5 172.35.16.5?

    A: It creates a global address pool for all outside NAT transactions.

    B: It establishes a dynamic address pool for an inside static address.

    C: It creates dynamic source translations for all inside local PAT transactions.

    D: It creates a one-to-one mapping between an inside local address and an inside global address.

    E: It maps one inside source address to a range of outside global addresses.

    Correct Answers: D

    Explanation:

    In this example, the inside IP address of 10.1.1.5 is being translated to the 172.137.16.5 public IP address. This static 1-1 mapping is typically done for Internet facing servers, such as web servers, FTP servers, or email servers so that users from the outside can access the inside server using the outside (public) IP address.

    2. What does the "Inside Global" address represent in the configuration of NAT?

    A: the summarized address for all of the internal subnetted addresses

    B: the MAC address of the router used by inside hosts to connect to the Internet

    C: a globally unique, private IP address assigned to a host on the inside network

    D: a registered address that represents an inside host to an outside network

    Correct Answers: D

    Explanation:

    With NAT, Cisco defines 4 different types of addresses as follows:

    * Inside local address – The IP address assigned to a host on the inside network. This is the address configured as a parameter of the computer’s OS or received via dynamic address allocation protocols such as DHCP. The address is likely not a legitimate IP address assigned by the Network Information Center (NIC) or service provider.

    * Inside global address – A legitimate IP address assigned by the NIC or service provider that represents one or more inside local IP addresses to the outside world.

    * Outside local address – The IP address of an outside host as it appears to the inside network. Not necessarily a legitimate address, it is allocated from an address space routable on the inside.

    * Outside global address – The IP address assigned to a host on the outside network by the host’s owner. The address is allocated from a globally routable address or network space.

    The above definitions still leave a lot to be interpreted. For this example, this document redefines these terms by first defining "local address" and "global address." Keep in mind that the terms "inside" and "outside" are NAT definitions. Interfaces on a NAT router are defined as "inside" or "outside" with the NAT configuration commands, ip nat inside and ip nat outside. Networks to which these interfaces connect can then be thought of as "inside" networks or "outside" networks, respectively.

    * Local address – A local address is any address that appears on the "inside" portion of the network.

    * Global address – A global address is any address that appears on the "outside" portion of the network..

    3. A network administrator would like to implement NAT in the network shown in the graphic to allow inside hosts to use a private addressing scheme. Where NAT should be configured?

    clip_image001

    A: Corporate router

    B: Engineering router

    C: Sales router

    D: all routers

    E: all routers and switches

    Correct Answers: A

    Explanation:

    Network Address Translation (NAT) can be used to hide the private IP addressing scheme of the entire network from the Internet. To do this, NAT needs to only be configured on the router that resides between the Internet and the rest of the private internal network. In this case, it needs to only be implemented on the Corporate router.

    4. Refer to the exhibit. What statement is true of the configuration for this network?

    clip_image003

    A: The configuration that is shown provides inadequate outside address space for translation of the number of inside addresses that are supported.

    B: Because of the addressing on interface FastEthernet0/1, the Serial0/0 interface address will not support the NAT configuration as shown.

    C: The number 1 referred to in the ip nat inside source command references access-list number 1.

    D: ExternalRouter must be configured with static routes to networks 172.16.1.0/24 and 172.16.2.0/24.

    Correct Answers: C

    Explanation:

    The ip nat inside source list 1 pool interface command tells the router to translate IP addresses that match access-list 1 to an IP address of Serail0/0 interface.

    The access list in this case is not being used to permit or deny traffic as we would use it for security reasons to filter traffic. It is being used in this case to select or designate what we often call interesting traffic. When interesting traffic has been matched with the access list, it is pulled into the NAT process to be translated.

    5. The network administrator has configured NAT as shown in the graphic. Some clients can access the Internet while others cannot. What should the network administrator do to resolve this problem?

    clip_image004

    A: Configure an IP NAT pool.

    B: Properly configure the ACL.

    C: Apply the ACL to the S0 interface.

    D: Configure another interface with the ip nat outside command.

    Correct Answers: B

    Explanation:

    The "ip nat inside" and "ip nat outside" commands must be used from interface configuration mode to tell the router which interface is performing which role in the NAT process. The following commands show how to configure our example router:

    Router(config)#interface ethernet0

    Router (config-if)#ip nat inside

    Router (config-if)#exit

    Router config)#interface serial0

    Router (config-if)#ip nat outside

    Router(config-if)#exit

    6. Refer to the exhibit. Given the partial configuration shown in the exhibit, why do internal workstations on the 192.168.1.0 network fail to access the Internet?

    clip_image005

    A: A NAT pool has not been defined.

    B: The wrong interface is overloaded.

    C: NAT has not been applied to the inside and outside interfaces.

    D: The access list has not been applied to the proper interface to allow traffic out of the internal network.

    Correct Answers: C

    Explanation:

    Two basic configurations are needed when configuring NAT in CISCO IOS:

    1. the definition of address translation types (global configuration mode command);

    2. the definition of devices location (interface sub-configuration mode command). Inside and outside parameters designate the transmission direction. Designate inside on interface that is connected to internal network, and designate outside on interface that is connected to external network. The configuration in the figure above does not apply NAT to interface, so address can not be translated.

    7. Given the partial router configuration in the graphic, why does the workstation with the IP address 192.168.1.153/28 fail to access the Internet? (Choose two.)

    clip_image007

    A:The NAT inside interfaces are not configured properly.

    B:The NAT outside interface is not configured properly.

    C:The router is not properly configured to use the access control list for NAT.

    D:The NAT pool is not properly configured to use routable outside addresses.

    E:The access control list does not include the IP address 192.168.1.153/28 to access the Internet.

    Correct Answers: A, C

    8. Refer to the network diagram and configuration shown in the graphic. The network at the SOS Company has just been configured for NAT as shown. Initial tests indicate that everything is functioning as intended. However, it is found that a number of hosts cannot access the Internet. What is the problem?

    clip_image008

    A: The access list is not correct.

    B: There are not enough IP addresses available in the NAT address pool.

    C: The wrong interface has been configured with the ip nat inside command.

    D: The IP address of the Fa0/0 interface is not usable.

    E: The S0/1 interface of the ISP router is in the wrong subnet.

    Correct Answers: B

    Explanation:

    According to the configuration shown above, the NAT pool only specifies 5 IP addresses (192.0.2.161-165) while there are 16 hosts on the network that need to be translated. This explains why everything functions well for the first hosts, but not for the rest. To fix this issue, more IP addresses need to be specified in the NAT pool named SOS, or alternatively the "overload" keyword could be used to specify many to one address translation, or PAT.

    Several internal addresses can be NATed to only one or a few external addresses by using a feature called Port Address Translation (PAT) which is also referred to as "overload", a subset of NAT functionality.

    PAT uses unique source port numbers on the Inside Global IP address to distinguish between translations. Because the port number is encoded in 16 bits, the total number could theoretically be as high as 65,536 per IP address. PAT will attempt to preserve the original source port, if this source port is already allocated PAT will attempt to find the first available port number starting from the beginning ofthe appropriate port group 0-5111, 512-1023 or 1024-65535. If there is still no port available from the appropriate group and more than one IP address is configured, PAT will move to the next IP address and try to allocate the original source port again. This continues until it runs out of available ports and IP addresses.

    Alternatively, we could have configured port address translation, or NAT overload, to provide Internet access to the given number of hosts.

             

    Share and Enjoy:
    • Print
    • Digg
    • StumbleUpon
    • del.icio.us
    • Facebook
    • Yahoo! Buzz
    • Twitter
    • Google Bookmarks
    • LinkedIn
    • email
    • Live
    • MySpace

    Topics: 640-802 Bible, CCNA, CCNA R&S | No Comments »

    Comments

    You must be logged in to post a comment.