
Ticket 4 – NAT ACL

May 3rd, 2018

Note: In our ticket we cannot ping the Web server from DSW1 (as the NAT configuration is wrong), but in the exam we can. This is a bug in the exam, so be careful with it.

In this ticket we may see one of the two cases below:

Case 1:

Configuration of R1

!
interface Serial0/0/1
ip address 209.65.200.225 255.255.255.252
ip nat outside
!
interface Serial0/0/0
ip address 10.1.1.1 255.255.255.252
ip nat outside
ip ospf message-digest-key 1 md5 TSHOOT
ip ospf authentication message-digest

Ans1) R1
Ans2) NAT
Ans3) Under interface Serial0/0/0 delete the ip nat outside command and add the ip nat inside command.

Case 2:

Configuration of R1

!
interface Serial0/0/1
ip address 209.65.200.225 255.255.255.252
ip nat inside
!
interface Serial0/0/0
ip address 10.1.1.1 255.255.255.252
ip nat inside
ip ospf message-digest-key 1 md5 TSHOOT
ip ospf authentication message-digest

Ans1) R1
Ans2) NAT
Ans3) Under interface Serial0/0/1 delete the ip nat inside command and add the ip nat outside command.
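
An added example (not part of the original post or the exam material): a small Python audit that parses the NAT-relevant interface lines from the two cases above and flags a NAT role that contradicts the interface address. It assumes, as a heuristic, that an RFC 1918 address belongs on the inside and a public address on the outside; the function names are hypothetical.

```python
import ipaddress
import re

# NAT-relevant interface lines copied from Case 1 on this page.
CASE_1 = """\
interface Serial0/0/1
 ip address 209.65.200.225 255.255.255.252
 ip nat outside
!
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 ip nat outside
"""
# Case 2 on this page has the same interfaces, both marked "ip nat inside".
CASE_2 = CASE_1.replace("ip nat outside", "ip nat inside")

def parse_interfaces(config):
    """Return {interface name: {"ip": address or None, "nat": role or None}}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)", line):
            current = interfaces.setdefault(m.group(1), {"ip": None, "nat": None})
        elif current is None:
            continue
        elif m := re.match(r"ip address (\S+) \S+", line):
            current["ip"] = m.group(1)
        # The trailing $ keeps global "ip nat inside source ..." rules out.
        elif m := re.match(r"ip nat (inside|outside)$", line):
            current["nat"] = m.group(1)
    return interfaces

def audit_nat_roles(config):
    """Return (interface, configured role, expected role) for each mismatch.

    Assumption: private (RFC 1918) address -> inside, public -> outside.
    """
    findings = []
    for name, intf in parse_interfaces(config).items():
        if intf["ip"] is None or intf["nat"] is None:
            continue
        private = ipaddress.ip_address(intf["ip"]).is_private
        expected = "inside" if private else "outside"
        if intf["nat"] != expected:
            findings.append((name, intf["nat"], expected))
    return findings

if __name__ == "__main__":
    for label, cfg in (("Case 1", CASE_1), ("Case 2", CASE_2)):
        print(label, audit_nat_roles(cfg))
```
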

Comments (19)
  1. Henriko
    January 12th, 2020

    It seems we have a 3rd case here: the missing permit 10.2.0.0 statement.
    The answers in this case should be:
    R1
    ACL
    and Permit 10.2.0.0 0.0.255.255

  2. jiha87
    January 14th, 2020

    Please, is anyone sure? I have the exam tomorrow:
    in TICKET 4: NAT ACL
    which answer is right in Q2: is it NAT or IP NAT?

  3. OnlyPrincess
    January 31st, 2020

    The PacketTracer by Buddy has the R1 BGP interface and OSPF interface configured correctly, ip nat outside and ip nat inside respectively. In order for Client1 to ping WEB, I tried adding permit 10.2.0.0 0.0.255.255 under access-list Nat_traffic and it worked!

    But with the NetworkTut simulator, Se0/0/1 has ip nat inside, which needs to be modified to be “ip nat outside”.

  4. Steinmann
    February 3rd, 2020

    This came up for me on the exam. There was ip nat inside on the WAN interface, which is obviously wrong. I don’t think you would need to add permit 10.2.0.0 0.0.255.255 to the NAT ACL, as the FTP server in VLAN 20 doesn’t need to surf the web. Both the clients are in VLAN 10.

  5. Solid Snake
    February 5th, 2020

    According to the non-premium networktut for ip nat inside in serial 0/0/1 in R1:

    Answer) Under interface Serial0/0/1 delete the ip nat inside command and add the ip nat outside command.

    According to the premium networktut for ip nat inside in serial 0/0/1 in R1:

    Answer) Under the interface serial 0/0/1 configuration enter the “ip nat outside” command

    Which option would be correct?

  6. suhofruct
    February 6th, 2020

    The second Q is
    The Fault Condition is related to which -=_technology_=-?

    Technology is NAT, I think. A technology called IP NAT doesn’t exist.

  7. NAT or IP NAT ?
    February 6th, 2020

    NAT or IP NAT finally ?

  8. KingShrek
    February 7th, 2020

    I think that networktut should change the subject of ticket 4 because it is confusing readers.

    Why don’t you write something like (NAT Outside/Inside/NAT ACL - 3 cases)?

    From what I understand there are 2 possible cases of NAT inside/outside and another one, completely different, related to the NAT ACL.

    Case 1. WAN interface as NAT inside and should be NAT outside
    Case 2. LAN interface as NAT outside and should be NAT inside
    Case 3. NAT ACL is missing 10.2.2.0 network

  9. Auto
    February 11th, 2020

    21. Ticket 2 IP NAT

    TROUBLE TICKET STATEMENT:
    The implementation group has been using the test bed to do a ‘proof-of-concept’ that required both client 1 and client 2 to access the Web Server at 209.65.200.241. After several changes to interface status, network addressing, routing schemes and layer 2 connectivity, a trouble ticket has been opened indicating that client 1 cannot ping the 209.65.200.241 (internet Server).
    The following information needs yourself show run:
    Client 1 and Client 2 are not able to reach the WebServer at 209.65.200.241.
    Initial troubleshooting shows that DSW1, DSW2 and all the routers are able to reach the WebServer.
    Configuration on R1
    ip nat inside source list nat_pool interface s0/0/1 overload
    ip access-list standard nat_pool
    permit 10.1.0.0
    permit 10.2.0.0
    !
    interface Serial0/0/1
    ip address 209.65.200.225 255.255.255.252
    ip nat inside
    !
    interface Serial0/0/0.12
    ip address 10.1.1.1 255.255.255.252
    ip nat inside
    ip ospf message-digest-key 1 md5 TSHOOT
    ip ospf authentication message-digest

    On Which device is the fault condition located?

    R1
    R2
    R3
    R4
    DSW1
    DSW2
    ASW1
    Question was not answered

    Explanation:

    Clients 1 and 2 belong in the 10.2.0.0 subnet; if you observe the NAT configuration you will notice that only 10.1.0.0 is specified in the NAT pool. Clients 1 and 2 are not being translated when they should be. The problem is with the NAT configuration on R1.

    22. The Fault Condition is related to which technology?

    BGP
    NAT
    IP NAT
    IPv4 OSPF Routing
    IPv4 OSPF Redistribution
    IPv6 OSPF Routing
    IPv4 layer 3 security

  10. Lima
    February 12th, 2020

    The answer for the NAT ticket is IP NAT and not NAT

  11. Anonymous
    February 15th, 2020

    can confirm it’s IP NAT

  12. Nat or IP NAT
    February 16th, 2020

    As I had 2 exams in the last 10 days: there is no option for “Nat”,
    there is just the option “IP NAT”, so don’t worry!

  13. Anon
    February 16th, 2020

    Thanks for the input! :)

  14. liv
    February 17th, 2020

    I don’t know how you guys managed to pass this exam… sure, some tickets are pretty obvious.
    Using the “cheat” suggested earlier, “pings and show run”, to isolate the faulty device on the network can help a lot, but there are some on which it is almost impossible to see what the problem is. Another problem would be the limited timeframe to complete the exam… at least another half hour would be necessary.

  15. Mat
    February 17th, 2020

    I haven’t taken the TSHOOT exam. The answer is obviously simple.
    NAT on Serial 0/0/1 should be “ip nat outside”.

    Has anyone taken the real exam? How was the bug mentioned in the Note?

  16. This explains
    February 18th, 2020

    I failed the exam because I remember there was a ticket that the client can ping the server. Wow!!

    Thank you guys!! You guys are awesome!!

  17. This explains
    February 20th, 2020

    @Mat this bug got me. I had a question in which I could ping the server from the client, but obviously there was an issue with the question and I did not catch it.

  18. VTPv3
    February 21st, 2020

    @Steinmann regarding natting VLAN20: in the description of the topology it has been given: R1 is also providing NAT translations between the inside (10.1.0.0/16 & 10.2.0.0/16) networks and outside (209.65.0.0/24) network

  19. Mat
    February 23rd, 2020

    @This explains
    I passed yesterday, and the bug hit me too.
    But I found the NAT misconfiguration. If I didn’t check this site I would’ve failed this question.