Home > Ticket 4 – NAT ACL

Ticket 4 – NAT ACL

May 3rd, 2018 in TSHOOT v2 Go to comments

Note: Although in our ticket we cannot ping the Web server from DSW1 (as the NAT configuration is wrong) but in the exam we can. This is a bug in the exam so be careful with it.

Configuration of R1

interface Serial0/0/1
ip address
ip nat inside
interface Serial0/0/0
ip address
ip nat inside
ip ospf message-digest-key 1 md5 TSHOOT
ip ospf authentication message-digest

Ans1) R1
Ans2) NAT
Ans3) Under interface Serial0/0/1 delete the ip nat inside command and add the ip nat outside command.

Comments (30) Comments
Comment pages
1 6 7 8 28
  1. blá
    January 17th, 2019

    Problem is the NAT ACL:

    ip access-list standard Nat_Traffic


  2. Anonymous
    January 20th, 2019

    To solve this…i used following steps.
    1.Ping from R1 to Public IP
    2. Ping from R1 to Client 1

    If both works , check the ACL.

    Added the in the Nat ACL.

  3. Anonymous
    January 21st, 2019

    IP NAT

  4. potato
    January 22nd, 2019


    Sat the exam last week one of the tickets had R1s bgp interface (outside) and ospf interface (inside) configured with ip nat outside.

  5. Dany1
    February 18th, 2019

    One way to choose between BGP issue and NAT issue, observed by me at GNS3
    1. BGP Issue, that no route about in R1 RIB.
    If you ping from Switch or Router, message should be
    “Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:

    That is sure, because from my VPCS which i simulate PC in GNS3, message is even simpler and intuitive “(ICMP type:3, code:1, Destination host unreachable)”
    2. NAT issue (or other staff, but clearly not route missing in RIB) the message is like that
    “Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
    Success rate is 0 percent (0/5”
    According to docs, that means:
    Each period indicates the network server timed out while waiting for a reply.
    I hope it’s help.

  6. pak
    February 23rd, 2019

    Not able to get into configuration mode (config t) on practice tickets ….Please someone advise

  7. Dany 1
    February 24th, 2019

    For Pak: if you want to enter in config mode in simulator, you cannot. The same as in exam.
    THat is the idea to check your knowledge and only way is to choose Equipment. At which level is issue and what is(are) commands to solve that problem.
    If you want to have a configurable simulator,create yourself in GNS3, for example.
    You can run show running-config on each router, switch from tickets simulators. Is also very advisable to learn those three configuration.

  8. Anonymous
    March 17th, 2019


    in your ticket sim

    ping – not reacheable
    trace – shows hops and finally gets to the IP

    how come?

  9. Anonymous
    March 17th, 2019


    in your ticket sim

    from DSW1

    ping – not reacheable
    trace – shows hops and finally gets to the IP

    how come?

  10. Still confused
    March 20th, 2019

    Obviously it seems like an ACL issue since the 10.2.x.x subnet is not explicitly permitted in the NAT ACL. But if R1s local interface is configured as NAT outside or R1s internet facing port is configured as NAT inside, the NAT translations won’t be performed correctly and still will have no connectivity. Still unsure of the correct answer here.

    March 31st, 2019

    Agreed about the missing ACL rule being the issue here.
    S0/0/1 is ip NAT outside while the subinterface S0/0/0.12 is identified as nat inside. Translations occur after permitting in the NAT ACL.

  12. mabangis
    May 29th, 2019

    i just passed the exam in SG, got a 1000/1000.
    Not sure if there was a new EIGRP ticket. But based from my observation, Client unable to ping server but DSW1 was able to ping If you do a source ping on DSW1 from the ip address of the client, it will fail. Its the IP NAT inside on the WAN interface of R1. Deleted IP NAT inside and chose IP NAT outside. All MCQ questions from April are still valid. Just follow SAMs technique and you will pass the exam. Purchase the premium account here in networktut as it is worth it. Ill see you Cisco after 3 years. Thank you so much for all the post here.

  13. taco salad
    May 30th, 2019

    So is the adding of the network in the NAT ACL not in the exam? It’s just correcting ip nat outside on the ISP facing serial interface? or are both options possible to see?

  14. Clara
    June 13th, 2019

    I got it. It is the NAT_traffic ACL not the access list 30.

  15. Anonymous
    July 17th, 2019

    I have seen a few comments in regards to narrowing down how to find out if its NAT or something else.

    Ping from client 1. does it reach the webserver? if not, ping from another device (such as DSW1).
    Ping from DSW1. does it reach the webserver? if yes, its probably not BGP and something else, such as an access list (if other IP’s are pinging, and client is not, chances are something is blocking the ping).

    Verify the nat configs, and bam, you see the access-list. The 10.2.x.x network is not in the statement.

  16. perdido
    July 22nd, 2019

    If this is the case, i am wondering how ping from ASW1 is successful towards…

  17. ADAM
    August 3rd, 2019

    Passed exam with 8xxx Mark’s, guys exams is changed.

  18. Lexxa
    August 4th, 2019

    – R1
    – IP NAT
    – Under the ip Access-list standart nat_trafic configuration enter the “Permit” command.

    Is this now the right answer?????

  19. Dom
    August 5th, 2019

    @ADAM, how about the Troubleshooting tickets and the simlet are they still the same?. Thank you.

  20. pj
    August 18th, 2019


    No. It seems the ticket here relates to their being 2 inside NAT interfaces. the ticket in PT (and indeed, this page) has an ACL entry missing in R1

  21. Akl
    August 28th, 2019

    I dont know if is an error but I did today my Exam
    and I can ping from all devices but not from ASW1, i cant see any error on ASW1, i really was scared cause I couldnt find my error, and the only thing was ip nat inside on interface Serial0/0/1, so I chose that option and I pass.

  22. @lexxa
    August 30th, 2019

    in PT, it is that – but in the sim on here, it is R1, IP NAT, ip nat outside on the serial0/0/1 interface.

    for me, a good thing to remember is to check for five things that need to be correct on r1:
    serial 0/0/1 has ip nat inside
    ospf authentication is there
    bgp has the right neighbor for ebgp
    ip nat inside source
    and permit is there.


  23. Andy1212
    September 6th, 2019

    About the NAT tt on actual test is it :
    – R1
    – IP NAT
    – Under the ip Access-list standart nat_trafic configuration enter the “Permit” command


    R1, IP NAT, ip nat outside on the serial0/0/1 interface………. like it is on the premium practice test?

    i take my test next week.

  24. Anonymous
    September 10th, 2019

    Is the answer to this question the access list suggestion above or applying ip nat outside. Can anyone confirm?

    September 23rd, 2019

    Hi Guys. If you want to download freedump 300-135 go in my link. Last updated 08/08/2019

    htt ps : //w ww. youtu be. com/watch?v= yzG7EKVVz_0

  26. Anonymous
    October 23rd, 2019

    R1, IP NAT, ip nat outside on the s0/0/1 interface, because the network is already added.

  27. Anon Pass
    October 31st, 2019

    Today I got the version where both serial interfaces on R1 were ‘ip nat inside’ and the solution was to change the ISP/WAN interface to ‘ip nat outside’

  28. Ibe
    November 6th, 2019

    I passed the exam today 942/1000. I finished my exam within an hour.
    Premium is valid. My advice, try to understand the tickets and MCQ before going.

  29. Tehoty
    November 16th, 2019

    im confused. in some sources it says the answer to number 2 question is ‘NAT’, in others it is ‘IP NAT’. which is which?

  30. Dmytro
    November 20th, 2019

    Does anyone know what is a question in this ticket?

Comment pages
1 6 7 8 28