Ticket 4 – NAT ACL

May 3rd, 2018 in TSHOOT v2

Note: In our ticket we cannot ping the Web server from DSW1 (because the NAT configuration is wrong), but in the exam we can. This is a bug in the exam, so be careful with it.

Configuration of R1

!
interface Serial0/0/1
ip address 209.65.200.225 255.255.255.252
ip nat inside
!
interface Serial0/0/0
ip address 10.1.1.1 255.255.255.252
ip nat inside
ip ospf message-digest-key 1 md5 TSHOOT
ip ospf authentication message-digest

Ans1) R1
Ans2) NAT
Ans3) Under interface Serial0/0/1 delete the ip nat inside command and add the ip nat outside command.
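
A quick way to catch this class of mistake in a saved configuration, as an added example (not part of the original ticket or of any Cisco tool). The function names are made up for illustration, and the "public address on an inside interface" rule is a heuristic assumption:

```python
import ipaddress

# R1 configuration exactly as shown on this page (the faulty ticket state).
R1_CONFIG = """\
!
interface Serial0/0/1
ip address 209.65.200.225 255.255.255.252
ip nat inside
!
interface Serial0/0/0
ip address 10.1.1.1 255.255.255.252
ip nat inside
ip ospf message-digest-key 1 md5 TSHOOT
ip ospf authentication message-digest
"""

def parse_interfaces(config):
    """Map each interface name to its address and its 'ip nat' role (or None)."""
    interfaces, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if not words or words[0] == "!":
            current = None                      # "!" or a blank line ends the stanza
        elif words[0] == "interface" and len(words) == 2:
            current = interfaces.setdefault(words[1], {"ip": None, "nat": None})
        elif current is not None and words[:2] == ["ip", "address"] and len(words) == 4:
            current["ip"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif current is not None and words[:2] == ["ip", "nat"] and len(words) == 3:
            current["nat"] = words[2]           # "inside" or "outside"
    return interfaces

def audit_nat_roles(config):
    """Return findings for the NAT role mistakes this ticket is built around."""
    interfaces = parse_interfaces(config)
    roles = {i["nat"] for i in interfaces.values() if i["nat"]}
    findings = [f"no interface is marked 'ip nat {r}'"
                for r in ("inside", "outside") if roles and r not in roles]
    for name, info in interfaces.items():
        ip = info["ip"]
        # Heuristic (assumption): a public address on an inside interface
        # usually means the ISP-facing link was given the wrong role.
        if ip is not None and info["nat"] == "inside" and not ip.ip.is_private:
            findings.append(f"{name}: public address {ip.ip} is on a NAT inside interface")
    return findings

if __name__ == "__main__":
    for finding in audit_nat_roles(R1_CONFIG):
        print(finding)
```

Run against the configuration above, it reports both the missing outside interface and Serial0/0/1; after the change in Ans3 it reports nothing.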

Comments (50)
  1. Anonymous
    September 4th, 2010

    R4, R3, R2 can ping 209.65.200.226

  2. Anonymous
    September 8th, 2010

    config from TT

    ip nat inside source list nat_pool interface Serial1/1 overload

    ip access-list standard nat_pool
    permit 10.1.0.0
    permit 10.2.0.0 (fail)

  3. mema
    September 8th, 2010

    @anonymous,
    what do you mean by “permit 10.2.0.0 (fail)”? Does this statement appear in the ACL from TT?

  4. kk
    September 8th, 2010

    permit 10.2.0.0 does not appear in this statement in the ACL

  5. nick
    October 11th, 2010

    ya… it isn’t there.. and when we put the list there it works fine…
    so y do u get it failed??

  6. DavidM
    October 12th, 2010

    you guys need to learn how to type english, WTF, how can i cheat without you guys knowing english

  7. CamHarkey
    October 12th, 2010

    wow i still don’t get this, WTF, i think i am just retarded, someone explain to be 10.2.0.0 fail i am a failure :(

  8. terc
    October 13th, 2010

    I think they’re pointing out that in the TT, they failed to put the permit 10.2.0.0 that’s why we need to choose the answer that will enter the said command.

  9. Manju
    October 14th, 2010

    is that permit 10.2.0.0 0.0.255.255 or permit 10.2.1.0 0.0.0.255 can any one reply ?

  10. kk
    October 14th, 2010

    permit 10.2.0.0 0.0.255.255 does not appear in the ip access-list standard nat_pool

  11. Davidlin
    October 19th, 2010

    i try to add permit 10.2.0.0 0.0.255.255 to the access-list 30 but it still fail to ping web server before i delete deny 10.2.1.0 0.0.0.255 why?

  12. SeanC
    October 20th, 2010

    This ticket is dumb and is below me.

  13. JACK
    October 20th, 2010

    Ahhhhh ah

  14. Tictac
    October 24th, 2010

    I think the access-list looks like this

    access-list 1 permit 10.1.0.0 0.0.255.255
    (implicit deny)

    thereby only the routers are allowed through the NAT translation, but adding the
    access-list 1 permit 10.2.0.0 0.0.255.255
    will permit the clients and the ftp server.

    Although I would make the list like this to permit everything
    access-list 1 permit 10.1.0.0 0.0.255.255
    access-list 1 permit 10.2.0.0 0.0.255.255
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 1 deny any

    I don’t know why networktut first says “Answer:add to acl 1 permit ip 10.2.1.0 0.0.0.255”
    Then in Ans3 it says
    “Ans3) under NAT access list, enter the command permit 10.2.0.0 0.0.255.255”

  15. mml
    October 25th, 2010

    regarding
    @tictac question why ur answers are different networktut can u explain thank u

  16. mml
    November 4th, 2010

    to those who passed the exam congrats and i am really confused cuz on cisco site they said there are 35-40 questions in the exam and all who passed they took about 12 tt, 3-4 mcq, and 1-2 DnD so here is where i get confused this all together not more than 20 q ,,is there another lab or just this one big topology for TT
    so plz some one post about this and which dump is valid and the link for it
    thank u so much guys this site is very helpful

  17. Buddy
    November 4th, 2010

    Don’t get confused man. So far the exam comprises of 12 tt and 4mcq and 1-2 dnd.
    just overlook what was mentioned before

  18. cisco guru
    November 5th, 2010

    @mml confised because you are dumb as shite

    take it with all this god willing shit , half you lot are cheating Muslims.. read the Koran brother and you will see that the profit said ” at the point of stealing, cheating the Muslim is no longer a believer”

    you have just become a infidel for the sake of a cert. well done

  19. sisko
    November 5th, 2010

    @ cisco guru: i urge u to keep focus on what this forum is meant for so everyone gets benefited. plz avoid religious and political comments. Thnx

  20. Naveed
    November 8th, 2010

    @CCIE interested people
    This is an open invitation for the serious people about CCIE. You are advised to send an email to the below mentioned address for enrolling your willingness. We’ll be utilizing the concept of 1+1 = 11 by putting our minds together to study/practice the right thing. Here it doesn’t require a mention for a CCIE candidate but let me clear one thing, ‘THERE IS NO SHORTCUT TO CCIE’, so any body looking for shortcuts, please accept my advance excuse. However, we’ll try to do our best to find out the fastest way and most effective material of practice/study.
    Kindly, enroll your willingness at following email address. Also if you have any question, send to the same address.
    ask_ccie@yahoo.com

    @networktut
    I wish you could have a managed discussion forum for CCIE as you have for CCNP

  21. Peter
    November 12th, 2010

    Pass today 642-832 now NP next friday
    CCDP hopefully

  22. naggi
    December 4th, 2010

    hi guys how do i know this lay2 or la3 topology is related to this problems plz i need u help guys

  23. naggi
    December 5th, 2010

    hi guys somebody help i am trying to do the demo but there is only 4 tt qu and all related to l3 topology plz help is there more or just this is it
    and how i know this q related to which topology my cordial thanks to u guys

  24. CCNP Aspirant
    December 6th, 2010

    Hey Guys. I must say that this blog is truly awesome. I had no idea how to take TSHOOT exam but now things are crystal clear to me. I am planning to take my exam next week, so will appreciate if anyone can provide me for GNS3 topology of the real scenario and its config.

    Congratulations to all of you who cracked this exam :)

  25. David
    December 18th, 2010

    @networktut

    In the config, i think the IP of serial0/0/0/1 is 209.65.200.225, instead of 209.65.200.224:

    interface serial0/0/0/1
    ip address 209.65.200.224 255.255.255.252
    ip nat outside

  26. matrix
    December 18th, 2010

    @ David,

    Yea u r right. Its just typo mistake.

  27. Gandmaroo of cisco_guru
    December 18th, 2010

    @ cisco guru

    chootya, lund dharya, madarchod, randi ke bacche, bhadwe ki aulaad kahin ja ke aur apni maa chuda… yahan aake apni ma ko randi mat banayiu… madarchod.

  28. Kaibigan
    December 19th, 2010

    @networktut

    ur correct BUT:

    i think better to use access-list 1 permit 10.2.0.0 0.0.255.255 than
    access-list 1 permit 10.2.1.0 0.0.0.255

    to fully justify the exact answer…

  29. kumar
    December 26th, 2010

    Hi,
    In exam the permit 10.2.0.0 is already configured correctly.

    ip access-list standard nat_pool
    permit 10.1.0.0
    permit 10.2.0.0 ———>It is preconfigured so, whats the problem
    !
    interface serial0/0/0/1
    ip address 209.65.200.224 255.255.255.252
    ip nat outside
    !
    interface Serial0/0/0/0.12
    ip address 10.1.1.1 255.255.255.252
    ip nat inside
    ip ospf message-digest-key 1 md5 TSHOOT
    ip ospf authentication message-digest

  30. David
    December 27th, 2010

    @kumar,

    Maybe its a typo, IP address of s0/0/0/1 should be ‘209.65.200.225’ instead of ‘209.65.200.224’

  31. raj
    December 27th, 2010

    @kumar
    I have read your statement in all tickets, how can you be so confused?? ok have you passed the test or you have some problem?

  32. akhalaf
    December 28th, 2010

    Hi guys
    good evening….
    Please if someone has the GNS3 TOPOLOGY, upload it to let all of us practice very well before booking to exam

  33. load
    January 29th, 2011

    @kumar
    “Hi,
    In exam the permit 10.2.0.0 is already configured correctly.
    ip access-list standard nat_pool
    permit 10.1.0.0
    permit 10.2.0.0 ———>It is preconfigured so, whats the problem
    !
    interface serial0/0/0/1
    ip address 209.65.200.224 255.255.255.252
    ip nat outside”

    In the real exam the ip address of serial 0/0/1 is 209.65.200.224? This is the network address…

    209.65.200.224 – Network address
    209.65.200.225 – Available address
    209.65.200.226 – Available address
    209.65.200.227 – Broadcast address

  34. Thanks in Advance
    February 1st, 2011

    Please someone answer :
    R1(conf)# int ser0/0/0/0.12
    (conf-if)# ip nat inside

    R1(conf)# ip access-list stand name1
    permit 192.168.1.0

    R1(conf)# ip nat inside source list name1 ser 1/0 overload

    Now if any packet with source other than 192.168.1.0 is received by interface s0/0/0/0.12 , will it be routed without natting or it will be discarded since ACL name1 denies it?

  35. Egypt in my HEART
    February 3rd, 2011

    @all

    ip nat inside source list nat_pool interface s0/0/0/1 overload

    ip access-list standard nat_pool
    permit 10.1.0.0
    permit 10.2.0.0 ( should be here to permit this subnet to be NATted when any traffic come with this subnet as a source IP to be able to exchange traffic with the Web Server through the ISP without this permit command it will not be able to get a real IP through NAT to be routed for outside and get a reply back from it)
    !
    interface serial0/0/0/1
    ip address 209.65.200.224 255.255.255.252 “this is a network ID please do not get confused “==> ip address should be 209.65.200.225 255.255.255.252
    ip nat outside
    !
    interface Serial0/0/0/0.12
    ip address 10.1.1.1 255.255.255.252
    ip nat inside

    @ Thanks in advance

    this will be according to the routing table contents if it has an entry with the “other network” or has a default route it will be routed if not it will be discarded as the access-list has “deny any any” by default in the end of its lines

    @ Kumar

    did you take the test? please let us know if it is for real in the exam permit 10.2.0.0 already exist as i will write my paper next saturday and i really do not need any surprises

    Thank you
    I hope this helps if it is right….

  36. Nirmala
    February 9th, 2011

    Hi everyone! I’m going to take the exam next week. Guys please let me know if there is anything changed or updated.

    Are these questions still valid?

    Please help me……!

    Thank you

  37. Nirmala
    February 19th, 2011

    I did the exam yesterday and got 1000……………..!

    Thanks for everybody here supporting me for this achievement.

    All the questions in the exam are the things appear here. Nothing has been changed.

    But i would like to give an important advice for the people who wish to take the exam soon.

    Please read the comments in following link by Geno and Lisa. Those instructions were really

    helpful to me…!

    https://www.networktut.com/tshoot-ticket-1

  38. AhMAAAAADD
    March 2nd, 2011

    Dear All;
    just passed Tshoot,& um CCNP.Got 1000 ;i ve got the following:
    4 MCQ
    NO Drag & Drop.
    12 TT (1 new TT,the old TT with wrong ip 209.56.200.241 has been removed)all other TT are VALID.
    Thanks Networktut for sharing knowledge.

  39. Star2010
    March 6th, 2011

    Ahmad,
    congrats, could you please share with the forum the new TT that you had on your exam?

    Thanks

  40. strikeforce betting
    March 23rd, 2011

    Awsome article !! What blog platform do you use on your www ?

  41. DEE
    April 11th, 2011

    AhMAAAAADD,

    I’m taking the test this weekend. Did the test go in order just like the trouble tickets in this forum?

  42. Confused
    April 11th, 2011

    so is the correct answer on this question:

    add the command permit 10.2.0.0 to the nat_pool access list??

    and NOT:

    add to acl 1 permit ip 10.2.1.0 0.0.0.255

    correct?

  43. Anonymous
    April 14th, 2011

    Has anyone seen the TSHOOT 642-832 Dump for Testinside? It has no Trouble Ticket questions. Something is really wrong there…

  44. Anonymous
    April 16th, 2011

    The 642-832 TSHOOT Topology made available by cisco on the PDF is not the same as their online Topology demo. Could someone please confirm the actual topology used in the real exam?

  45. Anonymous
    April 22nd, 2011

    Can anybody give me an example of exactly how the TT Questions are asked in the exam?

  46. cris
    April 26th, 2011

    guys i failed the exam last week i made a comment on the share ur experience also , guys i am little bit confused with this ticket cus the nat (permit statement) was missing in two TT i met in one i thought it was the access list cus it had a deny statement in the end blocking 10.2.0.0 n/W and in the mean time the nat acl also was missing !!!! guys pls guide me in this cus i am reseating for the exam end of the month

    and please explain to me about the comment also, it’s confusing

    @kumar
    “Hi,
    In exam the permit 10.2.0.0 is already configured correctly.
    ip access-list standard nat_pool
    permit 10.1.0.0
    permit 10.2.0.0 ———>It is preconfigured so, whats the problem
    !
    interface serial0/0/0/1
    ip address 209.65.200.224 255.255.255.252
    ip nat outside”
    In the real exam the ip address of serial 0/0/1 is 209.65.200.224? This is the network address…
    209.65.200.224 – Network address
    209.65.200.225 – Available address
    209.65.200.226 – Available address
    209.65.200.227 – Broadcast address

  47. Romok
    April 27th, 2011

    @cris,
    Then why didn’t u correct the ip address from network address (209.65.200.224) to .225 ?

  48. Pocbucibucibu
    April 27th, 2011

    If you add only “permit 10.2.1.0” the assumed wildcard will be 0.0.0.0 …this will cause nat translation only for ip sources of 10.2.1.0/32.—this is a ccna issue.
    I’m wondering how many of you have read at least one time a certification guide or a book for this exam because I’ve seen people asking crazy questions or waiting for a confirmation instead of just doing a little research.
    Respect for those who make efforts to prepare not just memorize topics…and for the rest: try to learn the basics, the certificate is not really important in real life! The knowledge is what really matters!!
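
The assumed-wildcard point in comment 48 and the question in comment 34 about sources the NAT ACL does not permit, worked through as an added example (not code from the page or its commenters). It models standard-ACL matching and assumes the usual IOS behaviour that the ACL in `ip nat inside source list` only selects traffic for translation; the host 10.2.1.3 and all function names are constructed for illustration:

```python
import ipaddress

def parse_standard_acl(lines):
    """Parse 'permit|deny <address> [wildcard]' lines of a standard ACL.

    An omitted wildcard is taken as 0.0.0.0, i.e. the entry matches one host.
    """
    entries = []
    for line in lines:
        words = line.split()
        action, address = words[0], words[1]
        if address == "any":
            base, wildcard = 0, 0xFFFFFFFF
        else:
            base = int(ipaddress.IPv4Address(address))
            wildcard = int(ipaddress.IPv4Address(words[2])) if len(words) > 2 else 0
        entries.append((action, base, wildcard))
    return entries

def acl_action(entries, source):
    """First matching entry wins; wildcard 1-bits are ignored; implicit deny at the end."""
    src = int(ipaddress.IPv4Address(source))
    for action, base, wildcard in entries:
        care = ~wildcard & 0xFFFFFFFF
        if src & care == base & care:
            return action
    return "deny"

def nat_decision(entries, source):
    """With 'ip nat inside source list', the ACL only selects what gets translated."""
    if acl_action(entries, source) == "permit":
        return "translate"
    return "forward untranslated"

# ACL as typed in the comments (no wildcard) and with the wildcard written out.
ACL_NO_WILDCARD = parse_standard_acl(["permit 10.1.0.0", "permit 10.2.0.0"])
ACL_WILDCARD = parse_standard_acl(["permit 10.1.0.0 0.0.255.255",
                                   "permit 10.2.0.0 0.0.255.255"])
CLIENT = "10.2.1.3"   # constructed host address inside 10.2.1.0/24

if __name__ == "__main__":
    for name, acl in (("no wildcard", ACL_NO_WILDCARD), ("with wildcard", ACL_WILDCARD)):
        print(f"{name:13} {CLIENT} -> {nat_decision(acl, CLIENT)}")
```

A packet that is forwarded untranslated still carries its private 10.x source address, so replies from beyond the ISP have no way back even though nothing was dropped by the ACL itself.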

  49. cris
    April 29th, 2011

    Romak!!! sorry for the late response the ip address were correct in the ticket, but i am trying to figure out where i went wrong in this 2 tickets !!!! in R1 if its blocked by an access group for the Network 10.1.0.0 then it cant ping the wan interface, in my case in both the tickets i met i could ping the wan and n/w 10.2.0.0 was not permitted in the nat acl !! so where can i go wrong !!!

  50. Anonymous
    April 30th, 2011

    Do the CCNP 642-832 TSHOOT exam ROUTERS and SWITCHES reset themselves, or do we have to log out of all DEVICES after every Trouble Ticket?
