
Ticket 4 – NAT ACL

May 3rd, 2018 in TSHOOT v2

Note: In our ticket we cannot ping the Web server from DSW1 (as the NAT configuration is wrong), but in the exam we can. This is a bug in the exam, so be careful with it.

In this ticket we may see one of the two cases below:

Case 1:

Configuration of R1

interface Serial0/0/1
 ip address
 ip nat outside
interface Serial0/0/0
 ip address
 ip nat outside
 ip ospf message-digest-key 1 md5 TSHOOT
 ip ospf authentication message-digest

Ans1) R1
Ans2) NAT
Ans3) Under interface Serial0/0/0 delete the ip nat outside command and add the ip nat inside command.

Case 2:

Configuration of R1

interface Serial0/0/1
 ip address
 ip nat inside
interface Serial0/0/0
 ip address
 ip nat inside
 ip ospf message-digest-key 1 md5 TSHOOT
 ip ospf authentication message-digest

Ans1) R1
Ans2) NAT
Ans3) Under interface Serial0/0/1 delete the ip nat inside command and add the ip nat outside command.
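
Both cases are the same class of fault: NAT only translates traffic that crosses from an inside interface to an outside one, so two interfaces with the same role leave nothing to translate. The following Python check is an added example, not part of the original ticket: it parses an IOS interface stanza, flags the missing role and prints the corrective commands. The intended roles are taken from the two answers above; the function names are hypothetical and the sample configs are constructed copies of the two cases.

```python
import re

# Intended NAT roles on R1, taken from the two answers on this page.
INTENDED = {"Serial0/0/0": "inside", "Serial0/0/1": "outside"}

# Constructed copies of the two faulty configs (IP addresses omitted, as on the page).
CASE_1 = """\
interface Serial0/0/1
 ip address
 ip nat outside
interface Serial0/0/0
 ip address
 ip nat outside
 ip ospf message-digest-key 1 md5 TSHOOT
 ip ospf authentication message-digest
"""
CASE_2 = CASE_1.replace("ip nat outside", "ip nat inside")

def nat_roles(config):
    """Map each interface to its 'ip nat inside|outside' role (None if unset)."""
    roles, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            roles[current] = None
            continue
        m = re.match(r"\s*ip nat (inside|outside)\s*$", line)
        if m and current:
            roles[current] = m.group(1)
    return roles

def audit(config, intended=INTENDED):
    """Return (findings, fix_commands) for a NAT inside/outside mismatch."""
    roles = nat_roles(config)
    findings, fixes = [], []
    for side in ("inside", "outside"):
        if side not in roles.values():
            findings.append(f"no interface is marked 'ip nat {side}'")
    for ifname, want in intended.items():
        have = roles.get(ifname)
        if have != want:
            findings.append(f"{ifname}: is {have}, should be {want}")
            fixes.append(f"interface {ifname}")
            if have:
                fixes.append(f" no ip nat {have}")
            fixes.append(f" ip nat {want}")
    return findings, fixes
```
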

Comments (30)
  1. Jim
    October 19th, 2014

    Selecting Ticket answers is enough @ exam – especially if you select the CORRECT answers! :D

  2. Kock
    November 2nd, 2014

    Do I have to allow the FTP server to reach the internet too?

    permit to support both FTP server and PC Clients
    permit to support only PC client

  3. Johnny
    November 3rd, 2014

    As within most TSHOOT Tickets, it’s a matter of gaining just PC Client # 1 and 2 access to the @ (the external Web Server).
    Therefore, in principle this Ticket calls for just:
    permit to support just PC client access to the @
    However, the correct “Cisco answer” for this Ticket @ test is considered to be:
    permit which supports BOTH the FTP server AND the PC Clients at the same time.

  4. Kock
    November 8th, 2014

    Thank you for your guide.

  5. jhonny015
    November 12th, 2014

    Thank God I passed the exam today with 931.
    All tickets are valid !!!
    Prepare to fully understand the scenario of the exam.
    14 tickets as well prepared for the perfect scenario.
    Show the ball examination

  6. Whiz
    December 1st, 2014

    I labbed this question as explained by networktut using the subnet, but still couldn’t ping.
    Then I tried this option using the 0.255.0255:
    on R1#
    (conf t)# ip access-list standard Nat_Traffic
    R1(config-std-nacl)# permit

    It worked and I can ping from client1 to the webserver.

    Correct answer is on
    (conf t)# ip access-list standard Nat_Traffic
    R1(config-std-nacl)# permit

  7. Jack
    December 1st, 2014

    Yop Whiz Whiz:

    But the mentioned solution @ top of this page ALSO Works:

    add to acl 1 permit ip !!!

    You need to open your eyes, in order to notice, that the THIRD OCTET (0) within your mentioned (NOT pingable) statement above:


    doesn’t match the THIRD OCTET (1) within our Client 1 IP address: ( and because of that, our poor client can’t ping anything outside the local TSHOOT infrastructure!

    However, if you use:

    permit ip within the ACL – It works just so cool – right bro!?
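
    The wildcard-mask behaviour discussed in the comments above, as an added example that is not part of the thread: in a standard ACL a 0 bit in the wildcard must match exactly and a 1 bit is ignored, so an entry that pins the third octet will not match a client whose third octet differs, and that client is never translated. The addresses are constructed placeholders, not the ticket's, and the function names are hypothetical.

```python
import ipaddress

# Constructed standard ACL; the addresses are placeholders, not the ticket's.
NAT_ACL = """\
permit 172.16.0.0 0.0.0.255
permit host 172.16.9.9
"""


def _int(addr):
    return int(ipaddress.IPv4Address(addr))


def parse_standard_acl(text):
    """Return (action, base, wildcard) for 'permit|deny A W', 'host A' and 'any'."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        if tok[1] == "any":
            base, wild = "0.0.0.0", "255.255.255.255"
        elif tok[1] == "host":
            base, wild = tok[2], "0.0.0.0"
        else:
            # A bare address with no wildcard is treated as a host match.
            base, wild = tok[1], tok[2] if len(tok) > 2 else "0.0.0.0"
        entries.append((tok[0], base, wild))
    return entries


def mismatched_octets(src, base, wildcard):
    """1-based octets where a bit the wildcard marks 'must match' differs."""
    diff = (_int(src) ^ _int(base)) & ~_int(wildcard) & 0xFFFFFFFF
    return [i + 1 for i in range(4) if (diff >> (24 - 8 * i)) & 0xFF]


def evaluate(acl_text, src):
    """First matching entry wins; a standard ACL ends in an implicit deny."""
    for action, base, wild in parse_standard_acl(acl_text):
        if not mismatched_octets(src, base, wild):
            return action
    return "deny"
```
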

  8. Rebecca
    December 3rd, 2014

    Hi guys,

    Just cleared 960, thank you everyone.


  9. Whiz Whiz
    December 7th, 2014

    Hi Rebecca, you should check with examcollection dot com. That’s a very helpful website with valid dumps.
    I took MCSA and MCSE cert exams last year 2013 and passed. Dumps from examcollection are very helpful. But you also need to read and not depend solely on dumps. MCSE just like MCSA do not have Labs, just multiple choice questions including a few drag and drops.

    Hope that helps.

  10. Whiz Whiz
    December 7th, 2014

    Hi Jack, the explanation was very helpful….Thanks!
    I’m taking the TSHOOT exam in less than 17 hours. :-)

  11. Jack
    December 8th, 2014

    Good Luck on exam Whiz Whiz!
    Go and knock out the bad Guy :-)

  12. Rajesh
    December 9th, 2014


    Can anyone help me with how to identify whether a question is L2 or L3?

  13. Mike
    December 9th, 2014

    Identify if it’s a L2 Type question @ exam = Learn to master the CCNP Switching stuff and in addition some CCNA based Network fundamentals stuff.

    Identify if it’s a L3 Type question @ exam = Learn to master the CCNP Routing stuff.

    There are most likely no easy shortcuts to learning these prerequisite networking topics when preparing for the TSHOOT exam.

  14. Freddie Reina
    December 14th, 2014

    Thanks for sharing!


  15. Uzzi
    December 29th, 2014

    The TSHOOT exam needs common sense and a guy who can handle his nerves lol, so only for dumpers: THERE IS NO DUMP. Know your stuff and you are good to go :)


  16. kanad
    January 18th, 2015

    guys need a bit of help….
    they say there will be 45 questions
    and 13 trouble tickets
    each trouble ticket contains 3 questions
    so does that mean 13 trouble tickets = 39 questions?

  17. arxon
    January 20th, 2015


    1. When they say 45 questions they mean around 45 in total (not exact number)
    2. Yes, you are correct, 13*3 = 39, plus a few MCQ questions, maybe with a few DDs.

    Just follow the khattak strategy to solve the tickets and you will be ok

    P.S giving my exam in 2 days

  18. Ravi..
    January 21st, 2015

    Jai Shree Ram!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Finally cleared TSHOOT with 1000/1000 and completed CCNP…………………
    2xMCQ, 1xDD and 13 TTs except DHCP helper and wrong eigrp AS.
    I was so nervous before the exam, but while attempting it I felt a lot better.
    Thanks to all the guys who advised. Lots of thanks to the Networktut team, you guys rock.
    Just read and memorize the Khatak strategy and go ahead. Even with the Khatak strategy you can complete the exam within 30 minutes by running the “ipconfig and ping” commands at the clients.

    It’s so easy…..best of luck for all who are going for exam.

  19. Anonymous
    January 26th, 2015

    Do I need to configure every ticket in the real exam!? Or just check the problem? Please help me, I’m taking the exam on Thursday.. thanks

  20. asd
    January 27th, 2015

    Can someone give me the names of each trouble ticket in packet tracer starting 1 – 15

  21. Olamide
    February 2nd, 2015

    Cleared my T-Shoot on the 8th Jan 2015, thanks to this website and the Khatak Strategy. I am not stopping yet, onto CCIE R&S. I need materials and advice from fellow networkers.

  22. Ziyan
    February 7th, 2015

    Hi Guys
    Can anyone clear this up for me? I completed CCNP Route & Switch in 2013, however TSHOOT is pending. Is the exam now 642-832 or 300-135?
    Also, I would be really thankful if someone can share the latest VCE player .exe file and the dumps that work. Please send it to ziyanakthar@aol.com. I would be really thankful to you all.

  23. sa
    February 26th, 2015

    anyone doing tshoot this month? anything new?

  24. Abdul Nasir
    April 6th, 2015

    Hi network tut
    can we use Tracert or traceroute on real exam ?

  25. Mohammad
    April 18th, 2015

    So, how come we can ping from ASW1 and ASW2? It seems they are not using, they are using vlan 200, and yet the ping is successful?

  26. Kev
    July 10th, 2015

    you can’t, you should do it from DSW1

  27. Goel
    July 16th, 2015


    Is there any major difference between the old TSHOOT and the new version of the exam…

    Will the scenario remain the same or will it differ in the new syllabus?


  28. Anonymous
    July 20th, 2015

    Dont bring RELIGION into THIS!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

  29. Tank
    July 31st, 2015

    So, how do you solve Ticket 4? (without looking up answer) This one really stumped me.

  30. bs
    August 2nd, 2015


    You could try Solving TT4 e.g. like this:

    First we’ll check connectivity on Client 1 towards the external web server:

    ping :-(
    ping :-(
    ping :-))

    OK, now let’s move to R1 to see what’s going on there:

    R1#show ip route bgp
    B [20/0] via, 00:01:34 – looks good :-))

    R1#sh ip route
    Routing entry for
    Known via “ospf 1”, distance 110, metric 213, type intra area
    Last update from on Serial0/0/0.12, 00:01:31 ago
    Routing Descriptor Blocks:
    *, from, 00:01:31 ago, via Serial0/0/0.12 – Also fine! :-))
    Route metric is 213, traffic share count is 1

    OK, Now let’s check if the NAT works ok on R1:

    R1#show ip nat translations

    Oops, it seems there’s NO to 209.65.200.xxx (overload) Translations here :-(

    Therefore let’s check if the NAT ACL on R1 is ok?

    R1#sh acc Nat_Traffic
    Standard IP access list Nat_Traffic
    permit (10 match(es))

    Hmm – Also here there’s NO user IP prefix: permit entry within our Nat_Traffic std ACL :-(

    (Let’s double check this within R1 running-config, to be quite sure about this) –

    So here we notice, that we need to:

    Add the command: “permit to the Nat_Traffic std access-list on R1

    to solve the TT4 NAT Problem.

    Hope this helps –
