Ticket 4 – NAT ACL
Note: In our ticket we cannot ping the Web server from DSW1 (as the NAT configuration is wrong), but in the exam we can. This is a bug in the exam, so be careful with it.
In this ticket we may see one of the two cases below:
Case 1:
Configuration of R1
!
interface Serial0/0/1
ip address 209.65.200.225 255.255.255.252
ip nat outside
!
interface Serial0/0/0
ip address 10.1.1.1 255.255.255.252
ip nat outside
ip ospf message-digest-key 1 md5 TSHOOT
ip ospf authentication message-digest
Ans1) R1
Ans2) NAT
Ans3) Under interface Serial0/0/0 delete the ip nat outside command and add the ip nat inside command.
Case 2:
Configuration of R1
!
interface Serial0/0/1
ip address 209.65.200.225 255.255.255.252
ip nat inside
!
interface Serial0/0/0
ip address 10.1.1.1 255.255.255.252
ip nat inside
ip ospf message-digest-key 1 md5 TSHOOT
ip ospf authentication message-digest
Ans1) R1
Ans2) NAT
Ans3) Under interface Serial0/0/1 delete the ip nat inside command and add the ip nat outside command.
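The two cases above, plus a check that the NAT ACL covers the lab's inside networks (10.1.0.0/16 and 10.2.0.0/16), can be verified mechanically against a saved show run. The following Python is an added example, not part of the original ticket; it goes beyond the two cases by also auditing the ACL. The ACL name nat_traffic, the sample config and the function names are constructed for illustration, and an interface is assumed to be inside only when its address falls in those two networks.

```python
import ipaddress
import re

# Inside networks of this lab topology; any other address counts as outside.
INSIDE_NETS = [ipaddress.ip_network(n) for n in ("10.1.0.0/16", "10.2.0.0/16")]

# Constructed sample: the Case 2 interfaces plus a NAT ACL that lacks 10.2.0.0.
SAMPLE = """\
ip nat inside source list nat_traffic interface Serial0/0/1 overload
ip access-list standard nat_traffic
 permit 10.1.0.0 0.0.255.255
interface Serial0/0/1
 ip address 209.65.200.225 255.255.255.252
 ip nat inside
!
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 ip nat inside
"""

def parse(config):
    """Return ({interface: [ip, nat_role]}, [networks permitted by the ACL])."""
    ifaces, permits, cur = {}, [], None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m.group(1), [None, None])
        elif cur is not None and (m := re.match(r"ip address (\S+) \S+", line)):
            cur[0] = ipaddress.ip_address(m.group(1))
        elif cur is not None and (m := re.fullmatch(r"ip nat (inside|outside)", line)):
            cur[1] = m.group(1)
        elif m := re.match(r"permit (\S+) (\S+)", line):
            # ipaddress accepts an IOS wildcard (host) mask after the slash
            permits.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return ifaces, permits

def audit(config):
    """List NAT direction errors and inside networks the ACL fails to permit."""
    ifaces, permits = parse(config)
    findings = []
    for name, (ip, role) in ifaces.items():
        if ip is None or role is None:
            continue  # interface has no address or takes no part in NAT
        expected = "inside" if any(ip in n for n in INSIDE_NETS) else "outside"
        if role != expected:
            findings.append(f"{name}: replace ip nat {role} with ip nat {expected}")
    for net in INSIDE_NETS:
        if not any(net.subnet_of(p) for p in permits):
            findings.append(f"NAT ACL does not permit {net}")
    return findings
```

Calling audit(SAMPLE) reports the wrong NAT direction on Serial0/0/1 and the missing 10.2.0.0/16 entry; a corrected configuration returns an empty list.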
It seems we have a 3rd case here: the missing permit 10.2.0.0 statement.
The answers in this case should be:
R1
ACL
and Permit 10.2.0.0 0.0.255.255
Please, is anyone sure? I have the exam tomorrow:
In TICKET 4: NAT ACL,
which answer is right in Q2: is it NAT or IP NAT?
The PacketTracer by Buddy has the R1 BGP interface and OSPF interface configured correctly, ip nat outside and ip nat inside respectively. In order for Client1 to ping WEB, I tried adding permit 10.2.0.0 0.0.255.255 under access-list Nat_traffic and it worked!
But with the NetworkTut simulator, Se0/0/1 has ip nat inside, which needs to be modified to be “ip nat outside”.
This came up for me on the exam. There was ip nat inside on the WAN interface, which is obviously wrong. I don’t think you would need to add permit 10.2.0.0 0.0.255.255 to the NAT ACL, as the FTP server in VLAN 20 doesn’t need to surf the web. Both the clients are in VLAN 10.
According to the non-premium networktut for ip nat inside in serial 0/0/1 in R1:
Answer) Under interface Serial0/0/1 delete the ip nat inside command and add the ip nat outside command.
According to the premium networktut for ip nat inside in serial 0/0/1 in R1:
Answer) Under the interface serial 0/0/1 configuration enter the “ip nat outside” command
Which option would be correct?
The second Q is:
The Fault Condition is related to which technology?
The technology is NAT, I think. There is no technology called IP NAT.
NAT or IP NAT, finally?
I think that networktut should change the subject of ticket 4 because it is confusing readers.
Why don’t you write something like (NAT Outside/Inside/NAT ACL-3 cases)?
From what I understand there are 2 possible cases of NAT inside/outside and another one completely different related to NAT ACL:
Case 1. WAN interface as NAT inside and should be NAT outside
Case 2. LAN interface as NAT outside and should be NAT inside
Case 3. NAT ACL is missing 10.2.2.0 network
21. Ticket 2 IP NAT
TROUBLE TICKET STATEMENT:
The implementation group has been using the test bed to do a ‘proof-of-concept’ that required both client 1 and client 2 to access the Web Server at 209.65.200.241. After several changes to interface status, network addressing, routing schemes and layer 2 connectivity, a trouble ticket has been opened indicating that client 1 cannot ping the 209.65.200.241 (internet Server).
The following information needs yourself show run:
Client 1 and Client 2 are not able to reach the WebServer at 209.65.200.241.
Initial troubleshooting shows that DSW1, DSW2 and all the routers are able to reach the WebServer.
Configuration on R1
ip nat inside source list nat_pool interface s0/0/1 overload
ip access-list standard nat_pool
permit 10.1.0.0
permit 10.2.0.0
!
interface Serial0/0/1
ip address 209.65.200.225 255.255.255.252
ip nat inside
!
interface Serial0/0/0.12
ip address 10.1.1.1 255.255.255.252
ip nat inside
ip ospf message-digest-key 1 md5 TSHOOT
ip ospf authentication message-digest
On Which device is the fault condition located?
R1
R2
R3
R4
DSW1
DSW2
ASW1
Question was not answered
Explanation:
Clients 1 and 2 belong in the 10.2.0.0 subnet, and if you observe the NAT configuration you will notice that only 10.1.0.0 is specified in the NAT pool. Clients 1 and 2 are not being translated when they should be. The problem is with the NAT configuration on R1.
22. The Fault Condition is related to which technology?
BGP
NAT
IP NAT
IPv4 OSPF Routing
IPv4 OSPF Redistribution
IPv6 OSPF Routing
IPv4 layer 3 security
The answer for the NAT ticket is IP NAT and not NAT
Can confirm it’s IP NAT,
as I had 2 exams in the last 10 days; there is no option for “NAT”,
there is just the option “IP NAT”, so don’t worry!
Thanks for the input! :)
I don’t know how you guys managed to pass this exam…sure some tickets are pretty obvious.
Using the “cheat” suggested earlier, “pings and show run”, to isolate the faulty device on the network can help a lot, but there are some on which it is almost impossible to see what the problem is. Another problem would be the limited timeframe to complete the exam…at least another half hour would be necessary.
I haven’t taken the TSHOOT exam. The answer is obviously simple.
NAT on Serial 0/0/1 should be “ip nat outside”.
Has anyone taken the real exam? How was the bug mentioned in the Note?
I failed the exam because I remember there was a ticket that the client can ping the server. Wow!!
Thank you guys!! You guys are awesome!!
@Mat this bug got me. I had a question in which I could ping the server from the client, but obviously there was an issue with the question and I did not catch it.
@Steinmann regarding natting VLAN20 in the description of the topology has been given: R1 is also providing NAT translations between the inside (10.1.0.0/16 & 10.2.0.0/16) networks and outside (209.65.0.0/24) network
@This explains
I passed yesterday, and the bug hit me too.
But I found the NAT misconfiguration. If I hadn’t checked this site, I would’ve failed this question.