You need to configure Network Address Translation (NAT) to allow users access to the Internet. There are 62
private hosts that need Internet access using the private network 10.4.3.64 /26, and all of them will be
translated into the public IP address of the serial interface.
Which of the following NAT configurations will allow all 62 hosts to have simultaneous Internet access?
A.
Router(config)# ip nat pool POOLNAME 10.4.3.64 /26
Router(config)# interface s0
Router(config-if)# ip nat inside source 1 pool POOLNAME overload
B.
Router(config)# access-list 1 permit 10.4.3.64 0.0.0.127
Router(config)# interface s0/0
Router(config-if)# ip nat source list 1 pool POOLNAME overload
C.
Router(config)# access-list 1 permit 10.4.3.64 /26
Router(config)# ip nat inside source list 1 interface serial 0
D.
Router(config)# access-list 1 permit 10.4.3.64 0.0.0.63
Router(config)# ip nat inside source list 1 interface serial 0 overload
Explanation:
You should execute the following commands:
Router(config)# access-list 1 permit 10.4.3.64 0.0.0.63
Router(config)# ip nat inside source list 1 interface serial 0 overload
A successful NAT configuration requires the creation of an access control list (ACL) to identify the private IP
addresses that will be translated, as well as an ip nat inside source command to dictate what public IP
addresses will be used for translation. Cisco uses the term “inside local” for IP addresses prior to translation,
and “inside global” for public IP addresses after translation.
The access-list 1 permit 10.4.3.64 0.0.0.63 command correctly identifies the private host network of
10.4.3.64 /26, consisting of 62 hosts.
The ip nat command is broken down as follows:
inside: indicates that packets received on the inside (private) interface will be translated
list 1: specifies that access list 1 will be used to determine which private IP addresses will be translated
interface serial 0: specifies that NAT will translate private IP addresses into the IP address of the serial 0 interface
overload: allows NAT to reuse the IP address of the serial interface for all private IP addresses, providing them simultaneous access to the Internet
The correct wildcard mask is critical to ensuring that the access list allows translation of all LAN devices. For
example, if the private LAN used the 192.168.9.0/24 network and 167 devices were present in the network, the
correct wildcard mask would be 0.0.0.255. If you used an incorrect wildcard mask, such as 0.0.0.3, only the
192.168.9.0/30 network would be allowed translation (only the IP addresses 192.168.9.1 and 192.168.9.2). Of
the 167 devices, 165 would not receive translation.
The overload keyword is required in this configuration, since there are more private IP addresses (62) than
there are public IP addresses (one). Overload activates NAT overloading, often called Port Address Translation
(PAT), and assigns each private IP address a unique, dynamic source port in router memory to track
connections. If the overload keyword were not included in the NAT configuration, only one private host could
access the Internet at a time.
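The two points above, the wildcard mask selecting which inside local addresses the ACL hands to NAT and the overload keyword giving every host its own source port behind the single serial address, are modelled in this added Python example. It is not part of the original explanation; the serial 0 address 203.0.113.1 and the PatTable model are constructed for illustration and only approximate IOS behaviour.

```python
import ipaddress


def wildcard_mask(prefix_len):
    """IOS inverse (wildcard) mask for a prefix length: /26 -> 0.0.0.63, /24 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))


def acl_permits(acl_addr, wildcard, host):
    """Standard ACL match: where a wildcard bit is 0 the host bit must equal the ACL address bit."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(acl_addr)) & care) == (int(ipaddress.IPv4Address(host)) & care)


def hosts_translated(cidr, acl_addr, wildcard):
    """Number of usable hosts in `cidr` that `access-list 1 permit acl_addr wildcard` hands to NAT."""
    return sum(1 for h in ipaddress.ip_network(cidr).hosts() if acl_permits(acl_addr, wildcard, str(h)))


class PatTable:
    """Toy model (constructed, not IOS code) of `ip nat inside source list 1 interface serial 0 overload`:
    each permitted inside local address:port is mapped to the one inside global address plus a unique port."""

    def __init__(self, inside_global, acl_addr, wildcard):
        self.inside_global, self.acl_addr, self.wildcard = inside_global, acl_addr, wildcard
        self.table, self.used_ports = {}, set()

    def translate(self, inside_local, local_port):
        """Return (inside_global, global_port), or None when the ACL does not select the host."""
        if not acl_permits(self.acl_addr, self.wildcard, inside_local):
            return None
        key = (inside_local, local_port)
        if key not in self.table:
            # Keep the original source port while it is free; otherwise take the next free one.
            port = local_port
            while port in self.used_ports:
                port += 1
            self.used_ports.add(port)
            self.table[key] = (self.inside_global, port)
        return self.table[key]


def demo():
    """All 62 hosts of 10.4.3.64/26 open a flow from source port 50000 at the same time."""
    pat = PatTable("203.0.113.1", "10.4.3.64", wildcard_mask(26))  # serial 0 address is constructed
    flows = [pat.translate(str(h), 50000) for h in ipaddress.ip_network("10.4.3.64/26").hosts()]
    return flows, pat.translate("10.4.3.1", 50000)  # 10.4.3.1 lies outside the /26 and is not translated
```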
An alternate solution would involve the creation of a pool of public IP addresses on the NAT router, and
applying the access control list to the NAT pool:
Router(config)# ip nat pool NATPOOL 201.52.4.17 201.52.4.22 netmask 255.255.255.248
Router(config)# ip nat inside source list 1 pool NATPOOL overload
The first command creates a NAT pool with six public IP addresses on subnet 201.52.4.16/29, which will be
used for translation. The second command then ties access list 1 to the NAT pool, and specifies overload so
that the six public addresses can be reused as often as necessary, allowing all of the private IP addresses
simultaneous Internet access.
In both of these examples, dynamic mapping is used. Without dynamic mapping, it is not possible for
computers from outside the network to establish a connection with computers inside the network unless a static
mapping between the private IP address and the public IP address is established on the NAT device.
A common alternative approach is to use public IP addresses in the DMZ rather than private IP addresses, and
to place any computers that must be accessed from outside the network in the DMZ. In this case, NAT is not
required between the DMZ devices and the Internet. Even if public IP addresses are used in the DMZ, if the
addresses undergo NAT translation, connections from outside the network will not be possible.
When NAT is used to translate a public IP address (or addresses) to private IP addresses, the NAT process is
ONLY implemented on the router that connects the network to the Internet. This is because private IP
addresses are not routable to the Internet, and translation must occur where the network connects to the
Internet.
The following command sets are incorrect because they both involve the creation of a NAT pool:
Router(config)# ip nat pool POOLNAME 10.4.3.64 /26
Router(config)# interface s0
Router(config-if)# ip nat inside source 1 pool POOLNAME overload
and
Router(config)# access-list 1 permit 10.4.3.64 0.0.0.127
Router(config)# interface s0/0
Router(config-if)# ip nat source list 1 pool POOLNAME overload
The scenario states you must use the IP address of the serial interface as the public address. Also, the ip nat
inside source command is configured in global configuration mode, not interface configuration mode. Finally,
access control lists require inverse masks (such as 0.0.0.63). CIDR notation (as in POOLNAME 10.4.3.64 /26)
is not allowed.
The following command set is incorrect because access control lists require inverse masks (such as 0.0.0.63)
and CIDR notation (/26) is not allowed:
Router(config)# access-list 1 permit 10.4.3.64 /26
Router(config)# ip nat inside source list 1 interface serial 0
Also, the ip nat inside source command is configured in global configuration mode, not interface configuration
mode.
Objective:
Infrastructure Services
Sub-Objective:
Configure, verify, and troubleshoot inside source NAT