You are configuring dynamic PAT on a Cisco ASA 5500 using the CLI. The ASA is running software version
8.3.
Which of the following IP addresses must be configured within a network object or object group? (Select the
best answer.)
A.
inside global
B.
outside global
C.
inside local
D.
outside local
Explanation:
Of the available options, an inside local address must be configured within a network object or object group if
you are configuring dynamic Port Address Translation (PAT) on a Cisco Adaptive Security Appliance (ASA)
5500 using the commandline interface (CLI) if the ASA is running software version 8.3. A local address is a
source or destination IP address as seen from the perspective of a host on the inside network.
On a Cisco ASA, a network object is a data structure that is used in place of inline IP information. You might
use a network object in place of configuring IP addresses, subnet masks, protocols, and port numbers if you
must configure that same information in multiple places. If the information you configure within the object ever
changes, you then need only modify the single object instead of locating and modifying each instance of the
inline IP information.
An object group is simply a group of network objects. By grouping network objects, you can enable the use of a
single application control engine (ACE) to make requests of multiple devices.
An inside local address is an IP address that represents an internal host to the inside network. Inside local
addresses are typically private IP addresses defined by Request for Comments (RFC) 1918. When a NAT
router receives a packet from a local host destined for the Internet, the router changes the inside local address
to an inside global address and forwards the packet to its destination.
You can configure an inside global address inline or as part of a network object or object group on an ASA
running software version 8.3. An inside global address is an IP address that represents an internal host to the
outside network. Inside global addresses are typically public IP addresses assigned by the administrator of the
outside network.
You would not configure an outside global address in this scenario. An outside global address is an IP address
that represents an external host to the outside network. Outside global addresses are typically public IP
addresses assigned to an Internet host by the host’s operator. The outside global address is usually the
address registered with the Domain Name System (DNS) server that maps a host’s public IP address to a
friendly name, such as www.example.com.You are not likely to configure an outside local address in this
scenario. An outside local address is an IP address that represents an external host to the inside network. The
outside local address is often the same as the outside global address, particularly when inside hosts attempt to
access resources on the Internet. However, in some configurations, it is necessary to configure a NAT
translation that allows a local address on the internal network to identify an outside host.Cisco: Cisco ASA 5500 Series Configuration Guide Using the CLI, 8.3: Configuring Dynamic PAT (Hide)
“Of the available options, an inside local address must be configured within a network object or object group if
you are configuring dynamic Port Address Translation (PAT) on a Cisco Adaptive Security Appliance (ASA)
5500 using the commandline interface (CLI) if the ASA is running software version 8.3. A local address is a
source or destination IP address as seen from the perspective of a host on the inside network.”
So C would be the correct answer, even though A is highlighted.