Module 6: NAT for IPv4 Flashcards

1
Q

What does NAT stand for?

A

Network Address Translation

2
Q

What purpose does NAT have?

A

To allow networks to use private IPv4 addresses internally and provide translation to a public address only when needed.

3
Q

What is a NAT pool?

A

One or more valid public IPv4 addresses configured on a NAT-enabled router.

4
Q

Where does a NAT router typically operate?

A

Within the border of a stub network (a network with only one exit point to the internet)

5
Q

What happens when a device inside the stub network wants to communicate with a device outside of the stub network?

A

Its packets are forwarded to the border router, which performs the NAT process, translating the internal private address to a public outside routable address.

6
Q

What is the “Inside network” and what is the “Outside network”?

A

Inside Network = The private network subject to translation
Outside Network = All other networks

7
Q

What is a “Demarcation point”?

A

The point where the inside network becomes the outside network.

8
Q

What is meant by the acronyms “SA” and “DA”?

A

Source Address and Destination Address

9
Q

What is the “Inside address”?

A

The address of the device which is being translated by NAT.

10
Q

What is the “Outside address”?

A

The address of the destination device.

11
Q

What is a “Local address”?

A

A local address is any address that appears on the inside portion of the network.

12
Q

What is a “Global address”?

A

A global address is any address that appears on the outside portion of the network.

13
Q

What four columns of addresses does NAT use?

A
  1. Inside local address
  2. Inside global address
  3. Outside local address
  4. Outside global address
14
Q

What is an “Inside local address”?

A

The address of the source as seen from inside the network.

15
Q

What is an “Inside global address”?

A

The address of the source as seen from outside the network.

16
Q

What is an “Outside global address”?

A

The address of the destination as seen from outside the network.

17
Q

What is an “Outside local address”?

A

The address of the destination as seen from inside the network.

18
Q

True or False?
The outside local and outside global address are translated.

A

False.
The outside local and outside global address is the destination (outside device) which is not typically translated because it is already a public IPv4 address.

19
Q

True or False?
The inside local address is translated to an inside global address.

A

True.
The private internal IP address is translated by the NAT router into a publicly routable private IP address.

20
Q

A remote web server has an IP address of 209.165.201.10. What type of NAT address is this?

A

Outside Global

21
Q

A local PC1 has an IP address of 192.168.10.10. What type of NAT address is this?

A

Inside Local

22
Q

Local PC1 has had its IP address of 192.168.10.10 translated into 209.165.200.226. What type of NAT address is this?

A

Inside Global

23
Q

How does Static NAT map local and global addresses?

A

One-to-One Mapping, so that each local address has its own global address

24
Q

When is Static NAT typically used? Name some examples

A

For services that require a consistent address accessible from the internet, such as web servers, SSH access, VPN access.

25
Q

Why might you not want to (or be able to) use static NAT?

A

You might not have enough static global addresses to map them one-to-one for each local address

26
Q

How does Dynamic NAT map local and global addresses?

A

Using a NAT pool of global (public) IP addresses dynamically given out on a first-come first-served basis.

27
Q

Why is Dynamic NAT considered a legacy system that is not used in most real world scenarios?

A

The cost of public IP addresses, and the existence of PAT (Port Address Translation), make the need for randomly assigned inside global addresses redundant.

28
Q

What does PAT stand for?

A

Port Address Translation

29
Q

What is another name for Port Address Translation?

A

NAT Overload

30
Q

How does PAT map local and global addresses?

A

Port Address Translation maps multiple private IP addresses to a single public IP address. It then differentiates the local devices by also assigning them a port number.

31
Q

Why, and how, does PAT assign port numbers?

A

It assigns a unique port number to each session (not each device). The source port is randomly generated and stored, so that on the return trip the destination port maps to the internal session that generated it.

32
Q

In what way does PAT add a level of security?

A

The port number used is randomly generated and must match the source port number that is stored. So incoming packets must be in response and match outgoing packets.

33
Q

Using PAT, what happens when a device tries to use a port number that has already been used by another session?

A

PAT attempts to preserve the original source port, but uses the ‘Next Available Port’ if it cannot.

So if PC1 sends a packet as 192.168.10.10:1445 and then PC2 tries to send a packet as 192.168.10.11:1445, then PC2 will actually use port :1446 instead.

34
Q

A device using PAT has had its port changed from :1445 to :1446 due to Next Available Port. What happens when the packet is received back from port :1446?

A

It gets changed back to port :1445 by the NAT router before being sent back to the source device.

35
Q

What is the difference between NAT and PAT?

A

NAT translates inside local addresses to unique inside global addresses, either one-to-one via static NAT or from a pool via dynamic NAT.

PAT instead translates inside local addresses to a single inside global address, using the port number to uniquely identify them.

36
Q

How does PAT translate packets without a Layer 4 Segment?

A

Packets without a TCP/UDP segment, such as ICMPv4 echo requests and replies, instead use a Query ID to uniquely identify each request with its corresponding reply.

37
Q

What are some advantages of NAT? (4)

A
  • Conservation of public IP addresses by sharing them among devices.
  • Multiple NAT pools can be used to provide redundancy or load-balancing to increase reliability.
  • Ease of management because even if the public IP address of the network changes, clients do not need to be reconfigured.
  • NAT hides the private IP addresses of the internal network (although experts agree NAT does not actually provide true security compared to a firewall).
38
Q

What are some disadvantages of NAT? (6)

A
  • Complicates troubleshooting by hiding internal IPs.
  • Breaks end-to-end IP connectivity.
  • Some protocols (VoIP, FTP) may require special handling.
  • Adds processing overhead that slightly impacts performance.
  • Limits access to internal devices without port forwarding.
  • NAT can cause issues with IPsec because NAT modifies the header values.
39
Q

True or False? A side effect of NAT is that it hides the inside local IP address of a host from the outside network.

A

True. NAT hides the IPv4 addresses of inside hosts from the outside network.

40
Q

True or False? With NAT overload, each inside local IP address is translated to a unique inside global IP address on a one-for-one basis.

A

False. NAT with overload (PAT) allows many internal hosts to share a single, or very few, public IPv4 addresses.

41
Q

True or False? The use of NAT makes end-to-end traceability between source and destination easier.

A

False. With NAT, end-to-end traceability is lost, making it more difficult to trace packets and to perform troubleshooting.

42
Q

True or False? Tunneling protocols such as IPsec do not work well through NAT.

A

True. NAT complicates the use of tunneling protocols, such as IPsec, because NAT modifies values in the headers, causing integrity checks to fail.

43
Q

What two steps are required when configuring static NAT?

A
  1. Create the mapping between the inside local address and the inside global address.
  2. Configure the interfaces participating in the translation as either inside or outside relative to NAT.
44
Q

What IOS command would be used to configure static NAT on the inside address 192.168.10.254 to the inside global address 209.165.201.5?

A

ip nat inside source static 192.168.10.254 209.165.201.5

45
Q

What IOS commands would be used to:
* Enter configuration mode for interface Serial 0/1/0
* Configure the IP address and subnet mask 192.168.1.2 255.255.255.252
* Configure Serial 0/1/0 as inside of the NAT

A
interface serial 0/1/0
ip address 192.168.1.2 255.255.255.252
ip nat inside
exit
46
Q

What IOS commands would be used to:
* Enter configuration mode for interface Serial 0/1/1
* Configure the IP address and subnet mask 209.165.200.1 255.255.255.252
* Configure Serial 0/1/1 as inside of the NAT

A
interface serial 0/1/1
ip address 209.165.200.1 255.255.255.252
ip nat outside
exit
47
Q

What IOS commands could be used to verify a static NAT? (2)

A

show ip nat translations and show ip nat statistics

Statistics can be cleared with clear ip nat statistics

48
Q

What IOS command would be used to create a NAT pool called NAT-POOL1 from 209.165.200.226 to .240 with a subnet mask of 255.255.255.224?

A

ip nat pool NAT-POOL1 209.165.200.226 209.165.200.240 netmask 255.255.255.224

49
Q

What parameters are used to define an IP NAT pool?

A

Starting IPv4 address, ending IPv4 address, netmask or prefix-length

The netmask indicates which address bits belong to the network and which belong to the host.

50
Q

What is the command to configure a standard ACL for NAT?

A

access-list {access-list-number/name} permit {network-ip-address} {wildcard-mask}

This ACL permits addresses in the specified range for translation.

51
Q

What is the consequence of having an ACL that is too permissive?

A

It can lead to unpredictable results

52
Q

What statement is implicit at the end of each ACL?

A

Deny all

53
Q

What command binds an ACL to a NAT pool?

A

ip nat inside source list {access-list-number/name} pool {pool-name}

54
Q

What does binding the ACL to the pool accomplish?

A

Identifies which devices receive which NAT pool

55
Q

What command identifies interfaces as inside for NAT?

A

ip nat inside

56
Q

What command identifies interfaces as outside for NAT?

A

ip nat outside

57
Q

Fill in the blank: The command to define a NAT pool is _______.

A

ip nat pool {pool-name} {starting-ip} {ending-ip} netmask {subnet-mask}

58
Q

What IOS command can be used to verify dynamic NAT? (3)

A

show ip nat translations
show ip nat statistics
show run | include NAT

59
Q

What IOS command can be used to remove all dynamic NAT entries, before they have timed out?

A

clear ip nat translation *

60
Q

What is the default dynamic NAT entry timeout? How can it be changed?

A

24 hours.
ip nat translation timeout {timeout-seconds}

61
Q

What 4 steps are required to configure a single IPv4 PAT?

A
  1. Configure an ACL of permitted hosts: access-list {acl-number/name} permit {host-ip-addresses} {wildcard-mask}
  2. Configure NAT with the overload keyword: ip nat inside source list {acl-number/name} interface {interface} overload
  3. Enter config mode for the inside interface(s) and then configure them: ip nat inside
  4. Repeat for the outside interface(s): ip nat outside
62
Q

What additional step is required when configuring PAT to use an address pool? How does the NAT configuration command change?

A
  1. The NAT pool must be created: ip nat pool {pool-name} {start-address} {end-address} netmask {subnet-mask}
  2. The command needs to reference the pool: ip nat inside source list {acl-number/name} pool {pool-name} overload
63
Q

What is NAT64?

A

NAT64 is a network address translation method for providing access between IPv6-only and IPv4-only networks.

NAT64 is not used for private IPv6 to global IPv6 translation.

64
Q

What is the primary purpose of NAT for IPv6?

A

To provide transparent access between IPv6-only and IPv4-only networks.

This differs from NAT for IPv4, which has different use cases.

65
Q

What is the ideal scenario for IPv6 usage?

A

IPv6 should be run natively wherever possible.

This means IPv6 devices should communicate over IPv6 networks.

66
Q

What are the transition techniques developed by the IETF for moving from IPv4 to IPv6?

A

The transition techniques include:
* Dual-stack
* Tunneling
* Translation

These techniques accommodate various IPv4-to-IPv6 scenarios.

67
Q

What does dual-stack mean?

A

Dual-stack refers to devices running protocols associated with both IPv4 and IPv6.

This allows for communication over both types of networks.

68
Q

What is tunneling in the context of IPv6?

A

Tunneling is the process of encapsulating an IPv6 packet inside an IPv4 packet.

This enables the transmission of IPv6 packets over IPv4-only networks.

69
Q

Is NAT for IPv6 recommended as a long-term strategy?

A

No, NAT for IPv6 should not be used as a long-term strategy but as a temporary mechanism.

It assists in the migration from IPv4 to IPv6.

70
Q

What is NAT-PT and its current status?

A

NAT-PT (Network Address Translation-Protocol Translation) has been deprecated by IETF in favor of NAT64.

NAT-PT was an earlier method that is no longer recommended.

71
Q

What is NAT64 and its current status?

A

NAT64 allows for protocol translation between IPv4 and IPv6 and is currently the main method of doing so.

72
Q

A network administrator wants to examine the active NAT translations on a border router. Which command would perform the task?

A

R1# show ip nat translations

73
Q

What are two tasks to perform when configuring static NAT?

A
  1. Create a mapping between the inside local and inside global addresses.
  2. Identify the participating interfaces as inside or outside interfaces.
74
Q

What is a disadvantage of NAT?

A

It allows sites to connect IPv6 hosts to an IPv4 network by translating the IPv6 addresses to IPv4 addresses.

75
Q

What address translation is performed by static NAT?

A

An inside local address is translated to a specified inside global address.

76
Q

Using NAT terminology, what is the address of the source host on a private network as seen from inside the network?

A

Inside local

77
Q

Why is NAT not needed in IPv6?

A

Any host or user can get a public IPv6 network address because the number of available IPv6 addresses is extremely large.

78
Q

A company designs its network so that the PCs in the internal network are assigned IP addresses from DHCP servers, and the packets that are sent to the Internet are translated through a NAT-enabled router. What type of NAT enables the router to populate the translation table from a pool of unique public addresses, as the PCs send packets through the router to the Internet?

A

Dynamic NAT

79
Q

What is a security feature of using NAT on a network - although experts agree it is not true security?

A

Allows internal IP addresses to be concealed from external users

80
Q

When dynamic NAT without overloading is being used, what happens if seven users attempt to access a public server on the Internet when only six addresses are available in the NAT pool?

A

The request to the server for the seventh user fails.

81
Q

A company has been assigned the 203.0.113.0/27 block of IP addresses by the ISP. The company has over 6000 internal devices. What type of NAT would be most appropriate for the employee workstations of the company?

A

Dynamic NAT overload using the pool of addresses

82
Q

Which version of NAT allows many hosts inside a private network to simultaneously use a single inside global address for connecting to the Internet?

A

PAT

83
Q

What is a disadvantage when both sides of a communication use PAT?

A

End-to-end IPv4 traceability is lost.

84
Q

What 5 steps are taken when an internal host with IP address 192.168.10.10 attempts to send a packet to an external server 209.165.200.254 across router R1 running dynamic NAT?

A
  1. The host sends packets that request a connection to the server address 209.165.200.254
  2. R1 checks the NAT configuration to determine if the packet should be translated.
  3. If there are no translation entries for this IP, R1 determines it should translate the source address 192.168.10.10
  4. R1 selects an available global address from the dynamic address pool
  5. R1 replaces the 192.168.10.10 address with a translated inside global address
85
Q

What two addresses are specified in a static NAT configuration?

A

Inside local address and inside global address

86
Q

In NAT terms, what address type refers to the globally routable IPv4 address of a destination host on the Internet?

A

Outside global

87
Q

Based on the output that is shown, what type of NAT has been implemented?

A

PAT using an external interface

88
Q

What is the purpose of the overload keyword in the ip nat inside source list 1 pool NAT_POOL overload command?

A

It allows many inside hosts to share one or a few inside global addresses.

89
Q

What does NAT overloading use to track multiple internal hosts that use one inside global address?

A

Port Numbers

90
Q

What type of address is 192.168.7.98?

A

Private