Nat Sim
Question
A network associate is configuring a router for the TUT company to provide internet access. The ISP has provided the company six public IP addresses of 198.18.184.105 – 198.18.184.110. The company has 14 hosts that need to access the internet simultaneously. The hosts in the company LAN have been assigned private space addresses in the range of 192.168.100.17 – 192.168.100.30.
The following have already been configured on the router: – The basic router configuration
Tasks:
+ Use NAT to provide Internet access to all hosts in the company LAN.
+ Name the router TUT
+ Inside global addresses: 198.18.184.105 – 198.18.184.110/29
+ Inside local addresses: 192.168.100.17 – 192.168.100.30/28
+ Number of inside hosts: 14
Solution:
Note: If you are not sure about NAT or access lists, please read my NAT tutorial and Access-list tutorial.
The company has 14 hosts that need to access the internet simultaneously, but we have only 6 public IP addresses, from 198.18.184.105 to 198.18.184.110/29. Therefore we have to use NAT overload (or PAT).
Double click on the Weaver router to open it
Router>enable
Router#configure terminal
First you should change the router’s name to TUT
Router(config)#hostname TUT
Create a NAT pool of global addresses to be allocated with their subnet mask.
TUT(config)#ip nat pool mypool 198.18.184.105 198.18.184.110 netmask 255.255.255.248
Create a standard access control list that permits the addresses that are to be translated
TUT(config)#access-list 1 permit 192.168.100.16 0.0.0.15
Establish dynamic source translation, specifying the access list that was defined in the prior step
TUT(config)#ip nat inside source list 1 pool mypool overload
This command translates all source addresses that pass access list 1, which means a source address from 192.168.100.17 to 192.168.100.30, into an address from the pool named mypool (the pool contains addresses from 198.18.184.105 to 198.18.184.110).
The overload keyword allows multiple IP addresses to be mapped to a single registered IP address (many-to-one) by using different ports.
The question said that appropriate interfaces have been configured for NAT inside and NAT outside statements. This is how to configure the NAT inside and NAT outside, just for your understanding:
TUT(config)#interface fa0/0
TUT(config-if)#ip nat inside
TUT(config-if)#exit
TUT(config)#interface s0/0
TUT(config-if)#ip nat outside
TUT(config-if)#end
Finally, save all your work with the following command:
TUT#copy running-config startup-config
Check your configuration by going to “Host for testing” and typing:
C:\>ping 192.0.2.114
The ping should succeed, and you will receive replies from 192.0.2.114
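The subnet arithmetic behind the three NAT commands above, as an added example that is not part of the original post: it derives the pool netmask and the ACL wildcard from the address ranges in the task, decides whether overload is needed, and flags a pool whose start and end addresses fall in different subnets. The function names are hypothetical, and covering_network assumes the mask is the smallest subnet containing the range, which agrees with the /28 and /29 stated in the task.

```python
import ipaddress

# Address ranges and host count taken from the task statement.
INSIDE = ("192.168.100.17", "192.168.100.30")
POOL = ("198.18.184.105", "198.18.184.110")


def covering_network(first, last):
    """Return the smallest single subnet that contains both addresses."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError(f"range {first} - {last} is reversed")
    # Every bit at or below the highest differing bit must be a host bit.
    host_bits = (lo ^ hi).bit_length()
    return ipaddress.ip_network(f"{first}/{32 - host_bits}", strict=False)


def check_pool(start, end, netmask):
    """Sanity-check a typed 'ip nat pool' line (constructed logic, not IOS code)."""
    net_start = ipaddress.ip_network(f"{start}/{netmask}", strict=False)
    net_end = ipaddress.ip_network(f"{end}/{netmask}", strict=False)
    if net_start != net_end:
        return ["start and end addresses on different subnets"]
    if ipaddress.IPv4Address(start) > ipaddress.IPv4Address(end):
        return ["start address is higher than end address"]
    return []


def nat_config(inside, pool, hosts, pool_name="mypool", acl=1):
    """Build the three NAT commands from (first, last) address pairs."""
    inside_net = covering_network(*inside)
    pool_net = covering_network(*pool)
    pool_size = (int(ipaddress.IPv4Address(pool[1]))
                 - int(ipaddress.IPv4Address(pool[0])) + 1)
    # Without 'overload' each inside host holds one pool address, so only
    # pool_size hosts can be translated at the same time.
    overload = " overload" if hosts > pool_size else ""
    return [
        f"ip nat pool {pool_name} {pool[0]} {pool[1]} netmask {pool_net.netmask}",
        # The ACL matches the whole subnet, so it starts at the subnet
        # boundary (.16), not at the first host (.17). The wildcard is the
        # inverted mask; a wider one such as 0.0.0.255 would translate
        # hosts the task never listed.
        f"access-list {acl} permit {inside_net.network_address} {inside_net.hostmask}",
        f"ip nat inside source list {acl} pool {pool_name}{overload}",
    ]


if __name__ == "__main__":
    for line in nat_config(INSIDE, POOL, hosts=14):
        print(line)
    # A pool line with one mistyped first octet (constructed input).
    print(check_pool("198.18.184.105", "192.18.184.110", "255.255.255.248"))
```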
You can download this sim and practice with Packet Tracer here: http://www.9tut.com/download/9tut.com_CCNA_NAT_sim_question.zip
(Notice: you can find other NAT Sim Question here)
Other lab-sims in ICND2 Exam:
ICND 2 – OSPF Sim
VTP SIM (on 9tut.com)
EIGRP Lab sim (on 9tut.com)
Other lab-sims might appear in the real ICND 2 exam, read and understand them if you have enough time!
@9tut,
just additional question?
why would you configure overload if you have a pool of 198.18.184.105 to 198.18.184.110 ip’s?
on my config above I use only dynamic nat. please validate guys I need your opinions.
Our pool only has 6 public IP addresses (from 198.18.184.105 to 198.18.184.110) but “the company has 14 hosts that need to access the internet simultaneously”. Therefore the only solution here is to use PAT (NAT overload).
If you use your above configuration, only 6 hosts can access the internet simultaneously.
In the real life, you can use prefix-length keyword but there were reports from CCNA candidates that the “prefix-length” keyword didn’t work, so you should use keyword “netmask” instead.
Okay, I think I got it.
1. If you have an inside pool that is smaller or equal to your outside pool, you don’t need overload.
2. if you have an outside pool of more than one address that is smaller than your inside pool then you need overload and you will need to define a pool and assign the acl to the pool name like above.
3. if you only have 1 outside ip address you still need overload but you do not need to name a pool and you would assign your acl to the interface.
I believe that is correct.
Help, why I got this message in Packet Tracer in Router configuration:
Router(config)#ip nat pool mypool 198.18.184.105 192.18.184.110 netmask 255.255.255.248
%Pool mypool mask 255.255.255.248 too small; should be at least 0.0.0.0
%Start and end addresses on different subnets
Router(config)#
I check and netmask is OK and these 2 IP address are in the SAME network.
Heji – On the first line, check the first octets again. both should match.
….Often I make the same typo as i’m so used to typing 192….
How to summarize or make wildcard mask for this?
192.168.100.17 – 192.168.100.30
Above example says its 0.0.0.15
How do we calculate that thing?
Please tell me
aaa:
first of all you have to know how wildcard mask works. it's just changing the 0s into 1s and 1s into 0s of the subnet mask. so in the sim the subnet mask is 192.168.100.17 – 192.168.100.30/28 which means 11111111.11111111.11111111.11110000
calculate the 1s=128+64+32+16+8+4+2+1=255 so it becomes 255.255.255.
the 1s in the last octet are 1111=128+64+32+16=240
and the remaining 0s are 8+4+2+1=15. So now you have to make the 1s into zero and zero’s into 1. Here how it goes
11111111.11111111.11111111.11110000
00000000.00000000.00000000.00001111
0.0.0.15 -count the last 4 1s which becomes 8+4+2+1=15.
Hope you understand this.
Thanks
Well it’s not an inside pool that refers to private IP addresses that are being translated but rather an access list specifying the private IP addresses that are being permitted.
The only pool that was created can be seen in the CLI statement where it shows “mypool” after ip nat pool.
I want to know if there are configurations for the ISP router to assign public IP to the NAT router.i need ur help.Thanks
No, you are not allowed to configure the ISP router.
i have a VPN like this one above,so i was asking to help me with configurations of that router you called “ISP”.Thanks
hi .. shouldn't the net mask be 255.255.255.240? … i read that the assigned global addresses (here 198.18.184.105 to 198.18.184.110) should fall under the specific mask range… it would be a conflict if we use /29 right??? /28 will get those addresses within the range …
This example is not using PAT rather dynamic NAT with overload capabilities. When using PAT the following command is used
ip nat source list *access list* interface *inside global* overload
if the source list command is using a pool of addresses then its dynamic NAT with overload
Hey Pav,
When we are defining the pool of address to use we use the following format.
ip nat pool *name* *start ip* *end ip* netmask *ip range*
The netmask command is simply checking that we have used the correct ranges in the start and end ip commands.
Using a netmask of /29 gives an increment of 8 which covers our range of 6 addresses. using a /30 is too small with only 4 in the range and a /28 would give us too many with a range of 16.
I have some photozz from my exam.I can mail to human which post
it to this site.
Sorry for my poor English slavian2004@bk.ru
Just passed the icnd 2 !
Although this site is great for practise exams I dint have any of the material from here in the actual exam.
Thanks 9tut !
got it.. thanks inviz!!! congrats for passin ccna:)
hey inviz,
May i know the resources u used ??
thankss
Took test today 9/6 not on there only had VTP lab sim.
The Q says the nat inside and nat outside have been configured. Is it necessary to int fa0/0,
ip nat inside and int s0/0, ip nat outside? Thanks.
You don’t need to configure nat inside and nat outside!
will these question alone be enough for practicing????
@9tut
I see your ccna website is suspended ,everytime it shows this website as account suspended.what happened to this site?
What`is going on ? ccna website down??
Is the NAT sim part of the ICND1 exam
@ross102865
No.. NAT SIM is only for ICND2
hello Guys,
I am facing one problem in connecting the Weaver router to ISP router, I configured the router and switch on packet tracer but when I am pinging from the test PC, I can't connect to the ISP router. I gave the default ip gateway as the 192.0.2.113 for the switch. Still I can't ping to the serial interface…
Thanks
You should give the switch the default gateway of 192.168.100.30
And for you to ping the ISP successfully you should configure a static route
Regards
This is good practice, but the problems here are a bit out of date, i took ICND2 yesterday and none of the problems on here were on the test. The questions are totally different. all I can say is study study study.
Is this OSPF sim on ICND 1 exam??
i created this sim in packet tracer and the remote isp router (192.0.2.114) cannot be pinged from the LAN when NAT overload is configured but can be pinged when PAT is configured!!
sh ip nat trans show the attempt to translate inside locals to inside globals but the ping will not reply with NAT overload! tried configuring static routes and rip but still doesn't work!
Any suggestions please?
@9Tut,
Once again thank you for this site and contributions!
I am happy with the sim (i.e. I understand the how to successfully configure NAT / PAT) However, I am encountering the same issue – I able to see a NAT translation but I do not receive a reply from the ping. The request simply timeout with 100% packet loss
I have tried to TSHOOT this myself as far as I can but unable to decipher the issue
Any feedback would be greatly appreciated
p.s. I have configured the “ip nat inside” and ip nat outside” on the correct interfaces
TheSnake,
The reason that you are unable to receive a reply to your ping is that there is no route from the ISP back to the host you are pinging from because there is no routing protocol configured.
Try creating a static route on the ISP router (ie: ip route 192.135.100.0 255.255.255.0 Serial0/1) so that the ICMP packet knows where to return to ping reply.
worked for me..
@CSStudent
ip route 192.135.100.0 255.255.255.0 Serial0/1
That will add a route to the local address. Did not work for me.
I’ve set up this route, and worked great for me.
ISP(config)#ip route 198.18.184.104 255.255.255.248 192.0.2.113
Giving the ISP the route back using the public addresses.
Hi i’m having my exam this Friday….hope this will help…. orrrr i’ll kill someone
Hi everyone
I need to run these lab questions on packet tracer please help me where are the sources?
im sitting in two weeks time pls help me on ICDN1 & ICDN2 (Important notes needed thanks advance
Hi,
I need help here. How did we get this:
Weaver(config)#access-list 1 permit 192.168.100.16 0.0.0.15
I think it should be:
Weaver(config)#access-list 1 permit 192.168.100.17 0.0.0.15
Thanks in advance
a wild card is something like the reverse of the subnet
the subnet used for that address range was 255.255.255.240 (it gives you 16 IPs, 1 is the subnet address, 1 is the broadcast address)
0.0.0.15 covers 16 IPs (count 0.0.0.0 too). it covers the subnet address, 14 possible hosts and the broadcast address.
the range must start at the block size multiplier. the block size number is 16 so the starting number is 0, 16, 32, 48… in our case is 16
long story short:
192.168.100.16 0.0.0.15 covers for the entire subnet that starts at 192.168.10.16 and has a subnet mask of 255.255.255.240
i hope someone can understand something out of it… wildcard masks are the reverse of subnet masks, that’s the most important
This exercise was in my exam today. 933/1000.
Thanks a lot!!
just gotta love all these lazy bums that come on here and post asking for people to send them stuff and teach them.
get off your lazy butt and learn!!!! all that you need is here. jerk-offs!! no one wants to take time out of their busy day to help someone who wont even get on this website and read what is already helping other people do just fine.
@xallax
you are overcomplicating wild cards
all you do is subtract the subnet mask from 255.255.255.255 (courtesy of wendell odom)
255.255.255.255
-255.255.255.240
0. 0. 0. 15
was trying to explain why that wild card was used. anyways, thanks for the simple way of doing it. cheers
np man… i just wanted to help brotha!!
ill even help out a little more… when i was in school my teacher gave us a subnetting chart. it is so awesome that i even made one to put in my wallet and on my wall at home lol… this thing rocks man and can help you subnet like a biotch!!
____128 64 32 16 8 4 2 1
____128 192 224 240 248 252 254 255
2nd /9 /10 /11 /12 /13 /14 /15 /16
3rd /17 /18 /19 /20 /21 /22 /23 /24
4th /25 /26 /27 /28 /29 /30
the 2nd, 3rd and 4th writing on the left represents the octets… if you make a chart of this write 2^7 above the first 128 and above 64 write 2^6 and so on down to 2^0 over one. this will represent the bits borrowed when you are subnetting. memorizing this chart is the fastest way to subnet i have seen. it totally avoids having to calculate binary which takes forever unless you play the binary game like a madman.
____128___ 64_____ 32_____ 16_____ 8_____ 4_____ 2_____ 1
____128__ _192____ 224____ 240___ 248___ 252___ 254___ 255
2nd _/9____ /10 ____/11_____ /12___ /13___ /14____ /15___ /16
3rd _/17___ /18____ /19_____ /20____ /21___ /22____ /23___ /24
4th _/25___ /26____ /27_____ /28____ /29___ /30
should look more like this only ignore the underscores… the numbers should basically be like columns 128, 128 /9 /17 /25 should be column one basically
Check out http://j.mp/ciscoebooks
Hey guys,
I cant seem to get this working….it seems like I have the same configuration as the solution but it doesnt work when I try the ping! Any ideas?
For access-list 1, why couldn’t we use 192.168.100.0 0.0.0.255?
Using 0.0.0.255 may block the testing computer as well depending upon the ip address stored on the computer and one more thing they asked us to block specifically so ans specifically will be better..
sorry it won't block the testing machine..
so i guess its better to be precise.. why permit extra computers..! when they ask you to allow only 15.. by putting 0.0.0.255 will allow other computers as well..
well the objective will be completed by answering 0.0.0.255 but they may reduce points for not being precise..
AGAIN NOTHING WRONG IN PUTTING 0.0.0.255
this pops up in an ICND1 ebook i have!! some people are saying NAT is only for CCNA and others say it comes up in CCENT…anyone have any concrete info please?
@helblzer
NAT is for ICND2 or CCNA
additional question http://www.9tut.com is not working.why????
@zenith:Which topic in 9tut.com is not working?
@9tut
sorry, it’s my fault. thanks for the quick response.
Hi! Guyz, just want to ask this I’m using a 5.3 ver of packet tracer and I have created a network and apply NAT to it, I already configure all the necessary things like ip address and used dynamic routing protocol such as eigrp, and it work wel (by the way, on my network was consist of two LAN with router on each and that two router was connected via serial cable)l. And to reassure the this network work very well ping all of the client and server both ends and its ok. then i start to apply NAT to the network, I configured the following:
router(config)#ip nat pool testpool 200.1.1.1 200.1.1.2 netmask 255.255.255.252
router(config)#accesslist 1 permit 192.168.10.0 0.0.0.255
router(config)#ip nat inside source list 1 pool testpool
then I configure also the interfaces: s0/0/0 configure with “ip nat outside” then fa0/0 with “ip nat inside”
after that for the 192.168.10.0 network I can’t ping the server Network anymore, but on the other 192.168.20.0 net which is connected on same router with 192.168.10.0 net can ping the server LAN, and I use “show ip nat translation” I could I see the translation occur. please help me guys im very very confuse cause i already change this topology to a more simplier one but still end up with this kind of problem….thnx in advance
@confusion: Please upload your pkt file on http://certprepare.com/forum we will help you!
@9tut Ok i will thnx
@9tut, i already figure it out… NAT only passes thru default route cause all the while i was configuring a dynamic routing thru both routers i guess my clumsiness over think that i just remember that NAT only uses thru the outside network…. but thanks anyway…
confusion, ip nat pool testpool 200.1.1.1 200.1.1.2 netmask 255.255.255.252
does not work! Packet will goes with IP and netmask from pool and never succeeded.
Host pool from mask must be higher than difference between first & last host from pool.
Destination host must be reachable by the way.
I just passed my ccna today, thanks the sim labs helped a lot. I had eigrp, vlan and acl. Make sure to took at interface assignment on the switch. Thaxs
interface Loopback0
ip address 1.1.1.5 255.255.255.255
!
interface Serial0/0
ip address 192.168.234.2 255.255.255.0
encapsulation frame-relay
frame-relay map ip 192.168.234.3 203 broadcast
frame-relay map ip 192.168.234.4 204 broadcast
frame-relay map ip 192.168.234.5 205 broadcast
!
router ospf 1
router-id 1.1.1.5
network 0.0.0.0 255.255.255.255 area 0
neighbor 192.168.234.3
neighbor 192.168.234.4
neighbor 192.168.234.5
!
I don’t get it..
According to the picture The Weaver Router has an IP Address S0/0 192.0.2.113 and the ISPs` address S0/1 192.0.2.113.
The task states “The ISP has provided the company six public IP addresses of 198.18.184.105 198.18.184.110”.
How can we configure different public IP addresses from the S0/0 interface on the weaver router?
It is my understanding that the public addresses should be at least from the same range as the outbound interface (in the sim lab in our case that is the S0/0 of the Weaver router)?
OK, i got it
I just rebuild the same topology in packet tracer, and it didn’t worked at first, but then this problem can be solved by just adding a static route on the ISP router for the translated IP addresses:
ISP(config)#ip route 198.18.184.104 255.255.255.248 Se0/1
Thanks 9tut for the great examples and tutorials here
@ xallas, is it not you should overload only single public ip address or a dynamic NAT without overload clause. Please explain me !
@gyan
im sure this will clear up all your questions
http://www.9tut.com/network-address-translation-nat-tutorial
Did not have this sim on my exam today, but one must be prepare to challenge should it is on the exam.
Can someone please email me ICND1 latest dump my id is mihirjmodi@yahoo.com.au I got a exam on Tuesday. thanks in Advanced:)
How to get the subnet mask for these ranges
192.168.100.17 – 192.168.100.30
198.18.184.105 – 198.18.184.110
How do we calculate to get the subnet mask coz i don’t see them given above
Please help!!!!!!!!!!!!!!
iam so dump guys, its there i just didn’t read carefully. This is why most fail exams, cant see wats in front of us.
concentration help guys. Pay attention to detail is key to passing.
@lazanya
192.168.100.17 – 192.168.100.30
i assume those are the usable IPs.
it should start at .16, should end at .31
the increment is obviously 16
the subnet mask is 255.255.255.240
198.18.184.105 – 198.18.184.110
starts at .104, ends at .111
the increment is 8
the subnet mask is 255.255.255.248
Can someone please mail me the latest dump prathikpankaj@yahoo.com
Thanks
Thanks 9TUT i passed in the ICND-2 with score 986!!!!!!
I need latest dumps for icnd-2, I will appreciate you if u can send me. waheed53@yahoo.com.
I wan’t to give this exam b4 10 july 2012
can sumbody please help with this question: 192.168.1.0/24 4 subnets to support 60 hosts
Can anyone explain why the command below says INSIDE instead of OUTSIDE?
Weaver(config)#ip nat inside source list 1 pool mypool overload
Anonymous, answer is 4 subnets, all with 255.255.255.192 as subnet mask
The four network addresses would be as follows allowing 62 useable hosts per subnet:
192.168.1.0-63
192.168.1.64-127
192.168.1.128-191
192.168.1.192-255
Hi Joe! I’m also studying ICND2 now and will take the exam this Friday. For your question my understanding is that you need a pool of addresses on the serial link subnet that the router Weaver can use. That is, the IP addresses in the company LAN that the access list 1 permit to translate.
I took ICND2 today. Had VTP sim and Frame relay. The VTP sim said to use the first available IP. The first USABLE was for the DG and the second USABLE was on the first switch. I’m guessing by the first available they mean the third usable? because the first two weren’t actually AVAILABLE. I spent 20 min trying to figure out what they meant. I passed 944!!!!
hello!
any one let know how many sim are the exam
I had 3 sim and 3 drag and drops.
guys plz help
i dont undrstnd this format (for e.g 192.168.1.12/24)
what is /24 here? is ds the subnet mask or default gateway?
thanks in advance
Can someone please email me the latest dump!!! Does anyone have the frame relay sim???
ndmckown@yahoo.com
at jazz if you dont know what /24 is then you are not ready for the exam… it means 255.255.255.0
Can someone tell me where to get the latest dumps for ICND2? Thanks!
@Jazz /24 is the prefix for 255.255.255.0 since all the bits in the first 3 octets are set to ‘1’ that makes it 24(8X3).
If you don’t know this and you are here at the ICND2 level I strongly advise you to review ICND1 chapter on IP addressing..
NAT just blows my mind, I tried do this sim in Packet tracer everything worked like a breeze..
I was just wondering how did Cisco, in the exam, managed to keep the 192.168.100.16 hosts from pinging ISP router?? has this occured to anybody too?
(BTW the concept of private and public IP addresses doesn’t work here, I mean you can get 192.168.100.16 hosts to ping the ISP router even though it has a public IP, if you have static router routes in place)
because in the real world the ISP will certainly block any private address from getting routed to the Internet, but no matter how hard you try you can’t simulate the internet in a simulator…..
So then how did Cisco can actually simulate this??
Here are my thoughts, one of two ways.
1.The ISP router doesn’t have a route for the 192.168.100.16 network.
or
2.They have applied an access-list on the outbound direction of Weaver S0/0 or Inbound of ISP S0/1 to block the addresses that come from 192.168.100.16 space…
This blew my mind when I thought about it… ACL and NAT would have to be the best Networking technologies out there
Taking ICND2 this weekend – Are there no WAN or Wireless questions on ICND2 since they were covered in ICND1, or do I still need to be prepared for those as well?
This was not on my exam yesterday. Note i had 3 IPv6 questions ie determine which are valid not so simple as just recognizing double colons either.
how to figure out the the subnet mask for public address when one is not given? I have seen another question in where it does not specify a subnet mask for the public address.
Charles… Use the subnet mask of the NAT outside interface if no subnet mask is specified.
For this problem, I believe something is missing: a default route.
ip route 0.0.0.0 0.0.0.0 192.0.2.114
is there a lab simulation for this on 9tut ( i mean as a packet tracer file or something ) ?
Thanks
Hi , I tried creating this lab in the packet tracer , but i am not able to ping from the “host for testing”- it says request timed out-
I have read the comments and someone had advised to use a static route on the ISP route- i gave the command
ip route 192.18.184.104 255.255.255.248 serial 0/0/1
but still am unable to ping. Any help 9tut ?
@ 9tut- in the exam – the points are given only if the ping is successful? or even without the ping being unsuccessful ?
Can u provide a lab simulation for this question pls . I have an exam in 3 days
@ no name- even i think that a default route to 192.0.2.114 should exist- 9tut ,any comments on this ?
ip route 0.0.0.0 0.0.0.0 192.0.2.114
that is how it wil ping the ip 192.0.2.114.
have a doubt :in the Last step in the SIM- :
shouldnt to verify , the host should use a ping to any of the public ip address , in the pool 198.18.184.105 to 198.18.184.110.????
@creative me and no name
Default route is required for corporate networks’ internal routers.
It is not required on the router where NAT is applied.
However a static route may be implemented on the ISP router or the use of BGP both of which are not in the scope of CCNA.
@creative me: the points are given only if the ping is successful.