Exam PCNSE topic 1 question 501 discussion

Answer should be D .. Outside to outside based on below : The destination zone in the NAT rule is determined after the route lookup of the destination IP address in the original packet (that is, the pre-NAT destination IP address). https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping

The answer is D, not B guys. We don't care about the routing table. When a paccket arrive on the outside Interface, The PAN checks first if there is a DNAT configured for this trafic, and If the trafic is allowed. Then It can proceed with the forwarding lookup (Routing table). That's why we need Outside>Outside NAT. B is totally wrong. There is no NAT on the Inside zone. FOrget the Routing table. It doesn't matter.

Answer is D --> for destination NAT the Destination zone is always the same as the source zone

It is B, the dest zone in the NAT rule must be that which the firewall has in its routing table for the pre-NAT dest address. I often check this with 'test routing fib-lookup vrouter vrname 1.1.1.1'

B is correct, tested in lab

The naming of the interfaces seems to be an attempt at a trick question.

The destination zone in NAT rule is OUTSIDE, and the destination zone in security zone is INSIDE

Answer is D. Refer to https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping and the first image.

D is correct - Original packet for DNAT is untrust to untrust for zone.

Should be the Untrust or outside zone to/from regardless of the routing table.

took and passed exam today. I answered Outside. DNAT Source and DST Zone should be PreNAT zone. I got few new questions that aren't here. If you at least study the concept and use this website as an extra study material, you should be good.

The correct answer should be B, first the packet could go through the firewall without nat, then the destination can be changed while it goes from false to internal, after nat the firewall knows the route to follow.

this was in my exam 09/08/2024

The pre-nat ip address is not on firewall itself and just routed to the inside network, so the Destination zone will be INSIDE

B -Inside

This question was on my exam on July 23rd, 2024

Pre-NAT IP is 153.6.12.10 Post-NAT zone is the one found after routing lookup which is "inside" --> next-hop for 192.168.10.0/24 is set to 192.168.1.2 (Eth1/2) which is in the inside zone.