ExamTopics Logo
Mail Us[email protected]
Menu
Palo-Alto-Networks Discussions
exam questions

Exam PCNSE All Questions

View all questions & answers for the PCNSE exam
Go to Exam

Exam PCNSE topic 1 question 501 discussion

Actual exam question from Palo Alto Networks's PCNSE
Question #: 501
Topic #: 1
[All PCNSE Questions]

A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6.12.10, and the post-NAT IP address is 192.168.10.10. Refer to the routing and interfaces information below.





What should the NAT rule destination zone be set to?

  • A. None
  • B. Inside
  • C. DMZ
  • D. Outside
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by kewokil120 at March 20, 2023, 2:25 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
jhoncena
Highly Voted 2 years, 4 months ago
Answer should be D .. Outside to outside based on below : The destination zone in the NAT rule is determined after the route lookup of the destination IP address in the original packet (that is, the pre-NAT destination IP address). https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping
upvoted 15 times
jhoncena
2 years, 4 months ago
I know both routing entries refer to Inside but the question is asking about the configuration part not the logical flow .. we need to configure outside > to > outside
upvoted 3 times
jhoncena
2 years, 4 months ago
No Inside should be correct : )
upvoted 6 times
...
...
...
Knowledge33
Highly Voted 2 years, 3 months ago
Selected Answer: D
The answer is D, not B guys. We don't care about the routing table. When a paccket arrive on the outside Interface, The PAN checks first if there is a DNAT configured for this trafic, and If the trafic is allowed. Then It can proceed with the forwarding lookup (Routing table). That's why we need Outside>Outside NAT. B is totally wrong. There is no NAT on the Inside zone. FOrget the Routing table. It doesn't matter.
upvoted 12 times
Knowledge33
2 years, 2 months ago
My bad. The response is B
upvoted 10 times
Eluis007
1 year, 4 months ago
A NAT rule is configured based on the zone associated with a pre-NAT IP address. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-policy-rules/nat-policy-overview
upvoted 4 times
scanossa
1 year ago
Answer is D, a NAT rule is configured based on the zone associated with a pre-NAT IP address
upvoted 1 times
...
...
...
laroux
2 years, 2 months ago
> The destination zone in the NAT rule is determined after the route lookup of the destination IP address in the original packet (that is, the pre-NAT destination IP address). https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping
upvoted 1 times
...
...
network_enthusiast
Most Recent 3 weeks ago
Selected Answer: B
Answer is B
upvoted 1 times
...
mustfaozturknetworks
1 month, 3 weeks ago
Selected Answer: D
Certanly D.
upvoted 1 times
...
Redheidoo
3 months, 2 weeks ago
Selected Answer: D
Answer is D --> for destination NAT the Destination zone is always the same as the source zone
upvoted 1 times
...
DSBlue
5 months, 3 weeks ago
Selected Answer: B
It is B, the dest zone in the NAT rule must be that which the firewall has in its routing table for the pre-NAT dest address. I often check this with 'test routing fib-lookup vrouter vrname 1.1.1.1'
upvoted 1 times
...
Nkotrikadze
6 months, 1 week ago
Selected Answer: B
B is correct, tested in lab
upvoted 1 times
...
corpguy
6 months, 1 week ago
Selected Answer: B
The naming of the interfaces seems to be an attempt at a trick question.
upvoted 1 times
...
SCCUser
6 months, 4 weeks ago
Selected Answer: D
The destination zone in NAT rule is OUTSIDE, and the destination zone in security zone is INSIDE
upvoted 1 times
...
kewokil120
8 months ago
Selected Answer: D
Answer is D. Refer to https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping and the first image.
upvoted 2 times
...
Pretorian
8 months, 2 weeks ago
Selected Answer: D
D is correct - Original packet for DNAT is untrust to untrust for zone.
upvoted 1 times
...
corpguy
8 months, 3 weeks ago
Selected Answer: D
Should be the Untrust or outside zone to/from regardless of the routing table.
upvoted 1 times
...
362c603
10 months ago
Selected Answer: D
took and passed exam today. I answered Outside. DNAT Source and DST Zone should be PreNAT zone. I got few new questions that aren't here. If you at least study the concept and use this website as an extra study material, you should be good.
upvoted 2 times
...
Cosmonauta
10 months, 3 weeks ago
The correct answer should be B, first the packet could go through the firewall without nat, then the destination can be changed while it goes from false to internal, after nat the firewall knows the route to follow.
upvoted 1 times
...
thelittleyellowbirdie
12 months ago
this was in my exam 09/08/2024
upvoted 2 times
...
Bau24
1 year ago
Selected Answer: B
The pre-nat ip address is not on firewall itself and just routed to the inside network, so the Destination zone will be INSIDE
upvoted 2 times
...
Bau24
1 year ago
Selected Answer: B
B -Inside
upvoted 1 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel