Exam PCNSE
Question 501

A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6.12.10, and the post-NAT IP address is 192.168.10.10. Refer to the routing and interfaces information below.

What should the NAT rule destination zone be set to?

    Correct Answer: B

    In a PAN-OS NAT rule the destination zone comes from a route lookup of the original (pre-NAT) destination IP address, not of the translated address. In this question the pre-NAT address 153.6.12.10 is routed out ethernet1/2, which belongs to the Inside security zone, so the NAT rule's destination zone must be Inside, even though the packet enters on the Outside interface. The familiar "Outside to Outside" destination NAT rule is only correct when the public address is routed out the Outside interface; here the routing table sends it to Inside. The security policy that allows the session is built the other way round: it matches on the pre-NAT destination IP but uses the post-NAT destination zone.
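The zone rules above are easy to get backwards, so here is an added worked example (not part of the exam page or of Palo Alto Networks' own material) that performs the route lookup the firewall performs and derives the zones for both the NAT rule and the security rule. The routing table for question 501 is constructed to match what the explanation states (the public /27 and the internal /24 both routed via ethernet1/2 in Inside, with an assumed default route out ethernet1/1); the image itself is not on the page. The second scenario reproduces the admin-guide one-to-one mapping example quoted later in the discussion (192.0.2.100 on Untrust-L3 translated to 10.1.1.100 in DMZ), with prefix lengths assumed, to show why that case yields Untrust-L3 to Untrust-L3 while this question does not.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    """One entry of the virtual router's forwarding table."""
    prefix: ipaddress.IPv4Network
    interface: str


def route_lookup(dest_ip: str, routes: list) -> Route:
    """Longest-prefix match on a destination, the way the firewall picks
    an egress interface."""
    ip = ipaddress.IPv4Address(dest_ip)
    matches = [r for r in routes if ip in r.prefix]
    if not matches:
        raise LookupError(f"no route for {dest_ip}")
    return max(matches, key=lambda r: r.prefix.prefixlen)


def zone_of(dest_ip: str, routes: list, iface_zone: dict) -> str:
    """Security zone of the egress interface selected by the route lookup."""
    return iface_zone[route_lookup(dest_ip, routes).interface]


def dnat_policy(ingress_zone, pre_nat_dst, post_nat_dst, routes, iface_zone):
    """Zone fields for a destination NAT rule and for the security rule
    that allows the translated session.

    NAT rule:      destination zone from a route lookup of the ORIGINAL
                   (pre-NAT) destination address.
    Security rule: source zone and destination IP are pre-NAT, but the
                   destination zone comes from the TRANSLATED address.
    """
    return {
        "nat_rule": {
            "from_zone": ingress_zone,
            "to_zone": zone_of(pre_nat_dst, routes, iface_zone),
            "destination": pre_nat_dst,
            "translated": post_nat_dst,
        },
        "security_rule": {
            "from_zone": ingress_zone,
            "to_zone": zone_of(post_nat_dst, routes, iface_zone),
            "destination": pre_nat_dst,
        },
    }


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(cidr)


def question_501():
    # Constructed routing table (assumed; the exam image is not on the page):
    # the public /27 containing the pre-NAT address and the internal /24 are
    # both reached via ethernet1/2, which sits in the Inside zone.
    routes = [
        Route(net("0.0.0.0/0"), "ethernet1/1"),
        Route(net("153.6.12.0/27"), "ethernet1/2"),
        Route(net("192.168.10.0/24"), "ethernet1/2"),
    ]
    iface_zone = {"ethernet1/1": "Outside", "ethernet1/2": "Inside"}
    return dnat_policy("Outside", "153.6.12.10", "192.168.10.10", routes, iface_zone)


def doc_example():
    # Admin-guide one-to-one mapping example: the public address is on the
    # Untrust-L3 interface's own subnet, so the NAT rule stays Untrust-L3 to
    # Untrust-L3 and only the security rule points at DMZ. Prefix lengths assumed.
    routes = [
        Route(net("192.0.2.0/24"), "ethernet1/1"),
        Route(net("10.1.1.0/24"), "ethernet1/2"),
    ]
    iface_zone = {"ethernet1/1": "Untrust-L3", "ethernet1/2": "DMZ"}
    return dnat_policy("Untrust-L3", "192.0.2.100", "10.1.1.100", routes, iface_zone)


if __name__ == "__main__":
    for name, result in (("question 501", question_501()),
                         ("admin-guide example", doc_example())):
        print(name, result)
```

The only input that differs between the two scenarios is where the pre-NAT address is routed; the "Outside to Outside" habit works for the admin-guide topology and fails for this question's routing table.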

Discussion

17 comments
jhoncena (Option: D)
Apr 10, 2023

Answer should be D... Outside to outside, based on the below: The destination zone in the NAT rule is determined after the route lookup of the destination IP address in the original packet (that is, the pre-NAT destination IP address). https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping

jhoncena
Apr 10, 2023

I know both routing entries refer to Inside, but the question is asking about the configuration part, not the logical flow... we need to configure outside > to > outside

jhoncena
Apr 10, 2023

No Inside should be correct : )

netsof
Jun 13, 2023

Good thinking you are correct, but check again the Routing table...

Knowledge33 (Option: D)
May 14, 2023

The answer is D, not B, guys. We don't care about the routing table. When a packet arrives on the outside interface, the PAN checks first if there is a DNAT configured for this traffic, and if the traffic is allowed. Then it can proceed with the forwarding lookup (routing table). That's why we need Outside>Outside NAT. B is totally wrong. There is no NAT on the Inside zone. Forget the routing table. It doesn't matter.

laroux
May 18, 2023

> The destination zone in the NAT rule is determined after the route lookup of the destination IP address in the original packet (that is, the pre-NAT destination IP address). https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping

Knowledge33
Jun 8, 2023

My bad. The response is B

Eluis007
Apr 9, 2024

A NAT rule is configured based on the zone associated with a pre-NAT IP address. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-policy-rules/nat-policy-overview

scanossa
Jul 18, 2024

Answer is D, a NAT rule is configured based on the zone associated with a pre-NAT IP address

hcir (Option: B)
Mar 18, 2024

I just tested it in the lab, and the answer is B. Inside. NAT uses the pre-NAT zone. The Zone is determined by the route lookup which for the destination IP is "inside".

Icke1973 (Option: B)
Apr 16, 2024

Net 153.6.12.0/27 will be routed to inside and is not an outside IP.

Pacheco (Option: D)
Feb 7, 2024

Answer is D, but I get why some people are saying B, since DNAT is one of the trickiest things to get right in PAN fws. It's just a matter of knowing and remembering the NAT formula, so let me explain: Everyone voting for B is correct in that the final destination zone for the traffic is going to be inside, but that's not the question here; the question is "what should the NAT rule dest zone be set to?", basically, "what should you use as the dest zone for your NAT rule?", so they're just throwing routing in there to throw you off, because for this question routing doesn't even matter because it will happen ***after*** NAT policy lookup. If you have ever configured NAT for public access to your website, for example, you know usually source and dest zones for DNAT are the same in PAN (outside to outside); routing will take care of sending the packet to its real destination after NAT policy is evaluated.

Pacheco
Feb 7, 2024

From this link (that shows you an image of the actual policy): https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping "The firewall receives the ARP request packet for destination 192.0.2.100 on the Ethernet1/1 interface and processes the request. The firewall responds to the ARP request with its own MAC address because of the destination NAT rule configured. The NAT rules are evaluated for a match. For the destination IP address to be translated, a destination NAT rule from zone Untrust-L3 to zone Untrust-L3 must be created to translate the destination IP of 192.0.2.100 to 10.1.1.100. After determining the translated address, the firewall performs a route lookup for destination 10.1.1.100 to determine the egress interface. In this example, the egress interface is Ethernet1/2 in zone DMZ."

Pacheco
Feb 7, 2024

And if you're worried about the fact that outside is not the real dest zone, remember the "formula" for configuring DNAT on PAN is: NAT rule: pre-NAT IPs + pre-NAT zones Sec rule: pre-NAT source zones + pre-NAT source and dest IP + post-NAT zone (yes, it doesn't make sense on paper to use the "real" dest zone for the sec rule with a pre-nat IP, but that's just how PAN does it. You can confirm this with the link above). Since the secpol is going to be evaluated after NAT and route lookup, using the pre-NAT source zone and post-NAT dest zone for the sec rule is going to take care of the correct routing and allowing of the packet. If you have ever taken the Firewall Essentials class, check your student manual for the destination NAT section. Answer is D.

lempsip
Jun 10, 2024

Pre NAT zone is inside not outside

scanossa
Jul 18, 2024

Why? Traffic is coming from the outside to the internal server, from Outside to the public IP, which is in the Outside zone too.

cloudconnect (Option: D)
Mar 4, 2024

The webserver having this 153.6.12.10 address that appears to be reachable through eth1/2 on the inside zone is a U-NAT situation - where internal users need to access a server using the server's external public IP instead of its private IP address. But, it doesn't mean that the internet users are accessing the network through eth1/2 on the firewall, as shown in route table.

0d2fdfa (Option: D)
May 29, 2024

outside to outside. always remember No Zone change for NAT. For Security Policy Pre NAT IP and POST NAT Zone.

Marshpillowz (Option: B)
Feb 4, 2024

I think B

JRKhan (Option: B)
Jan 18, 2024

Both the pre- and post-NAT addresses are in the inside zone, so the destination zone in the NAT policy will be Inside as well.

Metgatz (Option: B)
Dec 22, 2023

Public IP is Eth 1/2 which is Inside Zone - Option B inside

Andromeda1800 (Option: B)
Dec 14, 2023

In my opinion B is correct.

ItVik (Option: B)
Nov 28, 2023

Inside as Public IP is Eth 1/2 which is Inside Zone.

ATRRHMN (Option: B)
Jul 14, 2024

Pre-NAT IP is 153.6.12.10. Post-NAT zone is the one found after the routing lookup, which is "inside" --> next-hop for 192.168.10.0/24 is set to 192.168.1.2 (Eth1/2), which is in the inside zone.

scanossa (Option: B)
Jul 3, 2024

Pre-destination IP is also in the Inside zone, check the routing table, it is a tricky question

scanossa (Option: D)
Mar 1, 2024

The original connection comes from Outside to Outside. When it translates it to a different destination IP address, you do not specify any zone at all

omgt2k2 (Option: B)
Jan 24, 2024

The routing table shows that the destination network lives on the "inside" zone and not the "outside". look at this KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGZCA0
