Question 501

A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6.12.10, and the post-NAT IP address is 192.168.10.10. Refer to the routing and interfaces information below.

What should the NAT rule destination zone be set to?

    Correct Answer: B

    The destination zone in a NAT rule should be associated with where the packet is ultimately routed after the NAT translation is applied. Given that the pre-NAT IP address '153.6.12.10' resolves the route to interface 'ethernet1/2', which is linked to the 'Inside' security zone in the routing table, the destination zone should be set to 'Inside'. The NAT rules are configured based on the zone associated with the pre-NAT IP address as this aligns with the internal routing and firewall configuration.
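As an added worked example (not part of the original question or of any Palo Alto Networks code), the script below models the ordering the explanation relies on: the NAT rule's destination zone comes from a route lookup on the original (pre-NAT) destination address, the translation is then applied, and the security rule is matched on pre-NAT addresses but the post-NAT destination zone. The two routing tables are assumptions: the first is reconstructed from the figures quoted in the discussion (153.6.12.0/27 and 192.168.10.0/24 via ethernet1/2 in Inside), the second from the one-to-one destination NAT example in the PAN-OS documentation linked in the discussion (192.0.2.100 reached via Ethernet1/1 in Untrust-L3, 10.1.1.100 via Ethernet1/2 in DMZ). Running both side by side shows why the usual "Untrust to Untrust" pattern does not apply when the public prefix is routed to an inside interface.

```python
"""Model of how PAN-OS derives zones for a destination NAT rule and its
matching security rule: NAT lookup on pre-NAT addresses -> translate ->
route lookup -> security policy with post-NAT zones.

Constructed example; the routing tables are assumptions, not the page's
actual figure (which is not reproduced on the page)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str      # destination prefix, e.g. "153.6.12.0/27"
    interface: str   # egress interface for that prefix


@dataclass
class VirtualRouter:
    routes: tuple                  # Route entries
    zones: dict                    # interface name -> security zone

    def lookup(self, ip: str) -> Route:
        """Longest-prefix match, as a route lookup would do."""
        addr = ipaddress.ip_address(ip)
        best, best_len = None, -1
        for route in self.routes:
            net = ipaddress.ip_network(route.prefix)
            if addr in net and net.prefixlen > best_len:
                best, best_len = route, net.prefixlen
        if best is None:
            raise LookupError(f"no route for {ip}")
        return best

    def zone_of(self, ip: str) -> str:
        """Zone of the interface the route lookup for ip points at."""
        return self.zones[self.lookup(ip).interface]


def dnat_rule_zones(vr: VirtualRouter, ingress_zone: str, pre_nat_dst: str):
    """NAT rule zones: source = ingress zone of the packet; destination =
    zone found by routing the ORIGINAL (pre-NAT) destination address."""
    return (ingress_zone, vr.zone_of(pre_nat_dst))


def security_rule_for_dnat(vr: VirtualRouter, ingress_zone: str,
                           pre_nat_src: str, pre_nat_dst: str,
                           post_nat_dst: str) -> dict:
    """Security rule: pre-NAT source/destination ADDRESSES, but the
    destination ZONE is the post-NAT one (route lookup on the translated IP)."""
    return {
        "from_zone": ingress_zone,
        "to_zone": vr.zone_of(post_nat_dst),
        "source": pre_nat_src,
        "destination": pre_nat_dst,   # untranslated address, by design
    }


# Assumed routing table for the exam question, reconstructed from the
# discussion: the public /27 and the private /24 both sit behind ethernet1/2.
QUESTION_VR = VirtualRouter(
    routes=(Route("0.0.0.0/0", "ethernet1/1"),
            Route("153.6.12.0/27", "ethernet1/2"),
            Route("192.168.10.0/24", "ethernet1/2")),
    zones={"ethernet1/1": "Outside", "ethernet1/2": "Inside"},
)

# Assumed routing table matching the PAN-OS one-to-one DNAT doc example:
# the public address lives on the untrust interface, the server in DMZ.
DOCS_VR = VirtualRouter(
    routes=(Route("0.0.0.0/0", "ethernet1/1"),
            Route("192.0.2.0/24", "ethernet1/1"),
            Route("10.1.1.0/24", "ethernet1/2")),
    zones={"ethernet1/1": "Untrust-L3", "ethernet1/2": "DMZ"},
)


def main() -> None:
    for name, vr, zone, pre, post in (
        ("exam question", QUESTION_VR, "Outside", "153.6.12.10", "192.168.10.10"),
        ("PAN-OS doc example", DOCS_VR, "Untrust-L3", "192.0.2.100", "10.1.1.100"),
    ):
        print(f"{name}: NAT rule zones {dnat_rule_zones(vr, zone, pre)}, "
              f"security rule {security_rule_for_dnat(vr, zone, 'any', pre, post)}")


if __name__ == "__main__":
    main()
```

For the question's table the NAT rule comes out Outside to Inside and the security rule Outside to Inside; for the documentation's table the NAT rule is Untrust-L3 to Untrust-L3 and the security rule Untrust-L3 to DMZ, which is the pattern most engineers remember. The difference is entirely in where the pre-NAT prefix is routed, which is why the routing table in the question matters.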

Discussion
jhoncena (Option: D)

Answer should be D... Outside to Outside, based on the below: The destination zone in the NAT rule is determined after the route lookup of the destination IP address in the original packet (that is, the pre-NAT destination IP address). https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping

jhoncena

I know both routing entries refer to Inside, but the question is asking about the configuration part, not the logical flow... we need to configure Outside > to > Outside.

jhoncena

No, Inside should be correct :)

netsof

Good thinking you are correct, but check again the Routing table...

Knowledge33 (Option: D)

The answer is D, not B, guys. We don't care about the routing table. When a packet arrives on the outside interface, the PAN first checks if there is a DNAT configured for this traffic, and if the traffic is allowed. Then it can proceed with the forwarding lookup (routing table). That's why we need Outside>Outside NAT. B is totally wrong. There is no NAT on the Inside zone. Forget the routing table. It doesn't matter.

laroux

> The destination zone in the NAT rule is determined after the route lookup of the destination IP address in the original packet (that is, the pre-NAT destination IP address). https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping

Knowledge33

My bad. The response is B

Eluis007

A NAT rule is configured based on the zone associated with a pre-NAT IP address. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-policy-rules/nat-policy-overview

scanossa

Answer is D, a NAT rule is configured based on the zone associated with a pre-NAT IP address

hcir (Option: B)

I just tested it in the lab, and the answer is B. Inside. NAT uses the pre-NAT zone. The Zone is determined by the route lookup which for the destination IP is "inside".

Icke1973 (Option: B)

Net 153.6.12.0/27 will be routed to Inside and is not an outside IP.

Pacheco (Option: D)

Answer is D, but I get why some people are saying B, since DNAT is one of the trickiest things to get right in PAN firewalls. It's just a matter of knowing and remembering the NAT formula, so let me explain: Everyone voting for B is correct in that the final destination zone for the traffic is going to be Inside, but that's not the question here; the question is "what should the NAT rule dest zone be set to?", basically, "what should you use as the dest zone for your NAT rule?", so they're just throwing routing in there to throw you off, because for this question routing doesn't even matter, because it will happen ***after*** NAT policy lookup. If you have ever configured NAT for public access to your website, for example, you know source and dest zones for DNAT are usually the same in PAN (outside to outside); routing will take care of sending the packet to its real destination after NAT policy is evaluated.

Pacheco

From this link (that shows you an image of the actual policy): https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping "The firewall receives the ARP request packet for destination 192.0.2.100 on the Ethernet1/1 interface and processes the request. The firewall responds to the ARP request with its own MAC address because of the destination NAT rule configured. The NAT rules are evaluated for a match. For the destination IP address to be translated, a destination NAT rule from zone Untrust-L3 to zone Untrust-L3 must be created to translate the destination IP of 192.0.2.100 to 10.1.1.100. After determining the translated address, the firewall performs a route lookup for destination 10.1.1.100 to determine the egress interface. In this example, the egress interface is Ethernet1/2 in zone DMZ."

Pacheco

And if you're worried about the fact that outside is not the real dest zone, remember the "formula" for configuring DNAT on PAN is: NAT rule: pre-NAT IPs + pre-NAT zones Sec rule: pre-NAT source zones + pre-NAT source and dest IP + post-NAT zone (yes, it doesn't make sense on paper to use the "real" dest zone for the sec rule with a pre-nat IP, but that's just how PAN does it. You can confirm this with the link above). Since the secpol is going to be evaluated after NAT and route lookup, using the pre-NAT source zone and post-NAT dest zone for the sec rule is going to take care of the correct routing and allowing of the packet. If you have ever taken the Firewall Essentials class, check your student manual for the destination NAT section. Answer is D.

lempsip

Pre NAT zone is inside not outside

scanossa

Why? Traffic is coming from the outside to the internal server, from Outside to the public IP, which is in the Outside zone too.

cloudconnect (Option: D)

The webserver having this 153.6.12.10 address that appears to be reachable through eth1/2 on the Inside zone is a U-turn NAT situation, where internal users need to access a server using the server's external public IP instead of its private IP address. But it doesn't mean that the internet users are accessing the network through eth1/2 on the firewall, as shown in the route table.

0d2fdfa (Option: D)

Outside to Outside. Always remember: no zone change for NAT. For the security policy: pre-NAT IP and post-NAT zone.

Marshpillowz (Option: B)

I think B

JRKhan (Option: B)

Both the pre- and post-NAT addresses are in the Inside zone, so the destination zone in the NAT policy will be Inside as well.

Metgatz (Option: B)

Public IP is on Eth 1/2, which is in the Inside zone. Option B, Inside.

Andromeda1800 (Option: B)

In my opinion B is correct.

ItVik (Option: B)

Inside, as the public IP is on Eth 1/2, which is in the Inside zone.

ATRRHMN (Option: B)

Pre-NAT IP is 153.6.12.10. The post-NAT zone is the one found after the routing lookup, which is "inside": the next hop for 192.168.10.0/24 is set to 192.168.1.2 (Eth1/2), which is in the Inside zone.

scanossa (Option: B)

The pre-NAT destination IP is also in the Inside zone; check the routing table. It is a tricky question.

scanossa (Option: D)

The original connection comes from Outside to Outside. When it translates to a different destination IP address, you do not specify any zone at all.

omgt2k2 (Option: B)

The routing table shows that the destination network lives in the "inside" zone and not the "outside". Look at this KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGZCA0
