PCNSE Exam Questions

PCNSE Exam - Question 501

A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6.12.10, and the post-NAT IP address is 192.168.10.10. Refer to the routing and interfaces information below.

What should the NAT rule destination zone be set to?

Correct Answer: B

The destination zone in a NAT rule corresponds to where the firewall's route lookup sends the packet's destination address. Because the pre-NAT IP address 153.6.12.10 matches a route out of interface ethernet1/2, which the routing and interface information places in the 'Inside' security zone, the destination zone should be set to 'Inside'. NAT rules are configured with the zone associated with the pre-NAT IP address, which is consistent with the internal routing and firewall configuration.
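As an added illustration for this page (it is not PAN-OS code and not part of the exam question), the following Python models the zone derivation the explanation describes: a longest-prefix route lookup of the packet's pre-NAT destination address, mapped to the zone of the egress interface that lookup selects. The routing table, interface names, next hops and the interface-to-zone mapping are constructed to match what the discussion below mentions (153.6.12.0/27 and 192.168.10.0/24 both reached via ethernet1/2 in the Inside zone, internet traffic arriving on an Outside interface assumed to be ethernet1/1); the question's real table is not reproduced here, so all of those values are assumptions. The `with_public_block_on` helper swaps the public /27 onto the outside interface to show the more common deployment, where the same lookup yields the Outside-to-Outside rule several commenters describe.

```python
"""Model of how a PAN-OS style firewall derives the zones of a destination
NAT rule and of the matching security rule.  Added example for this page;
it is not PAN-OS code.  The routing table and zone mapping below are
constructed from what the discussion describes and are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]   # None means directly connected
    interface: str


# Assumed interface-to-zone mapping (the question's table is not reproduced).
INTERFACE_ZONES: Dict[str, str] = {
    "ethernet1/1": "Outside",   # internet-facing (assumption)
    "ethernet1/2": "Inside",
}

# Constructed routing table.  The public /27 that contains the pre-NAT
# address 153.6.12.10 is routed inward via ethernet1/2, which is the twist
# the comments argue about.  Next hops are RFC 5737 / private sample values.
PUBLIC_BLOCK = ipaddress.ip_network("153.6.12.0/27")
ROUTES: List[Route] = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "203.0.113.1", "ethernet1/1"),
    Route(ipaddress.ip_network("203.0.113.0/30"), None, "ethernet1/1"),
    Route(ipaddress.ip_network("192.168.1.0/30"), None, "ethernet1/2"),
    Route(PUBLIC_BLOCK, "192.168.1.2", "ethernet1/2"),
    Route(ipaddress.ip_network("192.168.10.0/24"), "192.168.1.2", "ethernet1/2"),
]


def fib_lookup(dest: str, routes: List[Route] = ROUTES) -> Route:
    """Longest-prefix match over the table (what a FIB lookup reports)."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        raise LookupError(f"no route to {dest}")
    return max(matches, key=lambda r: r.prefix.prefixlen)


def zone_for(dest: str, routes: List[Route] = ROUTES,
             zones: Dict[str, str] = INTERFACE_ZONES) -> str:
    """Zone of the egress interface the route lookup selects for dest."""
    return zones[fib_lookup(dest, routes).interface]


def dnat_rule_zones(ingress_zone: str, pre_nat_dst: str,
                    routes: List[Route] = ROUTES) -> Dict[str, str]:
    """NAT rule zones come from the original packet: the destination zone
    is whatever the route lookup of the *pre-NAT* destination yields."""
    return {"from": ingress_zone, "to": zone_for(pre_nat_dst, routes)}


def security_rule_zones(ingress_zone: str, post_nat_dst: str,
                        routes: List[Route] = ROUTES) -> Dict[str, str]:
    """Security rule zones: pre-NAT source zone, post-NAT destination zone
    (the addresses written in the rule stay pre-NAT)."""
    return {"from": ingress_zone, "to": zone_for(post_nat_dst, routes)}


def with_public_block_on(interface: str,
                         routes: List[Route] = ROUTES) -> List[Route]:
    """Variant table with 153.6.12.0/27 directly connected on `interface`,
    i.e. the usual deployment where the public block sits on the edge."""
    return [r for r in routes if r.prefix != PUBLIC_BLOCK] + [
        Route(PUBLIC_BLOCK, None, interface)]


if __name__ == "__main__":
    print("NAT rule zones:     ",
          dnat_rule_zones("Outside", "153.6.12.10"))       # Outside -> Inside
    print("Security rule zones:",
          security_rule_zones("Outside", "192.168.10.10")) # Outside -> Inside
    print("Public /27 on edge: ",
          dnat_rule_zones("Outside", "153.6.12.10",
                          with_public_block_on("ethernet1/1")))  # Outside -> Outside
```

Run as a script it prints the zone pair for the NAT rule and for the security rule under the constructed table, then the pair you would get if the public block were on the outside interface instead. The design point is that both camps in the discussion below are applying the same mechanism; they differ on whether the route for the pre-NAT address points inward, which only the question's routing table can settle.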

Discussion

43 comments
jhoncena
Apr 11, 2023

Answer should be D: Outside to outside, based on the below. "The destination zone in the NAT rule is determined after the route lookup of the destination IP address in the original packet (that is, the pre-NAT destination IP address)." https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping

jhoncena
Apr 11, 2023

I know both routing entries refer to Inside but the question is asking about the configuration part not the logical flow .. we need to configure outside > to > outside

jhoncena
Apr 11, 2023

No Inside should be correct : )

[Removed]
Jun 13, 2023

Good thinking you are correct, but check again the Routing table...

Knowledge33 (Option: D)
May 14, 2023

The answer is D, not B guys. We don't care about the routing table. When a packet arrives on the outside interface, the PAN checks first if there is a DNAT configured for this traffic, and if the traffic is allowed. Then it can proceed with the forwarding lookup (routing table). That's why we need Outside>Outside NAT. B is totally wrong. There is no NAT on the Inside zone. Forget the routing table. It doesn't matter.

laroux
May 18, 2023

> The destination zone in the NAT rule is determined after the route lookup of the destination IP address in the original packet (that is, the pre-NAT destination IP address). https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping

Knowledge33
Jun 8, 2023

My bad. The response is B

Eluis007
Apr 9, 2024

A NAT rule is configured based on the zone associated with a pre-NAT IP address. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-policy-rules/nat-policy-overview

scanossa
Jul 18, 2024

Answer is D, a NAT rule is configured based on the zone associated with a pre-NAT IP address

hcir
Mar 18, 2024

I just tested it in the lab, and the answer is B. Inside. NAT uses the pre-NAT zone. The Zone is determined by the route lookup which for the destination IP is "inside".

Icke1973 (Option: B)
Apr 16, 2024

Net 153.6.12.0/27 will be routed to inside and is not an outside IP.

kewokil120 (Option: B)
Apr 7, 2023

correcting my answer. Should be B. Route 1 Matches the 153 public. Then Route 2 matches the dest. Eth1/2 is used for both routes. Eth1/2 is inside.

Pacheco (Option: D)
Feb 7, 2024

Answer is D, but I get why some people are saying B, since DNAT is one of the trickiest things to get right in PAN fws. It's just a matter of knowing and remembering the NAT formula, so let me explain: Everyone voting for B is correct in that the final destination zone for the traffic is going to be inside, but that's not the question here; the question is "what should the NAT rule dest zone be set to?", basically, "what should you use as the dest zone for your NAT rule?", so they're just throwing routing in there to throw you off, because for this question routing doesn't even matter because it will happen ***after*** NAT policy lookup. If you have ever configured NAT for public access to your website, for example, you know usually source and dest zones for DNAT are the same in PAN (outside to outside); routing will take care of sending the packet to its real destination after NAT policy is evaluated.

Pacheco
Feb 7, 2024

From this link (that shows you an image of the actual policy): https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping "The firewall receives the ARP request packet for destination 192.0.2.100 on the Ethernet1/1 interface and processes the request. The firewall responds to the ARP request with its own MAC address because of the destination NAT rule configured. The NAT rules are evaluated for a match. For the destination IP address to be translated, a destination NAT rule from zone Untrust-L3 to zone Untrust-L3 must be created to translate the destination IP of 192.0.2.100 to 10.1.1.100. After determining the translated address, the firewall performs a route lookup for destination 10.1.1.100 to determine the egress interface. In this example, the egress interface is Ethernet1/2 in zone DMZ."

Pacheco
Feb 7, 2024

And if you're worried about the fact that outside is not the real dest zone, remember the "formula" for configuring DNAT on PAN is: NAT rule: pre-NAT IPs + pre-NAT zones Sec rule: pre-NAT source zones + pre-NAT source and dest IP + post-NAT zone (yes, it doesn't make sense on paper to use the "real" dest zone for the sec rule with a pre-nat IP, but that's just how PAN does it. You can confirm this with the link above). Since the secpol is going to be evaluated after NAT and route lookup, using the pre-NAT source zone and post-NAT dest zone for the sec rule is going to take care of the correct routing and allowing of the packet. If you have ever taken the Firewall Essentials class, check your student manual for the destination NAT section. Answer is D.

lempsip
Jun 11, 2024

Pre NAT zone is inside not outside

scanossa
Jul 18, 2024

Why? Traffic is coming from the outside to the internal server, from Outside to the public IP, which is in the Outside zone too.

cloudconnect (Option: D)
Mar 5, 2024

The webserver having this 153.6.12.10 address that appears to be reachable through eth1/2 on the inside zone is a U-NAT situation - where internal users need to access a server using the server's external public IP instead of its private IP address. But, it doesn't mean that the internet users are accessing the network through eth1/2 on the firewall, as shown in route table.

Acidscars (Option: B)
Mar 25, 2023

I think it is B. It looks like based on the routes both the Original Destination and Translated Destination would go to the Inside zone. I pull this same zone-routing trick at work when routing our publicly owned space internally to make NAT zones less confusing.

dgonz (Option: D)
Jul 24, 2023

outside to outside

sov4 (Option: B)
Jul 30, 2023

B Inside. Both the pre-NAT and post-NAT IPs are in the Inside zone. Inside would be the source and destination zone.

sov4
Aug 1, 2023

Additional info for those that realize the pre-Nat ip isn’t on the firewall, but exists as a route. According to this doc this is acceptable. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGZCA0

0d2fdfa (Option: D)
May 30, 2024

Outside to outside. Always remember: no zone change for NAT. For security policy, pre-NAT IP and post-NAT zone.

kewokil120 (Option: D)
Mar 20, 2023

D is the answer

markeloff23 (Option: D)
Mar 31, 2023

D. Receiving from OUTSIDE to OUTSIDE zone (in DSTNAT) https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-with-port-translation-example#id053beeb9-fde0-445b-99d0-5dd5a1000b7c

kewokil120
Apr 7, 2023

You're assuming public IP = outside. The routes do not support that assumption.

Betty2022 (Option: D)
Jul 29, 2023

D: The question relates to the NAT rule destination, so source Outside to destination Outside. B: would be the destination zone for policy creation; after determining the translated address, the firewall performs a route lookup to determine the egress interface and zone.

Jeyram02
Oct 22, 2023

Answer D, because the NAT rule is Outside-Outside and the security rule is Outside-Inside.

missakid (Option: B)
Oct 31, 2023

The most common mistakes when configuring NAT and security rules are the references to the zones and address objects. The addresses used in destination NAT rules always refer to the original IP address in the packet (that is, the pre-translated address). The destination zone in the NAT rule is determined after the route lookup of the destination IP address in the original packet (that is, the pre-NAT destination IP address). https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping

Pacheco
Feb 7, 2024

"The destination zone in the NAT rule is determined after the route lookup of the destination IP address in the original packet (that is, the pre-NAT destination IP address)." This statement is not correct and your own link proves it: The NAT rules are evaluated for a match. For the destination IP address to be translated, a destination NAT rule from zone Untrust-L3 to zone Untrust-L3 must be created to translate the destination IP of 192.0.2.100 to 10.1.1.100. After determining the translated address, the firewall performs a route lookup for destination 10.1.1.100 to determine the egress interface. In this example, the egress interface is Ethernet1/2 in zone DMZ.

wallaka
Mar 25, 2024

There isn't a DMZ zone in the question so I'm not sure why you keep quoting the explanation with DMZ.

ItVik (Option: B)
Nov 28, 2023

Inside as Public IP is Eth 1/2 which is Inside Zone.

Andromeda1800 (Option: B)
Dec 14, 2023

In my opinion B is correct.

Metgatz (Option: B)
Dec 22, 2023

Public IP is Eth 1/2 which is Inside Zone - Option B inside

JRKhan (Option: B)
Jan 18, 2024

Both the pre and post nat addresses are in the inside zone so the destination zone in the nat policy will be Inside as well.

Marshpillowz (Option: B)
Feb 4, 2024

I think B

scanossa (Option: B)
Jul 3, 2024

The pre-NAT destination IP is also in the Inside zone; check the routing table. It is a tricky question.

Bau24 (Option: B)
Jul 26, 2024

The pre-nat ip address is not on firewall itself and just routed to the inside network, so the Destination zone will be INSIDE

thelittleyellowbirdie
Aug 16, 2024

this was in my exam 09/08/2024

362c603 (Option: D)
Oct 16, 2024

Took and passed the exam today. I answered Outside. DNAT source and DST zone should be the pre-NAT zone. I got a few new questions that aren't here. If you at least study the concept and use this website as extra study material, you should be good.

kewokil120 (Option: D)
Dec 14, 2024

Answer is D. Refer to https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping and the first image.

procheeseburger
Jun 14, 2023

It's B... here is another obnoxious PCNSE question that wants to trip you up.

PaloSteve
Jul 26, 2023

From the still definitive NAT resource [Understanding and Configuring NAT Rev 4.1C (https://knowledgebase.paloaltonetworks.com/servlet/fileField?entityId=ka10g000000D83FAAS&field=Attachment_1__Body__s)], "The addresses used in destination NAT rules always refer to the original IP address in the packet (i.e. the pre-translated address). The destination zone in the NAT rule is determined after the route lookup of the destination IP address on the original packet (i.e. the pre-NAT destination IP address)."

ChiaPet75
Sep 2, 2023

This is a bit of a tough one. The routing table shows that the destination network lives on the "inside" zone and not the "outside".

omgt2k2 (Option: B)
Jan 24, 2024

The routing table shows that the destination network lives on the "inside" zone and not the "outside". Look at this KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGZCA0

scanossa (Option: D)
Mar 1, 2024

The original connection comes from Outside to Outside. When it translates it to a different destination IP address, you do not specify any zone at all

ATRRHMN (Option: B)
Jul 14, 2024

Pre-NAT IP is 153.6.12.10. Post-NAT zone is the one found after the routing lookup, which is "inside" --> next-hop for 192.168.10.0/24 is set to 192.168.1.2 (Eth1/2), which is in the inside zone.

scanossa
Jul 24, 2024

This question was on my exam on July 23rd, 2024

Bau24 (Option: B)
Jul 25, 2024

B -Inside

Cosmonauta
Sep 24, 2024

The correct answer should be B. First the packet could go through the firewall without NAT; then the destination can be changed while it goes from false to internal; after NAT the firewall knows the route to follow.

corpguy (Option: D)
Nov 25, 2024

Should be the Untrust or outside zone to/from regardless of the routing table.

Pretorian (Option: D)
Nov 27, 2024

D is correct - Original packet for DNAT is untrust to untrust for zone.

SCCUser (Option: D)
Jan 16, 2025

The destination zone in the NAT rule is OUTSIDE, and the destination zone in the security rule is INSIDE.

corpguy (Option: B)
Feb 1, 2025

The naming of the interfaces seems to be an attempt at a trick question.

Nkotrikadze (Option: B)
Feb 5, 2025

B is correct, tested in lab

DSBlue (Option: B)
Feb 22, 2025

It is B, the dest zone in the NAT rule must be that which the firewall has in its routing table for the pre-NAT dest address. I often check this with 'test routing fib-lookup vrouter vrname 1.1.1.1'

Redheidoo (Option: D)
Apr 27, 2025

Answer is D --> for destination NAT the Destination zone is always the same as the source zone