Exam PCNSE
Question 542

Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external, public NAT IP for that server.

Given the rule below, what change should be made to make sure the NAT works as expected?

    Correct Answer: D

    To make the NAT work as expected in a U-NAT (U-turn NAT) scenario where the user and the server are in the same zone (Trust_L3), a source translation must be added to the rule. The client sends its request to the server's public (NAT) IP, so the packet is routed to the firewall, which translates the destination to the server's private address. If the source is left untranslated, the server sees the client's private IP as the source and, because the client is on the same subnet, replies to it directly: the firewall never sees the return traffic (an asymmetric path, so the session never completes on the firewall), and the client receives a reply whose source is the server's private address rather than the public address it connected to, which its TCP/IP stack discards. Translating the original source IP to the firewall's Trust_L3 interface address forces the server to reply to the firewall, which reverses both translations so the client sees the reply come from the public IP and all traffic for the session flows through the firewall.

Discussion
sov4 (Option: D)

D. This one was on the exam... July 2023.

netsof (Option: D)

Adding my vote to D. Same zone U-turn NAT needs source NAT.

[Removed] (Option: D)

D https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK

Pochex (Option: D)

D is correct; review the example "U-turn NAT for Hosts and Web Servers in the Same Zone" at https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK

Andromeda1800 (Option: D)

U-NAT for the same zone requires source address translation as well.

Andromeda1800

To expand on my vote: if there were no source address translation, we'd have two issues. 1. The reply from the server would go directly to the client and not through the firewall, which is asymmetry. 2. The client would reject the server's response, since the source address of the response would be the web server's private IP address and not the public address. Clients usually reject responses from a source address that was not the destination address in their request.
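The two failure modes described in the answer explanation above and in Andromeda1800's post (the reply bypassing the firewall, and the client rejecting a reply from the server's private address) can be traced with a small model of the NAT session logic. This is an added example, not code from the original page or from Palo Alto Networks; the addresses (client 10.1.1.50 and server 10.1.1.10 in Trust_L3 10.1.1.0/24, firewall Trust_L3 interface 10.1.1.1, public NAT IP 203.0.113.10) are constructed for the illustration, and the model tracks IP addresses only, not ports, so it shows one client at a time.

```python
"""Model of U-turn (same-zone) NAT with and without source translation.

Constructed addresses (assumptions, not from the page): client 10.1.1.50 and
web server 10.1.1.10 both sit in Trust_L3 (10.1.1.0/24), the firewall's
Trust_L3 interface is 10.1.1.1, and 203.0.113.10 is the public NAT IP that
maps to the server.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TRUST_NET = ipaddress.ip_network("10.1.1.0/24")
CLIENT = "10.1.1.50"
SERVER = "10.1.1.10"
FW_TRUST_IF = "10.1.1.1"
PUBLIC_IP = "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Firewall:
    """Destination NAT for PUBLIC_IP -> SERVER, with optional source NAT.

    `sessions` maps the reply the firewall expects (server -> translated
    client address) back to the client's real address, the way a NAT
    session table un-translates return traffic. Ports are not modelled.
    """

    def __init__(self, source_nat_ip: Optional[str]) -> None:
        self.source_nat_ip = source_nat_ip
        self.sessions: Dict[Tuple[str, str], str] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Client -> public IP: apply the U-NAT rule and record the session."""
        if pkt.dst != PUBLIC_IP:
            return None  # rule does not match; not modelled further
        new_src = self.source_nat_ip or pkt.src
        self.sessions[(SERVER, new_src)] = pkt.src
        return Packet(src=new_src, dst=SERVER)

    def inbound_reply(self, pkt: Packet) -> Optional[Packet]:
        """Server -> firewall: reverse both translations if a session exists."""
        orig_client = self.sessions.get((pkt.src, pkt.dst))
        if orig_client is None:
            return None  # no matching session: dropped
        return Packet(src=PUBLIC_IP, dst=orig_client)


def next_hop(dst: str) -> str:
    """Where a Trust_L3 host sends a packet: straight to an on-link peer, or to
    the firewall (its default gateway, or the firewall's own interface)."""
    if dst == FW_TRUST_IF or ipaddress.ip_address(dst) not in TRUST_NET:
        return "firewall"
    return "direct"


def run_session(fw: Firewall) -> dict:
    """Client connects to the server's public IP; follow the reply path."""
    request = Packet(src=CLIENT, dst=PUBLIC_IP)
    assert next_hop(request.dst) == "firewall"  # public IP is off-subnet
    to_server = fw.outbound(request)
    reply = Packet(src=to_server.dst, dst=to_server.src)  # server answers whoever it saw
    if next_hop(reply.dst) == "firewall":
        delivered = fw.inbound_reply(reply)
        via_firewall = True
    else:
        delivered = reply  # lands on the client directly; the firewall never sees it
        via_firewall = False
    # A client only accepts a reply whose source is the address it sent to.
    client_accepts = (
        delivered is not None
        and delivered.src == request.dst
        and delivered.dst == request.src
    )
    return {
        "server_saw_source": to_server.src,
        "reply_via_firewall": via_firewall,
        "reply_source_seen_by_client": None if delivered is None else delivered.src,
        "client_accepts": client_accepts,
    }


if __name__ == "__main__":
    print("no source NAT:", run_session(Firewall(source_nat_ip=None)))
    print("source NAT:   ", run_session(Firewall(source_nat_ip=FW_TRUST_IF)))
```

Without source translation the firewall is left with a session that only ever saw the client-to-server direction, and the client sees a reply from 10.1.1.10 instead of 203.0.113.10 and drops it. With the source translated to the firewall's Trust_L3 interface, the server's reply is addressed to the firewall, the session table reverses both translations, and the client sees the reply come from the public IP it connected to.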

mercysayno765 (Option: D)

I think D is correct https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK

Marshpillowz (Option: D)

D is correct

carson1998 (Option: D)

Lol - Both of these devices are on the same L2 segment. The traffic between these devices would not go above the switch. But I guess D is correct.

regnojispi

Actually no. The switch does not know this is going to the NATed address yet, so it would forward it out to the FW.