Exam PCNSE
Question 407

Refer to the diagram. Users at an internal system want to SSH to the SSH server. The server is configured to respond only to SSH requests coming from IP 172.16.15.1.

In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?

    Correct Answer: D

    For the users in the trust zone (192.168.15.x) to SSH to the server which only accepts requests from 172.16.15.1, source NAT (SNAT) must be used to translate the source IP address to 172.16.15.1. This allows the server to recognize the incoming request as coming from the allowed IP address. The source translation should be performed dynamically using the firewall interface (ethernet1/4) connected to the server. The security rule should permit traffic from the trust zone to the server zone for SSH application traffic. Hence, the correct configuration is specified in option D.
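The explanation above, and the pre-NAT/post-NAT argument that runs through the discussion below, can be made concrete by modelling the evaluation order a PAN-OS firewall applies: the NAT rule is matched on pre-NAT zones and addresses, the security rule on post-NAT zones but pre-NAT addresses, and the address rewrite itself happens only as the packet leaves the firewall. The following is an added example written for this page, not PAN-OS code or anything from the exam. It takes from the page the trust LAN (192.168.15.x, host 192.168.15.47 from the discussion), the server-facing interface ethernet1/4 and the only source the server accepts (172.16.15.1); the trust-side interface name and address, the server's own address (SERVER_IP) and the rule names are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed topology. The page gives the trust LAN (192.168.15.x), the firewall
# interface facing the server (ethernet1/4) and the only source the server accepts
# (172.16.15.1). The trust-side interface name, its address and the server's own
# address are assumptions made for this model.
INTERFACES = {
    "ethernet1/3": {"zone": "trust", "address": "192.168.15.254", "network": "192.168.15.0/24"},
    "ethernet1/4": {"zone": "server", "address": "172.16.15.1", "network": "172.16.15.0/24"},
}
SERVER_IP = "172.16.15.10"            # placeholder: the real address is only in the diagram
SERVER_ACCEPTS_FROM = "172.16.15.1"   # from the question text


def connected_interface(ip: str) -> str:
    """Route lookup: the directly connected network that contains ip."""
    addr = ip_address(ip)
    for name, intf in INTERFACES.items():
        if addr in ip_network(intf["network"]):
            return name
    raise LookupError(f"no route to {ip}")


@dataclass
class NatRule:
    name: str
    from_zone: str                        # pre-NAT source zone
    to_zone: str                          # pre-NAT destination zone
    source: str                           # pre-NAT source prefix
    destination: str                      # pre-NAT destination prefix
    snat_interface: Optional[str] = None  # dynamic IP/port using this interface's address
    dnat_to: Optional[str] = None         # destination translation target, if any


@dataclass
class SecurityRule:
    name: str
    from_zone: str                        # post-NAT source zone
    to_zone: str                          # post-NAT destination zone
    source: str                           # pre-NAT source prefix
    destination: str                      # pre-NAT destination prefix
    application: str
    action: str


@dataclass
class Verdict:
    action: str
    nat_rule: Optional[str]
    security_rule: Optional[str]
    src_seen_by_server: Optional[str]
    dst_seen_by_server: Optional[str]


def _addresses_match(rule, src: str, dst: str) -> bool:
    return (ip_address(src) in ip_network(rule.source)
            and ip_address(dst) in ip_network(rule.destination))


def evaluate(src_ip, dst_ip, application, nat_rules, sec_rules) -> Verdict:
    # Pre-NAT zones: ingress interface for the source, route lookup on the original destination.
    src_zone = INTERFACES[connected_interface(src_ip)]["zone"]
    dst_zone = INTERFACES[connected_interface(dst_ip)]["zone"]

    # 1. NAT lookup uses pre-NAT zones and pre-NAT addresses.
    nat = next((r for r in nat_rules if r.from_zone == src_zone and r.to_zone == dst_zone
                and _addresses_match(r, src_ip, dst_ip)), None)

    # 2. Work out the post-NAT addresses, but do not rewrite the packet yet.
    post_src, post_dst = src_ip, dst_ip
    if nat and nat.dnat_to:
        post_dst = nat.dnat_to
    if nat and nat.snat_interface:
        post_src = INTERFACES[nat.snat_interface]["address"]
    post_dst_zone = INTERFACES[connected_interface(post_dst)]["zone"]

    # 3. Security lookup uses post-NAT zones but still the pre-NAT addresses.
    sec = next((r for r in sec_rules if r.from_zone == src_zone and r.to_zone == post_dst_zone
                and _addresses_match(r, src_ip, dst_ip) and r.application == application), None)
    if sec is None or sec.action != "allow":   # no match: implicit interzone deny
        return Verdict("deny", nat.name if nat else None, sec.name if sec else None, None, None)

    # 4. Translation is applied only as the packet leaves the firewall.
    return Verdict("allow", nat.name if nat else None, sec.name, post_src, post_dst)


# Rules in the shape of option D: source NAT via ethernet1/4, security rule trust -> server for ssh.
OPTION_D_NAT = [NatRule("ssh-snat", "trust", "server", "192.168.15.0/24", "0.0.0.0/0",
                        snat_interface="ethernet1/4")]
OPTION_D_SECURITY = [SecurityRule("allow-ssh", "trust", "server", "192.168.15.0/24",
                                  f"{SERVER_IP}/32", "ssh", "allow")]


def ssh_session(src_ip: str, nat_rules: List[NatRule], sec_rules: List[SecurityRule]) -> Verdict:
    return evaluate(src_ip, SERVER_IP, "ssh", nat_rules, sec_rules)


def server_accepts(verdict: Verdict) -> bool:
    """The server's own filter: it answers only if the source it sees is 172.16.15.1."""
    return verdict.action == "allow" and verdict.src_seen_by_server == SERVER_ACCEPTS_FROM


if __name__ == "__main__":
    v = ssh_session("192.168.15.47", OPTION_D_NAT, OPTION_D_SECURITY)
    print(v, "server accepts:", server_accepts(v))
```

Running it shows the server seeing 172.16.15.1 as the source only when the source NAT rule is present; drop the NAT rule and the security rule still allows the session, but the server sees 192.168.15.47 and refuses it. It also shows the mistake several commenters describe: a security rule written with the post-NAT source address (172.16.15.1/32) never matches, because security policy matches on pre-NAT addresses, and the session falls to the implicit deny.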

Discussion
chrisy042 (Option: D)

We should use source NAT for the Trust zone in this case. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/source-nat-and-destination-nat/source-nat

evdw (Option: D)

Correct answer is D.
SNAT => source zone (pre-NAT): TRUST, dest zone (pre-NAT): SERVER
Policy => source zone (pre-NAT): TRUST, dest zone (post-NAT): SERVER

dogeatdog (Option: B)

Keep in mind that the translation of the IP address and port do not occur until the packet leaves the firewall. The NAT rules and security policies apply to the original IP address (the pre-NAT address). A NAT rule is configured based on the zone associated with a pre-NAT IP address. Security policies differ from NAT rules because security policies examine post-NAT zones to determine whether the packet is allowed or not. Because the very nature of NAT is to modify source or destination IP addresses, which can result in modifying the packet’s outgoing interface and zone, security policies are enforced on the post-NAT zone.

javim

I totally agree! Correct answer B

confusion (Option: D)

D. S-NAT is what we're looking for here.

ceyave7754 (Option: D)

So here's why it's not B: Security Policies should have pre-NAT IPs and post-NAT Zones (https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/nat/nat-policy-rules/nat-policy-overview). For B to be correct (which it could have been, mind) the pre-NAT IP in the Security Policy's destination IP should've been 192.168.15.1. This leaves D as the only correct answer.

jam1234 (Option: D)

The example is here: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/source-and-destination-nat-example

jam1234

Based on the example, since 80.80.80.80 is not intended for an internal setup, there is no need to have a post-NAT IP.

javim (Option: B)

Correct answer is B. In NAT, source zone and destination is Trust. In policy rule, source is Trust and destination Server.

Wayne366 (Option: B)

Everyone is saying D, but I am pretty sure it's B. The NAT rule for Source NAT is to use pre zones, so Trust/Trust, whereas for the security rule, it's post zone, Trust/Server.

Wayne366

Sorry ignore me!

0d2fdfa (Option: A)

Why not A? This is the specific source IP.

ARWANGSH (Option: D)

The question calls for source NAT, i.e. make the request appear to come from 172.16.15.1, so D is the only correct option (B describes destination NAT).

evilCorpBot7494 (Option: D)

It is D and not C because the translation you want to perform won't be of the destination, but of the source of the request. So that when you get to the SSH server (which was your original destination from beginning to end) it sees that the origin of the request was the 172.16.15.1 that it is expecting. Without source NAT translation, the source IP would be 192.168.15.47 and the server would reject it.

Marshpillowz (Option: D)

Answer is D

JoyBoyMx (Option: D)

Answer is D. As the server only allows packets coming from IP 172.16.15.1, Source NAT should be used. If we go for option B, then the source will remain with the original IP, which is 192.168.15.47, and the server won't allow those packets.

Genos (Option: D)

Explanation: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhwCAC

[Removed] (Option: B)

In NAT the source and dest are the same (source).

Frightened_Acrobat (Option: D)

This video helps explain why: https://www.youtube.com/watch?v=Ahrao6kBg8w

certprep2021 (Option: D)

It will be source NAT.