Exam PCNSE topic 1 question 501 discussion

Answer should be D .. Outside to outside based on below : The destination zone in the NAT rule is determined after the route lookup of the destination IP address in the original packet (that is, the pre-NAT destination IP address). https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping

The answer is D, not B guys. We don't care about the routing table. When a paccket arrive on the outside Interface, The PAN checks first if there is a DNAT configured for this trafic, and If the trafic is allowed. Then It can proceed with the forwarding lookup (Routing table). That's why we need Outside>Outside NAT. B is totally wrong. There is no NAT on the Inside zone. FOrget the Routing table. It doesn't matter.

Answer is D. Refer to https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping and the first image.

D is correct - Original packet for DNAT is untrust to untrust for zone.

Should be the Untrust or outside zone to/from regardless of the routing table.

took and passed exam today. I answered Outside. DNAT Source and DST Zone should be PreNAT zone. I got few new questions that aren't here. If you at least study the concept and use this website as an extra study material, you should be good.

The correct answer should be B, first the packet could go through the firewall without nat, then the destination can be changed while it goes from false to internal, after nat the firewall knows the route to follow.

this was in my exam 09/08/2024

The pre-nat ip address is not on firewall itself and just routed to the inside network, so the Destination zone will be INSIDE

B -Inside

This question was on my exam on July 23rd, 2024

Pre-NAT IP is 153.6.12.10 Post-NAT zone is the one found after routing lookup which is "inside" --> next-hop for 192.168.10.0/24 is set to 192.168.1.2 (Eth1/2) which is in the inside zone.

Pre-destination IP is also in the Inside zone, check the routing table, it is a tricky question

outside to outside. always remember No Zone change for NAT. For Security Policy Pre NAT IP and POST NAT Zone.

net 153.6.12.0/27 will be routed to inside and is not an outside ip.

I just tested it in the lab, and the answer is B. Inside. NAT uses the pre-NAT zone. The Zone is determined by the route lookup which for the destination IP is "inside".

The webserver having this 153.6.12.10 address that appears to be reachable through eth1/2 on the inside zone is a U-NAT situation - where internal users need to access a server using the server's external public IP instead of its private IP address. But, it doesn't mean that the internet users are accessing the network through eth1/2 on the firewall, as shown in route table.