Exam PCNSE topic 1 question 617 discussion

Actual exam question from Palo Alto Networks's PCNSE

Question #: 617
Topic #: 1

A new application server 192.168.197.40 has been deployed in the DMZ. There are no public IP addresses available, resulting in the server sharing NAT IP 198.51.100.88 with another DMZ serve that uses IP address 192.168.197.60. Firewall security and NAT rules have been configured. The application team has confirmed that the new server is able to establish a secure connection to an external database with IP address 203.0.113.40.

The database team reports that they are unable to establish a secure connection to 198.51.100.88 from 203.0.113.40. However, it confirms a successful ping test to 198.51.100.88.

Referring to the NAT configuration and traffic logs provided how can the firewall engineer resolve the situation and ensure inbound and outbound connections work concurrently for both DMZ servers?

A. Move the NAT rule 6 DMZ server 2 above NAT rule 5 DMZ server 1.
B. Replace the two NAT rules with a single rule that has both DMZ servers as "Source Address" both external servers as "Destination Address," and Source Translation remaining as is with bidirectional option enabled.
C. Configure separate source NAT and destination NAT rules for the two DMZ servers without using the bidirectional option.
D. Sharing a single NAT IP is possible for outbound connectivity not for inbound therefore a new public IP address must be obtained for the new DMZ server and used in the NAT rule 6 DMZ server 2.

Show Suggested Answer

Suggested Answer: D 🗳️

by Lara99 at Sept. 12, 2024, 10:53 a.m.

Comments

Submit Cancel

Grupalia1925

5 days, 18 hours ago

Selected Answer: C

La opción bidirectional crea, de forma implícita, una regla de DNAT 1:1: Todo tráfico entrante a 198.51.100.88 se traduce al primer servidor cuya regla se evalúa. Si dos reglas usan la misma IP pública con bidirectional, la primera que coincida “secuestra” todo el flujo entrante, dejando al otro servidor sin servicio. Separar SNAT y DNAT elimina el conflicto: Mantienes dos reglas de SNAT (una por cada servidor) para la salida. Creas dos reglas de DNAT explícitas, cada una con criterios que las diferencien (por ejemplo, el origen del servidor de base de datos 203.0.113.60 o 203.0.113.40, o bien utilizando puertos diferentes si fuera necesario). Así, el tráfico entrante dirigido a la misma IP (198.51.100.88) se distribuye correctamente, y ambos servidores funcionan en paralelo sin requerir otra IP pública.

upvoted 1 times

...

af67d32

4 months, 4 weeks ago

Selected Answer: B

A: irrelevant B: works --> Static IP—The same address is always used for the translation and the port is unchanged. For example, if the source range is 192.168.0.1—192.168.0.10 and the translation range is 10.0.0.1—10.0.0.10, address 192.168.0.2 is always translated to 10.0.0.2. The address range is virtually unlimited. AND Optional) Enable bidirectional translation for a Static IP source address translation if you want the firewall to create a corresponding translation (NAT or NPTv6) in the opposite direction of the translation you configure C: works as well but tidier D: overkilling. Here we aske what can be done to resolve the issue, not change the whole setup. I go for B uness you prove me wrong

upvoted 1 times

...

PoBratsky

5 months ago

Selected Answer: C

Answer is C. We can create separate dnat with source. If source is 203.0.113.40 translate to the 192.168.197.40, or if source is 203.0.113.60 translate to the 192.168.197.60. And with this dnat we can translate both traffic to the both servers with same port (for example 443).

upvoted 2 times

...