Exam PCNSE topic 1 question 617 discussion

Actual exam question from Palo Alto Networks' PCNSE
Question #: 617
Topic #: 1

A new application server 192.168.197.40 has been deployed in the DMZ. There are no public IP addresses available, resulting in the server sharing NAT IP 198.51.100.88 with another DMZ server that uses IP address 192.168.197.60. Firewall security and NAT rules have been configured. The application team has confirmed that the new server is able to establish a secure connection to an external database with IP address 203.0.113.40.

The database team reports that they are unable to establish a secure connection to 198.51.100.88 from 203.0.113.40. However, they confirm a successful ping test to 198.51.100.88.

Referring to the NAT configuration and traffic logs provided, how can the firewall engineer resolve the situation and ensure that inbound and outbound connections work concurrently for both DMZ servers?

  • A. Move NAT rule 6 (DMZ server 2) above NAT rule 5 (DMZ server 1).
  • B. Replace the two NAT rules with a single rule that has both DMZ servers as "Source Address", both external servers as "Destination Address", and Source Translation remaining as is, with the bidirectional option enabled.
  • C. Configure separate source NAT and destination NAT rules for the two DMZ servers without using the bidirectional option.
  • D. Sharing a single NAT IP is possible for outbound connectivity but not for inbound; therefore a new public IP address must be obtained for the new DMZ server and used in NAT rule 6 (DMZ server 2).
Suggested Answer: D

Comments

af67d32
1 week, 2 days ago
Selected Answer: B
A: irrelevant.
B: works. "Static IP: The same address is always used for the translation and the port is unchanged. For example, if the source range is 192.168.0.1-192.168.0.10 and the translation range is 10.0.0.1-10.0.0.10, address 192.168.0.2 is always translated to 10.0.0.2. The address range is virtually unlimited." AND "(Optional) Enable bidirectional translation for a Static IP source address translation if you want the firewall to create a corresponding translation (NAT or NPTv6) in the opposite direction of the translation you configure."
C: works as well, but tidier.
D: overkill. Here we are asked what can be done to resolve the issue, not to change the whole setup. I go for B unless you prove me wrong.
upvoted 1 times
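The scenario in the question, and the static-IP/bidirectional behaviour that af67d32 quotes above, can be worked through with a small model of how PAN-OS evaluates NAT policy: top-down, first match, with a bidirectional static-IP source NAT rule contributing an implicit reverse (destination NAT) rule. This is an added example, not Palo Alto Networks code and not the NAT configuration the question refers to. It assumes that rules 5 and 6 are both static-IP source NAT rules with the bidirectional option, leaves zone and service matching out, and constructs a second external host 203.0.113.60 as server 1's peer (the page only names 203.0.113.40). The rule and function names are made up for the illustration.

```python
"""Toy model of PAN-OS NAT policy lookup (top-down, first match) applied to
question 617.  Added illustration: not Palo Alto Networks code and not the
page's real NAT configuration.  Assumed: rules 5 and 6 are static-IP source
NAT rules with the bidirectional option; zone/service matching is omitted;
the external host 203.0.113.60 is constructed (the page only names
203.0.113.40)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DMZ1 = "192.168.197.60"   # existing DMZ server 1
DMZ2 = "192.168.197.40"   # new DMZ server 2
PUB = "198.51.100.88"     # shared NAT IP
DB1 = "203.0.113.60"      # constructed: external peer of server 1
DB2 = "203.0.113.40"      # external database named in the question


@dataclass
class Rule:
    name: str
    src: str = "any"                 # pre-NAT source address
    dst: str = "any"                 # pre-NAT destination address
    dst_port: Optional[int] = None   # None means "any"
    src_xlate: Optional[str] = None  # static-IP source translation
    dst_xlate: Optional[str] = None  # destination translation
    bidirectional: bool = False


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int


def expand(rules: List[Rule]) -> List[Rule]:
    """A bidirectional static-IP source NAT rule implies a reverse destination
    NAT rule: anything sent to the translated address is delivered to the
    original host.  It is placed directly behind its parent so rule order is
    preserved, which is what makes the ordering collision visible."""
    out: List[Rule] = []
    for r in rules:
        out.append(r)
        if r.bidirectional and r.src_xlate:
            out.append(Rule(name=f"{r.name} (implicit reverse)",
                            dst=r.src_xlate, dst_xlate=r.src))
    return out


def matches(r: Rule, f: Flow) -> bool:
    return (r.src in ("any", f.src)
            and r.dst in ("any", f.dst)
            and r.dst_port in (None, f.dst_port))


def lookup(rules: List[Rule], f: Flow) -> Tuple[Optional[str], str, str]:
    """First match wins.  Returns (rule name, post-NAT src, post-NAT dst)."""
    for r in expand(rules):
        if matches(r, f):
            return r.name, r.src_xlate or f.src, r.dst_xlate or f.dst
    return None, f.src, f.dst


def policy_as_deployed() -> List[Rule]:
    """Rules 5 and 6 as assumed in the question: both bidirectional static IP."""
    return [Rule("5 DMZ server 1", src=DMZ1, src_xlate=PUB, bidirectional=True),
            Rule("6 DMZ server 2", src=DMZ2, src_xlate=PUB, bidirectional=True)]


def policy_option_a() -> List[Rule]:
    """Option A: rule 6 moved above rule 5."""
    return list(reversed(policy_as_deployed()))


def policy_option_c() -> List[Rule]:
    """Option C: separate source NAT and destination NAT rules, no
    bidirectional flag.  Inbound flows are steered by the external peer's
    source address; giving each server its own destination port works the
    same way."""
    return [Rule("DNAT DB2 -> server 2", src=DB2, dst=PUB, dst_xlate=DMZ2),
            Rule("DNAT DB1 -> server 1", src=DB1, dst=PUB, dst_xlate=DMZ1),
            Rule("SNAT server 1", src=DMZ1, src_xlate=PUB),
            Rule("SNAT server 2", src=DMZ2, src_xlate=PUB)]


if __name__ == "__main__":
    for label, pol in [("as deployed", policy_as_deployed()),
                       ("option A", policy_option_a()),
                       ("option C", policy_option_c())]:
        print(f"== {label}")
        for f in (Flow(DMZ2, DB2, 443), Flow(DB2, PUB, 443), Flow(DB1, PUB, 443)):
            name, s, d = lookup(pol, f)
            print(f"  {f.src}->{f.dst}:{f.dst_port}  rule={name!r}  post-NAT {s}->{d}")
```

Running it prints the post-NAT addresses for each flow. With the rules as deployed, outbound traffic from 192.168.197.40 is translated to 198.51.100.88, which is what the application team observed, but the inbound connection from 203.0.113.40 is caught by rule 5's implicit reverse rule and delivered to 192.168.197.60, so it never reaches the new server. Moving rule 6 above rule 5 (option A) only moves the problem to server 1. Separate destination NAT rules keyed on the external peer's source address (or on the destination port) deliver each inbound flow to the right host while both servers keep sharing the public IP outbound. On a real firewall the equivalent check is `test nat-policy-match` on the CLI with the flow's pre-NAT zones, addresses and port, which reports the rule the firewall would actually select.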
PoBratsky
1 week, 5 days ago
Selected Answer: C
Answer is C. We can create separate DNAT rules keyed on the source. If the source is 203.0.113.40, translate to 192.168.197.40; if the source is 203.0.113.60, translate to 192.168.197.60. With these DNAT rules we can translate traffic to both servers on the same port (for example 443).
upvoted 1 times
Yohinar
3 months ago
Selected Answer: D
D is correct
upvoted 1 times
Style07
5 months, 1 week ago
Selected Answer: D
Either D-NAT on port, or allocate another Public IP
upvoted 4 times
Lara99
5 months, 1 week ago
D - I have had to do this in my role.
upvoted 4 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other