Exam PCNSA topic 1 question 168 discussion

1. Understanding DNAT in this scenario: Public IP (1.1.1.100) is mapped to two different private IPs based on the destination port. HTTP (Port 80) → 10.1.1.100 SSH (Port 22) → 10.1.1.101 2. How security policies evaluate traffic in DNAT? Security policies use post-NAT (translated) IP addresses when defining the destination. However, in some cases, you may also need to define rules for pre-NAT addresses depending on the firewall behavior. Checking Answer Choices: A. Incorrect – Uses 1.1.1.100 (pre-NAT) as the destination, but for SSH, the correct post-NAT IP is 10.1.1.101. B. Incorrect – The destination should be DMZ, not Untrust. C. Incorrect – Uses Untrust to Untrust, which is incorrect. The policy should be from Untrust to DMZ. D. Correct – Covers traffic from Untrust to DMZ, allowing SSH (for 10.1.1.101) and Web Browsing (for 10.1.1.100). E. Correct – Covers web-browsing (Port 80) but uses 1.1.1.100 (pre-NAT). Some firewall configurations require allowing traffic to the public IP before NAT is applied.

A, E are correct

A, E are correct

To define Destination, Security policy uses Post-NAT zone and Pre-NAT address

If we check DNAT, HTTP is for 1.1.1.100 so answer E And answer E is for the 2 DNAT and correct ports

i think its D , E

A and E

A and E are correct answers.