Click the Exhibit button. Your company has a Web server in the trust zone. You configure a
NAT rule to allow Internet users from the untrust zone to access this Web server. Internet
users use the public IP address 70.1.1.1 to access this Web server, but they report that the
server is not accessible. Referring to the exhibit, which configuration change would resolve
this problem?
A. set security nat proxy-arp interface fe-0/0/2 address 70.1.1.0/24
B. set security address-book global address web-server 192.168.1.11/32
C. set security zones security-zone untrust host-inbound-traffic system-services http
D. set security nat destination rule-set http rule 1 match source-address 0.0.0.0/0
Wrong. For destination NAT you will need a proxy-arp rule. Correct answer is A.
Surely it couldn’t be A though – two reasons:
1) The answer specifies a /24 mask which you can’t actually do
2) The destination NAT is to the same IP address as the SRX’s interface, therefore it already knows how to respond to ARPs for that IP address.
Correct answer has to be B because the policy is wrong otherwise.