A customer is implementing Prisma Access (Managed by Strata Cloud Manager) to connect mobile users, branch locations, and business-to-business (B2B) partners to its data centers. The solution must meet these requirements: The mobile users must have internet filtering, data center connectivity, and remote site connectivity to the branch locations. The branch locations must have internet filtering and data center connectivity. The B2B partner connections must only have access to internally hosted proprietary applications running on non-standard ports. There are overlapping prefixes advertised by the B2B partners. Which two actions will meet the customer requirements for the B2B connections? (Choose two answers)

A. Configure service connections for data center connectivity.
B. Configure remote networks with NAT pools for each of the B2B connections.
C. Advertise the corresponding network prefixes using eBGP or static routes.
D. NAT the traffic at the customer premises equipment (CPE).

Correct Answer: C,D

Brave-Dump Clients Votes

BD 50%

CD 50%

Comments

Anonymous User 2026-03-01 12:05:56

Selected Answers: B, D

The correct two answers are
B. Configure Remote Networks with NAT pools for each B2B connection
and
D. NAT traffic at the customer premises equipment

The Core Problem: Overlapping Prefixes
Prisma Access has a fundamental constraint — subnets across all remote network locations, service connections, and mobile user IP pools cannot overlap with each other. Since B2B partners are advertising overlapping IP prefixes, you cannot simply onboard them as standard Remote Networks and advertise their routes — Prisma Access would not be able to distinguish traffic from different partners sharing the same subnet space.

Why B and D Are Correct
Option B — Configure Remote Networks with NAT pools for each B2B connection
By assigning a unique NAT pool to each B2B partner's Remote Network configuration, Prisma Access performs source NAT on the partner's traffic, translating each partner's overlapping source IPs into a unique, non-overlapping range. This makes each partner's traffic distinguishable as it traverses the Prisma Access backbone toward the data center applications, without requiring changes at the partner's CPE.

Option D — NAT traffic at the customer premises equipment
The Prisma Access documentation explicitly states that overlapping subnet limitations can be bypassed by configuring source NAT on the on-premises device (firewall, router, or SD-WAN device) that terminates the IPSec tunnel on the B2B partner side. The CPE NATes the partner's traffic to a unique source IP range before it enters the tunnel, so Prisma Access sees distinct, non-overlapping prefixes from each partner.

Two-Layer NAT Strategy
These two options represent a CPE-side vs. Prisma Access-side choice — both resolve the same problem at different layers:

Option D — Partner NATes before traffic enters the tunnel (preferred when you control or can negotiate with the B2B partner's edge device)

Option B — Prisma Access NATes after receiving the tunnel traffic (preferred when the partner CPE is not under your control)

Ayesha 2026-03-06 23:29:52

Selected Answers: C, D

To address the requirements for B2B connections with overlapping prefixes advertised by partners, specifically allowing access to internally hosted proprietary applications, the following two actions are necessary:

NAT the traffic at the customer premises equipment (CPE). This action involves the B2B partner's Customer Premises Equipment (CPE) performing Network Address Translation (NAT) on their internal overlapping IP addresses. By doing so, the B2B partner presents unique, non-overlapping IP addresses to Prisma Access. This is a fundamental networking solution for handling overlapping IP spaces, ensuring that traffic from different B2B partners can be uniquely identified and routed. This approach circumvents the limitation where Prisma Access remote network locations with overlapping subnets are restricted to internet-bound traffic only, allowing access to internal applications .

Advertise the corresponding network prefixes using eBGP or static routes. Once the B2B partner's CPE has performed NAT, the now unique and non-overlapping network prefixes can be reliably advertised to Prisma Access. This can be achieved using dynamic routing protocols like eBGP or by configuring static routes . Prisma Access will then learn these unique routes, enabling it to correctly forward traffic from the B2B partners to the internally hosted proprietary applications in your data centers. Without prior NAT, advertising overlapping prefixes would lead to routing conflicts.