In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?

Refer to the diagram. Users at an internal system want to SSH to the SSH server. The server is configured to respond only to SSH requests coming from IP 172.16.16.1.

In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?
A. NAT Rule:
Source Zone: Trust
Source IP: Any
Destination Zone: Server
Destination IP: 172.16.15.10
Source Translation: Static IP / 172.16.15.1
Security Rule:
Source Zone: Trust
Source IP: Any
Destination Zone: Trust
Destination IP: 172.16.15.10
Application: ssh
B. NAT Rule:
Source Zone: Trust
Source IP: 192.168.15.0/24
Destination Zone: Trust
Destination IP: 192.168.15.1
Destination Translation: Static IP / 172.16.15.10
Security Rule:
Source Zone: Trust
Source IP: 192.168.15.0/24
Destination Zone: Server
Destination IP: 172.16.15.10
Application: ssh
C. NAT Rule:
Source Zone: Trust
Source IP: Any
Destination Zone: Trust
Destination IP: 192.168.15.1
Destination Translation: Static IP / 172.16.15.10
Security Rule:
Source Zone: Trust
Source IP: Any
Destination Zone: Server
Destination IP: 172.16.15.10
Application: ssh
D. NAT Rule:
Source Zone: Trust
Source IP: Any
Destination Zone: Server
Destination IP: 172.16.15.10
Source Translation: dynamic-ip-and-port / ethernet1/4
Security Rule:
Source Zone: Trust
Source IP: Any
Destination Zone: Server
Destination IP: 172.16.15.10
Application: ssh

Answer: D

Explanation:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhwCAC

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/source-nat-and-destination-nat/source-nat
