Exam Prep Questions

Question 1

What are two methods of address translation?

  • A. PATH

  • B. Dynamic

  • C. Static

  • D. Manual


Answers B and C are correct. Two types of translations are dynamic and static. Dynamic translation uses NAT or PAT to translate internal addresses to global external addresses. Static translation is the process of creating a permanent, one-to-one mapping of an internal address to a global address. Answer D, manual, is wrong. Although static mappings are a manual process, the most correct answer between static and manual is static. Answer A, PATH, has nothing to do with PIX firewall translations. Therefore, answer A is incorrect.

Question 2

Which command would you use to display only active static translations?

  • A. show xlate

  • B. show xlate state static

  • C. show static

  • D. show static active


Answer B is correct. The show xlate state static command displays only the active static entries in the xlate table. show xlate displays both static and dynamic entries in the table; the question asks for only active static translations, so answer A is incorrect. The show static command displays the manual static mappings you have created, not the actual active connections, so answer C is incorrect. The show static active command does not exist, so answer D is incorrect.

Question 3

What is the default xlate table entry timeout?

  • A. 5 minutes

  • B. 30 minutes

  • C. 60 minutes

  • D. 180 minutes


Answer D is correct. The default xlate table entry timeout is 180 minutes. If no traffic is using the xlate slot after 180 minutes, the entry is removed. Therefore, answers A, B, and C are incorrect.

Question 4

Packets travel through the PIX firewall if no connection or xlate entries exist.

  • A. True

  • B. False


Answer B is correct. Without a connection state or xlate slot, traffic will not flow through the PIX firewall. Normally, traffic from high security level interfaces can freely traverse the firewall, but in doing so a connection slot is created. Therefore, answer A is incorrect.

Question 5

What does the xlate keyword do?

  • A. It views and clears translations.

  • B. It sets timeout values.

  • C. It configures static mappings.

  • D. It creates translations.


Answer A is correct. The xlate command can be used to view and clear xlate translations. The timeout command is used to set timeout values, so answer B is incorrect. To configure static mappings, the static command is used, so answer C is incorrect. The xlate command does not create translations, so answer D is incorrect.

Question 6

What functions does the NAT command perform? (Select two.)

  • A. It enables address translations.

  • B. It disables address translations.

  • C. It creates active address translations.

  • D. It removes active address translations.


Answers A and B are correct. The nat command is used to create address pools that will be translated with the corresponding global command. The no nat command removes NAT configuration statements. The nat 0 command stops translations from occurring. This command does not create active address translations, so answer C is incorrect. It also does not remove active address translations, so answer D is incorrect.

Question 7

If you have addresses that don't need network address translation, which command would you use?

  • A. no nat

  • B. nat 0

  • C. no nat 0

  • D. global 0


Answer B is correct. The nat 0 command enables you to specify addresses that you don't want the PIX firewall to translate. This works well when you have computers in a DMZ that already have Internet public addresses but are protected by a firewall. The no nat command turns off NAT altogether, so answer A is incorrect. no nat 0 removes the NAT bypassing command, so answer C is incorrect. The global 0 command doesn't exist, so answer D is incorrect.

Question 8

Why would you choose not to use PAT?

  • A. PAT works only when you have few users.

  • B. PAT doesn't work with Telnet.

  • C. PAT doesn't work with most multimedia protocols.

  • D. It's not available on the PIX firewall.


Answer C is correct. Some multimedia protocols do not work across PAT because they use specific port numbers that PAT might have allocated to other users. If you need to support these protocols, use NAT because it translates only IP addresses and not ports. PAT can support 64,000 ports for users, so answer A is incorrect. Answer B is incorrect because PAT does work well with Telnet. PAT is available on the PIX firewall; therefore, answer D is incorrect.

Question 9

Why would you choose to use PAT over NAT?

  • A. You have enough IP addresses for all your internal users.

  • B. You have only a single IP address for all your internal users.

  • C. You have a small PIX firewall.

  • D. You want to save on memory allocations on your firewall.


Answer B is correct. PAT is a good choice when you have only a single IP address from your ISP. By using PAT, all your internal users can share a single IP address, and PAT uses port numbers for resolution. If you have enough IP addresses for all your internal users, you can use NAT, so answer A is incorrect. PAT is available on all sizes of PIX firewall and will not save you any memory by using it; therefore, answers C and D are incorrect.

Question 10

To allow inside users to access the outside, which commands are necessary? (Select two.)

  • A. conduit

  • B. access-list

  • C. pat

  • D. nat

  • E. global

  • F. xlate


Answers D and E are correct. The two commands necessary to allow access outside the PIX are nat and the corresponding global command. conduit commands allow inbound access and must be used in conjunction with a static command, so answer A is incorrect. The access-list command enables you to control who can enter an interface, so answer B is incorrect. The pat command does not exist, making answer C incorrect. xlate is used to view or clear translations, so answer F is incorrect.

Question 11

Select two reasons to use NAT.

  • A. To hide internal computers' real IP addresses from external users

  • B. To allow traffic to flow between interfaces

  • C. To create routing tables

  • D. To conserve non-RFC 1918 addresses for Internet users


Answers A and D are correct. NAT enables you to hide internal addresses from external users. NAT can also prolong the life of IPv4 by allowing private users to share addresses as they travel across the Internet. Answer B is incorrect because, although NAT helps translate internal addresses to external global addresses from the inside to the outside, static and conduit commands or access lists are needed to allow traffic from the outside interface to the inside interface. So, answer B is not totally correct; NAT alone does not allow all traffic to flow between interfaces. Answer C is incorrect because the route command is used to create routing table entries.

CSPFA Exam Cram 2 (Exam 642-521)
CCSP CSPFA Exam Cram 2 (Exam Cram 642-521)
ISBN: 0789730235
EAN: 2147483647
Year: 2003
Pages: 218
