| Question 1 | When you need inbound access through the PIX firewall, which commands are required? (Select two.)   A. pat   B. access-list   C. pass-through   D. nat   E. static | 
  | A1: | Answers B and E are correct. To allow inbound access to the PIX firewall, the static command is needed to create a static NAT entry to direct the traffic inbound. Also, the access-list command is needed to allow traffic into the interface. Answers A and D are incorrect because the pat and nat commands are used for traffic exiting the PIX firewall. Answer C is incorrect because the pass-through command does not exist. | 
  | Question 2 |  When creating turbo ACLs, why would you not use them on the smaller PIX firewall models?     A. They are not supported on the PIX 506.   B. They consume too much CPU power.   C. They are too complicated to set up.   D. They require a large amount of memory.   E. They are supported only on PIX 525 and PIX 535.  | 
  | A2: | Answer D is correct. Turbo ACLs require a minimum of 2MB of free memory and 16MB of flash to operate. Smaller firewalls such as the 506 can use them, but turbo ACLs typically consume too much flash memory and should therefore be used only when large numbers of access list entries exist. Large firewalls have more memory and can be configured with several turbo ACLs. Answer A is incorrect because turbo ACLs are supported on the 506; however, they are not supported on the 501. Answer B is incorrect because turbo ACLs consume a lot of CPU power only when you compile them. Otherwise, they run faster than normal ACLs. Answer C is incorrect because turbo ACLs are very easy to set up; you only need to add the parameter compiled on the access list. Answer E is incorrect because turbo ACLs are supported on all new PIX firewalls except the 501. | 
  | Question 3 | Which command is used to bind an ACL to an interface?   A. access-group   B. object-group   C. access-list   D. bind-interface | 
  | A3: | Answer A is correct. The access-group command is used to bind an access list to an interface. Answer B is incorrect because the object-group command is used to create new object groups. Answer C is incorrect because the access-list command creates entries for ACLs and doesn't bind them to an interface. Answer D is incorrect because the bind-interface command does not exist. | 
  | Question 4 |  Why would you bind an access list to the inside interface?     A. To control which traffic can enter the PIX firewall from the outside interface   B. To control outbound traffic   C. To allow outside interface traffic to the inside internal users   D. Because access lists can be set only on the outside interface  | 
  | A4: |  Answer B is correct. Access lists set on the inside interface enable you to control which traffic can enter the firewall. This can be used to block internal addresses from entering the PIX firewall and traveling to specific outside IP addresses. Answers A and C are incorrect because binding to the outside interface would control traffic coming in from the outside. Answer D is incorrect because an ACL can be placed on any interface.  | 
  | Question 5 |  Which object group types can be created on the PIX firewall? (Select four.)     A. Service   B. Port   C. ICMP type   D. DNS   E. Protocol   F. Host   G. Network  | 
  | A5: |  Answers A, C, E, and G are correct. The four types of object groups are service, protocol, ICMP type, and network. Therefore, answers B, D, and F are incorrect.  | 
  | Question 6 |  Object groups can be members of other object groups.  | 
  | A6: |  Answer A is correct. Object groups can be members of other object groups as long as all the groups are the same type. Therefore, answer B is incorrect.  | 
  | Question 7 | Which command allows you to delete object groups? (Select two.)   A. no object-group   B. delete object-group   C. remove object-group   D. clear object-group | 
  | A7: | Answers A and D are correct. To delete object groups, you use the no object-group or clear object-group command. The no object-group command deletes a single group, whereas the clear object-group command can delete all object groups. Answers B and C do not exist; therefore, they are incorrect. | 
  | Question 8 | What must be done to allow traffic to pass from the outside interface to a Web server behind the interface named dmz? (Select two.)   A. Create a static mapping entry to the outside interface.   B. Create a static mapping entry to the dmz interface.   C. Create a static mapping entry to the Web server.   D. Remove the ACL on the outside interface.   E. Link an ACL to the outside interface. | 
  | A8: | Answers C and E are correct. To allow traffic initiated on the outside to pass into the DMZ, a static mapping of a global address to the Web server must be created. Secondly, a conduit command or ACL must be used to permit traffic to come in from the outside interface. Answer A would not allow access to the Web server and is therefore incorrect. Answer B would only map a global address to the firewall address and is therefore also incorrect. Answer D is incorrect because you must have an ACL binding to the outside interface to allow traffic in. | 
  | Question 9 | What is the difference between access-list and conduit commands?   A. access-list commands can only have deny statements.   B. conduit command can only have permit statements.   C. conduit commands are applied directly to an interface.   D. access-list commands list the source and then destination, whereas conduit commands list the destination and then source. | 
  | A9: | Answer D is correct. access-list commands list the source and then the destination, whereas conduit commands are reversed, listing the destination followed by the source. Here are two examples: access-list (SOURCE)(DESTINATION) and conduit (DESTINATION)(SOURCE). Answers A and B are incorrect because both the access-list and conduit commands support permit and deny statements. Answer C is incorrect because the conduit command is not linked or assigned to a specific interface. | 
  | Question 10 |  When setting up complex access lists, what could you use to minimize the number of access list entries to be entered?  | 
  | A10: | Answer B is correct. By using object grouping, you can create small object groups of entries and reference them in other groups or the ACL. This minimizes the number of access list entries that need to be typed in. Answer A is incorrect because conduit commands would not minimize the number of entries. Answer C is incorrect because turbo ACLs speed up the processing of ACLs but do not minimize the number of entries. Answer D is incorrect because static mappings are used to transform a global address to an internal address. |