Exam Prep Questions


Question 1

When you need inbound access through the PIX firewall, which commands are required? (Select two.)

  • A. pat

  • B. access-list

  • C. pass-through

  • D. nat

  • E. static

A1:

Answers B and E are correct. To allow inbound access to the PIX firewall, the static command is needed to create a static NAT entry to direct the traffic inbound. Also, the access-list command is needed to allow traffic into the interface. Answers A and D are incorrect because the pat and nat commands are used for traffic exiting the PIX firewall. Answer C is incorrect because the pass-through command does not exist.

Question 2

When creating turbo ACLs, why would you not use them on the smaller PIX firewall models?

  • A. They are not supported on the PIX 506.

  • B. They consume too much CPU power.

  • C. They are too complicated to set up.

  • D. They require a large amount of memory.

  • E. They are supported only on PIX 525 and PIX 535.

A2:

Answer D is correct. Turbo ACLs require a minimum of 2MB of free memory and 16MB of flash to operate. Smaller firewalls such as the 506 can use them, but turbo ACLs typically consume too much flash memory and should therefore be used only when large numbers of access list entries exist. Large firewalls have more memory and can be configured with several turbo ACLs. Answer A is incorrect because turbo ACLs are supported on the 506; however, they are not supported on the 501. Answer B is incorrect because turbo ACLs consume a lot of CPU power only when you compile them. Otherwise, they run faster than normal ACLs. Answer C is incorrect because turbo ACLs are very easy to set up; you only need to add the parameter compiled on the access list. Answer E is incorrect because turbo ACLs are supported on all new PIX firewalls except the 501.

Question 3

Which command is used to bind an ACL to an interface?

  • A. access-group

  • B. object-group

  • C. access-list

  • D. bind-interface

A3:

Answer A is correct. The access-group command is used to bind an access list to an interface. Answer B is incorrect because the object-group command is used to create new object groups. Answer C is incorrect because the access-list command creates entries for ACLs and doesn't bind them to an interface. Answer D is incorrect because the bind-interface command does not exist.

Question 4

Why would you bind an access list to the inside interface?

  • A. To control which traffic can enter the PIX firewall from the outside interface

  • B. To control outbound traffic

  • C. To allow outside interface traffic to the inside internal users

  • D. Because access lists can be set only on the outside interface

A4:

Answer B is correct. Access lists set on the inside interface enable you to control which traffic can enter the firewall. This can be used to block internal addresses from entering the PIX firewall and traveling to specific outside IP addresses. Answers A and C are incorrect because binding to the outside interface would control traffic coming in from the outside. Answer D is incorrect because an ACL can be placed on any interface.

Question 5

Which object group types can be created on the PIX firewall? (Select four.)

  • A. Service

  • B. Port

  • C. ICMP type

  • D. DNS

  • E. Protocol

  • F. Host

  • G. Network

A5:

Answers A, C, E, and G are correct. The four types of object groups are service, protocol, ICMP type, and network. Therefore, answers B, D, and F are incorrect.

Question 6

Object groups can be members of other object groups.

  • A. True

  • B. False

A6:

Answer A is correct. Object groups can be members of other object groups as long as all the groups are the same type. Therefore, answer B is incorrect.

Question 7

Which command allows you to delete object groups? (Select two.)

  • A. no object-group

  • B. delete object-group

  • C. remove object-group

  • D. clear object-group

A7:

Answers A and D are correct. To delete object groups, you use the no object-group or clear object-group command. The no object-group command deletes a single group, whereas the clear object-group command can delete all object groups. Answers B and C do not exist; therefore, they are incorrect.

Question 8

What must be done to allow traffic to pass from the outside interface to a Web server behind the interface named dmz? (Select two.)

  • A. Create a static mapping entry to the outside interface.

  • B. Create a static mapping entry to the dmz interface.

  • C. Create a static mapping entry to the Web server.

  • D. Remove the ACL on the outside interface.

  • E. Link an ACL to the outside interface.

A8:

Answers C and E are correct. To allow traffic initiated on the outside to pass into the DMZ, a static mapping of a global address to the Web server must be created. Secondly, a conduit command or ACL must be used to permit traffic to come in from the outside interface. Answer A would not allow access to the Web server and is therefore incorrect. Answer B would only map a global address to the firewall address and is therefore also incorrect. Answer D is incorrect because you must have an ACL binding to the outside interface to allow traffic in.

Question 9

What is the difference between access-list and conduit commands?

  • A. access-list commands can only have deny statements.

  • B. conduit command can only have permit statements.

  • C. conduit commands are applied directly to an interface.

  • D. access-list commands list the source and then destination, whereas conduit commands list the destination and then source.

A9:

Answer D is correct. access-list commands list the source and then the destination, whereas conduit commands are reversed, listing the destination followed by the source. Here are two examples: access-list (SOURCE) (DESTINATION) and conduit (DESTINATION) (SOURCE). Answers A and B are incorrect because both the access-list and conduit commands support permit and deny statements. Answer C is incorrect because the conduit command is not linked or assigned to a specific interface.

Question 10

When setting up complex access lists, what could you use to minimize the number of access list entries to be entered?

  • A. Use a conduit command instead.

  • B. Use object grouping.

  • C. Use turbo ACLs.

  • D. Use static mappings.

A10:

Answer B is correct. By using object grouping, you can create small object groups of entries and reference them in other groups or the ACL. This would minimize the number of access list entries needed to be typed in. Answer A is incorrect because conduit commands would not minimize the number of entries. Answer C is incorrect because turbo ACLs speed up the processing of ACLs but do not minimize the number of entries. Answer D is incorrect because static mappings are used to transform a global address to an internal address.




CSPFA Exam Cram 2 (Exam 642-521)
ISBN: 0789730235
Year: 2003
Pages: 218
