Application Inspection of SAF Network Services on Adaptive Security Appliance | Cisco Exam 400-051

Application Inspection of SAF Network Services


Question

Which statement about application inspection of SAF network services on an adaptive security appliance is true?

Answers

Explanations


C.

The Adaptive Security Appliances do not have application inspection for the SAF network service.

When Unified CM uses a SAF-enabled H.323 trunk to place a call, the ASA cannot inspect the SAF packet to learn the ephemeral port number used in the H.225 signalling.

Therefore, in scenarios where call traffic from SAF-enabled H.323 trunks traverses the ASAs, ACLs must be configured on the ASAs to allow this signaling traffic.

The ACL configuration must account for all the ports used by the H.225 and H.245 signaling.

SAF (Service Advertisement Framework) is a Cisco Unified Communications feature that provides a mechanism for advertising and discovering services within a network. It is used to distribute service information between Call Control Elements (CCEs) in a network, allowing them to learn about and use each other's services.

When deploying SAF in a network, it is important to ensure that the network is secure and that the traffic between the CCEs is protected. To achieve this, the Cisco Adaptive Security Appliance (ASA) can be used to provide security and application inspection for SAF network services.

The question asks which statement about application inspection of SAF network services on an adaptive security appliance is true. Let's examine each answer choice in turn:

A. The adaptive security appliance can inspect and learn the ephemeral port numbers that are used by H.225 and H.245 on SAF-enabled H.323 trunks.

H.225 and H.245 are protocols used in H.323, a voice and video communication protocol. Ephemeral port numbers are dynamically assigned port numbers used for communication between endpoints. This answer suggests that the adaptive security appliance can inspect and learn these port numbers on SAF-enabled H.323 trunks. This statement is true, as the ASA can inspect and learn these port numbers through application inspection.

B. An explicit ACL must be configured on the adaptive security appliance for SAF-enabled SIP trunks.

SIP (Session Initiation Protocol) is another voice and video communication protocol. This answer suggests that an explicit ACL (Access Control List) must be configured on the ASA for SAF-enabled SIP trunks. This statement is false, as an explicit ACL is not required for SIP trunks specifically.

C. An explicit ACL must be configured on the adaptive security appliance for SAF-enabled H.323 trunks to account for ephemeral port numbers that are used by H.225 and H.245.

This answer is similar to answer choice B, but specifically mentions H.323 trunks. It suggests that an explicit ACL must be configured on the ASA for SAF-enabled H.323 trunks to account for ephemeral port numbers used by H.225 and H.245. This statement is false, as the ASA can inspect and learn these port numbers through application inspection without the need for an explicit ACL.

D. The adaptive security appliance can inspect and learn the ephemeral port numbers that are used by H.225 and H.245 on SAF-enabled H.323 trunks, but H.245 ports must be explicitly defined.

This answer is similar to answer choice A, but specifically mentions H.245 ports. It suggests that the ASA can inspect and learn the ephemeral port numbers used by H.225 on SAF-enabled H.323 trunks, but H.245 ports must be explicitly defined. This statement is false, as the ASA can inspect and learn both H.225 and H.245 port numbers through application inspection without the need for explicit definitions.

E. The adaptive security appliance can inspect and learn the ephemeral port numbers that are used by H.225 on SAF-enabled H.323 trunks, but H.245 ports must be explicitly defined.

This answer is identical to answer choice D, so the explanation remains the same.

F. The adaptive security appliance provides full application inspection for SAF network services.

This answer suggests that the ASA provides full application inspection for SAF network services. This statement is false, as the ASA does not provide full application inspection for all SAF network services. However, it can provide application inspection for H.225 and H.245 on SAF-enabled H.323 trunks.

Therefore, the correct answer is A: The adaptive security appliance can inspect and learn the ephemeral port numbers that are used by H.225 and H.245 on SAF-enabled H.323 trunks.