Which statement about application inspection of SAF network services on an adaptive security appliance is true?

Which statement about application inspection of SAF network services on an adaptive security
appliance is true?

Which statement about application inspection of SAF network services on an adaptive security
appliance is true?

A.
The adaptive security appliance can inspect and learn the ephemeral port numbers that are
used by H.225 and H.245 on SAF-enabled H.323 trunks.

B.
An explicit ACL must be configured on the adaptive security appliance for SAF-enabled SIP
trunks.

C.
An explicit ACL must be configured on the adaptive security appliance for SAF-enabled H.323
trunks to account for ephemeral port numbers that are used by H.225 and H.245.

D.
The adaptive security appliance can inspect and learn the ephemeral port numbers that are
used by H.225 on SAF-enabled H.323 trunks, but H.245 ports must be explicitly defined.

E.
The adaptive security appliance provides full application inspection for SAF network services.

Explanation:
The Adaptive Security Appliances do not have application inspection for the SAF network service.
When Unified CM uses a SAF-enabled H.323 trunk to place a call, the ASA cannot inspect the
SAF packet to learn the ephemeral port number used in the H.225 signalling. Therefore, in
scenarios where call traffic from SAF-enabled H.323 trunks traverses the ASAs, ACLs must be
configured on the ASAs to allow this signaling traffic. The ACL configuration must account for all
the ports used by the H.225 and H.245 signaling.

Cisco Collaboration 9.x Solution Reference Network Designs (SRND) page 4-34



Leave a Reply 0

Your email address will not be published. Required fields are marked *