Cisco Systems OL-16647-01 Network Router User Manual

10-5
Cisco ASDM User Guide
OL-16647-01
Chapter 10 Configuring Security Contexts
Security Context Overview
Figure 10-2 shows multiple contexts sharing an outside interface without MAC addresses assigned. The
classifier assigns the packet to Context B because Context B includes the address translation that
matches the destination address.
Figure 10-2 Packet Classification with a Shared Interface using NAT
Note that all new incoming traffic must be classified, even from inside networks. Figure 10-3 shows a
host on the Context B inside network accessing the Internet. The classifier assigns the packet to Context
B because the ingress interface is Gigabit Ethernet 0/1.3, which is assigned to Context B.
Note If you share an inside interface and do not use unique MAC addresses, the classifier imposes some major
restrictions. The classifier relies on the address translation configuration to classify the packet within a
context, and you must translate the destination addresses of the traffic. Because you do not usually
perform NAT on outside addresses, sending packets from inside to outside on a shared interface is not
always possible; the outside network is large (the Web, for example), and addresses are not predictable
for an outside NAT configuration. If you share an inside interface, we suggest you use unique MAC
addresses.
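The following Python model is an added illustration of the classification rules described in this section; it is not Cisco code and does not reproduce the real ASA classifier. It applies three rules in order: an ingress interface allocated to a single context selects that context; on a shared interface, a unique MAC address selects the context when one is configured; otherwise the destination address must match an address translation in exactly one context, and a packet that matches none (or more than one) is left unclassified. The topology is taken from Figure 10-2 (admin context on GE 0/1.1, Context A on GE 0/1.2, Context B on GE 0/1.3, shared outside interface GE 0/0.1, Context B translating 209.165.201.3). The shared inside interface GigabitEthernet0/2.1, the MAC addresses and the 198.51.100.7 destination are constructed for the example to show the restriction the Note describes.

```python
"""Toy model of security-context packet classification (added example, not
Cisco code). Interface names, MAC addresses and the shared inside interface
used in the demo are constructed; the rest follows Figure 10-2."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Context:
    name: str
    interfaces: set                                   # interfaces allocated to this context
    mac_addresses: dict = field(default_factory=dict)  # interface -> unique MAC, if assigned
    mapped_addresses: set = field(default_factory=set)  # destination addresses this context translates


@dataclass
class Packet:
    ingress_interface: str
    dst_ip: str
    dst_mac: Optional[str] = None


def classify(packet: Packet, contexts: list) -> Optional[str]:
    """Return the name of the context the packet is assigned to, or None if
    the classifier cannot assign it unambiguously."""
    # Rule 1: an interface allocated to exactly one context selects that context.
    owners = [c for c in contexts if packet.ingress_interface in c.interfaces]
    if len(owners) == 1:
        return owners[0].name
    if not owners:
        return None  # interface not allocated to any context

    # Rule 2: on a shared interface, a unique MAC address decides when configured.
    if packet.dst_mac is not None:
        by_mac = [c for c in owners
                  if c.mac_addresses.get(packet.ingress_interface, "").lower()
                  == packet.dst_mac.lower()]
        if len(by_mac) == 1:
            return by_mac[0].name

    # Rule 3: otherwise the destination address must match a translation in one context.
    by_nat = [c for c in owners if packet.dst_ip in c.mapped_addresses]
    if len(by_nat) == 1:
        return by_nat[0].name
    return None  # no translation matches, or the match is ambiguous


SHARED_OUTSIDE = "GigabitEthernet0/0.1"   # GE 0/0.1 in Figure 10-2
SHARED_INSIDE = "GigabitEthernet0/2.1"    # constructed: a shared inside interface


def build_topology(unique_macs: bool = False) -> list:
    """Contexts from Figure 10-2 plus a constructed shared inside interface."""
    admin = Context("admin", {"GigabitEthernet0/1.1"})
    ctx_a = Context("A", {"GigabitEthernet0/1.2", SHARED_OUTSIDE, SHARED_INSIDE})
    ctx_b = Context("B", {"GigabitEthernet0/1.3", SHARED_OUTSIDE, SHARED_INSIDE},
                    mapped_addresses={"209.165.201.3"})
    if unique_macs:  # constructed, documentation-range MAC addresses
        ctx_a.mac_addresses = {SHARED_OUTSIDE: "00:00:5e:00:53:0a", SHARED_INSIDE: "00:00:5e:00:53:1a"}
        ctx_b.mac_addresses = {SHARED_OUTSIDE: "00:00:5e:00:53:0b", SHARED_INSIDE: "00:00:5e:00:53:1b"}
    return [admin, ctx_a, ctx_b]


def demo() -> dict:
    """Run the cases discussed in the text and return the classifier's decisions."""
    no_macs = build_topology(unique_macs=False)
    with_macs = build_topology(unique_macs=True)
    return {
        # Figure 10-2: Internet packet on the shared outside interface, destination
        # matches Context B's translation.
        "figure_10_2": classify(Packet(SHARED_OUTSIDE, "209.165.201.3"), no_macs),
        # Figure 10-3: inside host of Context B going out; GE 0/1.3 is unique to B.
        "figure_10_3": classify(Packet("GigabitEthernet0/1.3", "198.51.100.7"), no_macs),
        # Admin network traffic arrives on the admin context's own interface.
        "admin": classify(Packet("GigabitEthernet0/1.1", "10.1.1.13"), no_macs),
        # Note: shared inside interface, no unique MACs, outside address not
        # translated -> the classifier cannot place the packet.
        "shared_inside_no_nat": classify(Packet(SHARED_INSIDE, "198.51.100.7"), no_macs),
        # Same packet with unique MAC addresses assigned -> classified by MAC.
        "shared_inside_unique_mac": classify(
            Packet(SHARED_INSIDE, "198.51.100.7", dst_mac="00:00:5E:00:53:1B"), with_macs),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The `shared_inside_no_nat` case is the restriction the Note warns about: with no unique MAC address and no translation for the outside destination, the packet is returned as unclassified, whereas the same packet is assigned to Context B once unique MAC addresses are in place.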
[Figure 10-2 (Packet Classification with a Shared Interface using NAT) diagram labels: the Classifier sits between the Internet on GE 0/0.1 (Shared Interface) and three contexts: Admin Context on GE 0/1.1 (Admin Network), Context A on GE 0/1.2 (Inside Customer A) and Context B on GE 0/1.3 (Inside Customer B). Each inside network contains a Host 10.1.1.13. Context B holds the Dest Addr Translation for 209.165.201.3; Packet Destination: 209.165.201.3, translated to 10.1.1.13.]