Cisco Catalyst 6500 Series User Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 5 Managing Security Contexts
Security Context Overview
Note: You cannot initiate connections from a shared interface when you use NAT exemption for the destination
address. The classifier only looks at static statements where the global interface matches the source
interface of the packet. Because NAT exemption does not identify a global interface, the classifier does
not consider those NAT statements for classification purposes.

For example, if you send a packet from a host on an inside shared VLAN to www.cisco.com, the FWSM
does not know to which context to send the packet unless you statically translate the www.cisco.com
IP address in one of the contexts. Figure 5-6 shows two servers on a shared VLAN. One server sends the
packet to the translated address, and the FWSM classifies the packet to go through Context C, which
includes a static translation for the address. The other server sends the packet to the real untranslated
address, and the packet is dropped because the FWSM cannot classify it. If you intend to statically
translate addresses for servers like www.cisco.com, then you also need to consider DNS entry addresses
and how NAT affects them. For example, if a server sends a packet to www.cisco.com, then the DNS
server needs to return the translated address. Managing DNS entries for translated addresses depends on
where the DNS server resides. See the “DNS and NAT” section on page 9-13 for more information.

Figure 5-6 Originating Traffic on a Shared VLAN
[Figure not reproduced. Labels: Shared Network on VLAN 300 with the Admin Context, Context A, Context B and Context C, a Syslog Server and an AAA Server; VLAN 200 toward the Internet and www.cisco.com (209.165.201.4); Static Translation in Context C between 209.165.201.4 and 10.1.2.27; HTTP packets with Dest. Address 10.1.2.27 and Dest. Address 209.165.201.4.]
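
The classification rule from the note and Figure 5-6, written as a simplified model. This is an added example, not Cisco code or FWSM configuration. The `NatRule` and `classify` names, the `vlan300` interface label and the NAT exemption entry in Context A are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional


@dataclass(frozen=True)
class NatRule:
    kind: str                  # "static" or "exempt" (NAT exemption)
    real_ip: str               # real address of the destination server
    global_if: Optional[str]   # interface where the translated address is seen
    mapped_ip: Optional[str]   # translated address; None for NAT exemption


def classify(contexts: Dict[str, List[NatRule]], src_if: str,
             dst_ip: str) -> Optional[str]:
    """Pick the context for a packet that arrives on a shared interface.

    Returns the context name, or None when the packet cannot be classified
    and is dropped. Model assumption: translated addresses are unique
    across contexts, so the first match wins.
    """
    dst = ip_address(dst_ip)
    for name, rules in contexts.items():
        for rule in rules:
            # Only static statements whose global interface matches the
            # packet's source interface take part in classification.
            # NAT exemption names no global interface, so it is skipped.
            if rule.kind != "static" or rule.global_if != src_if:
                continue
            if ip_address(rule.mapped_ip) == dst:
                return name
    return None


# Constructed sample data following Figure 5-6: VLAN 300 is shared and only
# Context C holds a static translation for www.cisco.com.
CONTEXTS = {
    "Context A": [NatRule("exempt", "209.165.201.4", None, None)],
    "Context B": [],
    "Context C": [NatRule("static", "209.165.201.4", "vlan300", "10.1.2.27")],
}

if __name__ == "__main__":
    for dest in ("10.1.2.27", "209.165.201.4"):
        result = classify(CONTEXTS, "vlan300", dest)
        print(dest, "->", result or "dropped (cannot classify)")
```

The exemption entry in Context A names the same real address as the static in Context C, yet it never influences the result, which is why a host on the shared VLAN that targets 209.165.201.4 directly has no context to go through.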
