Invalid Classifier Criteria - Cisco PIX 500 Series Configuration Manual

Security appliance command line

Security Context Overview
a global command. In the case of the global command, the classifier does not need a matching nat
command or an active NAT session to classify the packet. Whether the packet can communicate with the
destination IP address after classification depends on how you configure NAT and NAT control.
For example, the classifier gains knowledge about subnets 10.10.10.0, 10.20.10.0 and 10.30.10.0 when
the context administrators configure static commands in each context:
Context A:
static (inside,shared) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
Context B:
static (inside,shared) 10.20.10.0 10.20.10.0 netmask 255.255.255.0
Context C:
static (inside,shared) 10.30.10.0 10.30.10.0 netmask 255.255.255.0
Note
For management traffic destined for an interface, the interface IP address is used for classification.

Invalid Classifier Criteria

The following configurations are not used for packet classification:
NAT exemption—The classifier does not use a NAT exemption configuration for classification
purposes because NAT exemption does not identify a mapped interface.
Routing table—If a context includes a static route that points to an external router as the next-hop
to a subnet, and a different context includes a static command for the same subnet, then the classifier
uses the static command to classify packets destined for that subnet and ignores the static route.

Cisco Security Appliance Command Line Configuration Guide
Chapter 3
Enabling Multiple Context Mode
OL-12172-03
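
The rules in "Invalid Classifier Criteria" can be checked against a set of context configurations. The Python below is an added example, not code from the Cisco guide: it builds a classifier table from static commands only, then reports routes that a different context's static command overrides and contexts that carry a NAT exemption line. Context D, its route and nat 0 lines, the access list name EXEMPT and all function names are constructed for illustration, and the model covers only the static-command criterion shown on this page.

```python
import ipaddress
import re

# Constructed input: contexts A-C carry the static commands from the page;
# context D (two routes and a NAT exemption line) is invented for illustration.
CONFIGS = {
    "A": ["static (inside,shared) 10.10.10.0 10.10.10.0 netmask 255.255.255.0"],
    "B": ["static (inside,shared) 10.20.10.0 10.20.10.0 netmask 255.255.255.0"],
    "C": ["static (inside,shared) 10.30.10.0 10.30.10.0 netmask 255.255.255.0"],
    "D": ["route inside 10.20.10.0 255.255.255.0 192.168.1.1",
          "route inside 10.40.10.0 255.255.255.0 192.168.1.1",
          "nat (inside) 0 access-list EXEMPT"],
}

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) \S+ netmask (\S+)$")
ROUTE_RE = re.compile(r"^route \w+ (\S+) (\S+) \S+")
NAT0_RE = re.compile(r"^nat \(\w+\) 0 access-list \S+")

def parse(configs):
    """Split config lines into classifier entries, routes and NAT exemptions."""
    statics, routes, exemptions = [], [], []
    for ctx, lines in configs.items():
        for line in lines:
            if m := STATIC_RE.match(line):
                # (mapped interface, mapped subnet, owning context)
                net = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}")
                statics.append((m.group(2), net, ctx))
            elif m := ROUTE_RE.match(line):
                routes.append((ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"), ctx))
            elif NAT0_RE.match(line):
                exemptions.append(ctx)
    return statics, routes, exemptions

def classify(statics, ingress_ifc, dst_ip):
    """Contexts whose static mapped subnet on the ingress interface contains dst_ip."""
    dst = ipaddress.ip_address(dst_ip)
    return sorted(ctx for ifc, net, ctx in statics if ifc == ingress_ifc and dst in net)

def shadowed_routes(statics, routes):
    """Routes to a subnet that a different context's static command already claims."""
    return [(rctx, str(rnet), sctx) for rnet, rctx in routes
            for _, snet, sctx in statics if rctx != sctx and rnet.overlaps(snet)]

if __name__ == "__main__":
    statics, routes, exemptions = parse(CONFIGS)
    print(classify(statics, "shared", "10.20.10.5"))
    print(shadowed_routes(statics, routes))
    print("NAT exemption present, not used for classification:", exemptions)
```

A destination that appears only in a route or a NAT exemption, such as 10.40.10.0 in the constructed context D, yields no match in this model, which is the condition to look for when reviewing a multi-context configuration.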


This manual is also suitable for:

ASA 5500 series
