Cisco PIX 500 Series Configuration Manual page 68

Security appliance command line

Security Context Overview
Chapter 3: Enabling Multiple Context Mode
Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, page 3-6

Figure 3-2 shows multiple contexts sharing an outside interface without MAC addresses assigned. The classifier assigns the packet to Context B because Context B includes the address translation that matches the destination address.

Figure 3-2 Packet Classification with a Shared Interface using NAT
[Figure: a packet from the Internet with destination 209.165.201.3 arrives on the shared interface GE 0/0.1 and reaches the classifier, which sits in front of the Admin Context, Context A and Context B. Context B is labelled with the destination address translation for 209.165.201.3. Other labels: interfaces GE 0/1.1, GE 0/1.2 and GE 0/1.3; Admin Network, Inside Customer A and Inside Customer B; hosts, with the address 10.1.1.13.]

Note that all new incoming traffic must be classified, even from inside networks. Figure 3-3 shows a host on the Context B inside network accessing the Internet. The classifier assigns the packet to Context B because the ingress interface is Gigabit Ethernet 0/1.3, which is assigned to Context B.

Note: If you share an inside interface and do not use unique MAC addresses, the classifier imposes some major restrictions. The classifier relies on the address translation configuration to classify the packet within a context, and you must translate the destination addresses of the traffic. Because you do not usually perform NAT on outside addresses, sending packets from inside to outside on a shared interface is not always possible; the outside network is large (the Web, for example), and addresses are not predictable for an outside NAT configuration. If you share an inside interface, we suggest you use unique MAC addresses.
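
A simplified model of the classification decisions described above, added here as an example; it is not taken from the Cisco guide or the appliance software. Context names and addresses follow Figures 3-2 and 3-3; the inside interface assignments for admin and Context A, the shared inside interface GE0/1, the MAC addresses and the destination 198.51.100.7 are assumptions made for the example.

```python
# Simplified model of the classifier rules this page describes (not Cisco code).
# Context names, interfaces and addresses follow Figures 3-2 and 3-3; which
# inside interface belongs to admin and Context A, the MAC addresses and the
# 198.51.100.7 destination are constructed for the example.

FIG_3_2 = {  # contexts share the outside interface GE0/0.1, no unique MACs
    "admin": {"ifaces": {"GE0/0.1", "GE0/1.1"}, "dest_xlate": set()},
    "A":     {"ifaces": {"GE0/0.1", "GE0/1.2"}, "dest_xlate": set()},
    "B":     {"ifaces": {"GE0/0.1", "GE0/1.3"}, "dest_xlate": {"209.165.201.3"}},
}

SHARED_INSIDE = {  # constructed: A and B share the inside interface GE0/1
    "A": {"ifaces": {"GE0/1"}, "dest_xlate": set()},
    "B": {"ifaces": {"GE0/1"}, "dest_xlate": set()},
}

def classify(contexts, ingress, dst_ip, dst_mac=None, macs=None):
    """Return the context for a new packet, or None if it cannot be classified.

    macs: optional {(context, interface): mac} map of unique per-context MACs.
    """
    owners = sorted(n for n, c in contexts.items() if ingress in c["ifaces"])
    if len(owners) == 1:   # ingress interface is assigned to one context only
        return owners[0]
    if macs:               # shared interface, unique MAC per context
        for name in owners:
            if macs.get((name, ingress)) == dst_mac:
                return name
        return None
    # Shared interface without unique MACs: only a destination address
    # translation configured in exactly one context identifies the owner.
    hits = [n for n in owners if dst_ip in contexts[n]["dest_xlate"]]
    return hits[0] if len(hits) == 1 else None

if __name__ == "__main__":
    print(classify(FIG_3_2, "GE0/0.1", "209.165.201.3"))     # Figure 3-2 case
    print(classify(FIG_3_2, "GE0/1.3", "198.51.100.7"))      # Figure 3-3 case
    print(classify(SHARED_INSIDE, "GE0/1", "198.51.100.7"))  # the Note's case
    macs = {("A", "GE0/1"): "02:00:00:00:0a:01", ("B", "GE0/1"): "02:00:00:00:0b:01"}
    print(classify(SHARED_INSIDE, "GE0/1", "198.51.100.7", "02:00:00:00:0b:01", macs))
```

The third call returns None because no context can hold a destination translation for an arbitrary Internet address, which is the restriction the Note describes; the fourth call resolves once each context has its own MAC address on the shared interface.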


This manual is also suitable for:

ASA 5500 series
