Cisco Catalyst 6500 Series Configuration Manual page 82

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services

Security Context Overview
Note: You cannot initiate connections from a shared interface when you use NAT exemption for the destination address. The classifier only looks at static statements where the global interface matches the source interface of the packet. Because NAT exemption does not identify a global interface, the classifier does not consider those NAT statements for classification purposes.

For example, if you send a packet from a host on an inside shared VLAN to www.cisco.com, the FWSM does not know to which context to send the packet unless you statically translate the www.cisco.com IP address in one of the contexts. Figure 5-6 shows two servers on a shared VLAN. One server sends the packet to the translated address, and the FWSM classifies the packet to go through Context C, which includes a static translation for the address. The other server sends the packet to the real untranslated address, and the packet is dropped because the FWSM cannot classify it. If you intend to statically translate addresses for servers like www.cisco.com, then you also need to consider DNS entry addresses and how NAT affects them. For example, if a server sends a packet to www.cisco.com, then the DNS server needs to return the translated address. Managing DNS entries for translated addresses depends on where the DNS server resides. See the "DNS and NAT" section on page 9-13 for more information.

Figure 5-6    Originating Traffic on a Shared VLAN
[Figure labels: www.cisco.com 209.165.201.4; Internet; Admin Context, Context A, Context B, Context C; VLAN 200; VLAN 300 (Shared Network); Syslog Server; AAA Server; HTTP Packet, Dest. Address: 209.165.201.4; HTTP Packet, Dest. Address: 10.1.2.27; Static Translation 10.1.2.27, 209.165.201.4]

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, Chapter 5: Managing Security Contexts, page 5-8, OL-6392-01
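The classification rule described on this page can be modeled for troubleshooting. The following Python sketch is an added example, not Cisco code or FWSM configuration syntax; it covers only packets that originate on a shared interface. The interface names (vlan200, vlan300), the Context A and Context B entries, and the reading of 10.1.2.27 as the translated address of www.cisco.com (209.165.201.4) from the Figure 5-6 labels are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Static:
    global_if: str   # interface on which the translated (global) address is visible
    global_net: str  # translated address
    real_net: str    # real address behind the translation

@dataclass(frozen=True)
class NatExempt:
    real_if: str     # NAT exemption identifies no global interface
    dest_net: str

@dataclass(frozen=True)
class Context:
    name: str
    interfaces: tuple
    statics: tuple = ()
    exemptions: tuple = ()

def classify_shared(contexts, src_if, dst):
    """Return the context chosen for a packet that arrives on shared interface
    src_if with destination dst, or None if it cannot be classified (dropped)."""
    dst = ip_address(dst)
    for ctx in contexts:
        if src_if not in ctx.interfaces:
            continue
        # Only static statements are consulted; ctx.exemptions is never read.
        for s in ctx.statics:
            if s.global_if == src_if and dst in ip_network(s.global_net):
                return ctx.name
    return None

# Constructed sample data (assumptions, loosely following Figure 5-6).
CONTEXTS = (
    Context("Context A", ("vlan300", "vlan200"),
            statics=(Static("vlan200", "198.51.100.5/32", "10.9.9.5/32"),)),
    Context("Context B", ("vlan300",),
            exemptions=(NatExempt("vlan300", "192.0.2.10/32"),)),
    Context("Context C", ("vlan300",),
            statics=(Static("vlan300", "10.1.2.27/32", "209.165.201.4/32"),)),
)

if __name__ == "__main__":
    for dst in ("10.1.2.27", "209.165.201.4", "192.0.2.10", "198.51.100.5"):
        print(dst, "->", classify_shared(CONTEXTS, "vlan300", dst) or "dropped")
```

The last two destinations show the two ways a lookup fails: a NAT exemption is never consulted, and a static whose global interface is not the packet's source interface does not match.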
