Security Context Overview
Note: The FWSM does not support sharing the outside interface of one context with the inside interface of another context (known as cascading contexts). Traffic that is outbound from one context (from a higher to a lower security interface) can only enter another context as inbound traffic (lower to higher security); it cannot be outbound for both contexts, or inbound for both contexts.
This section includes the following topics:
• NAT and Origination of Traffic, page 4-8
• Sharing an Outside Interface, page 4-8
• Sharing an Inside Interface, page 4-8
NAT and Origination of Traffic
The type of NAT configured determines whether the traffic can originate on the shared interface or if it can only respond to an existing connection. When you use dynamic NAT, you cannot initiate a connection to the real addresses. Therefore, traffic from the shared interface must be in response to an existing connection. Static NAT, however, lets you initiate connections, so you can initiate connections on the shared interface.
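The difference between the two NAT types on a shared interface, as an added FWSM multiple-context configuration example (constructed for this page, not taken from the Cisco guide; the context names, VLAN numbers and addresses are assumptions). Both contexts are allocated the same outside VLAN; ctxA uses dynamic NAT, so its pool addresses only exist while an inside host holds a connection, while ctxB uses a static translation that the shared interface can open new connections to, subject to the access list.

```cisco
! --- System execution space: two contexts share outside VLAN 10 ---
! Constructed example; context names, VLAN numbers and addresses are assumptions.
context ctxA
  allocate-interface Vlan10
  allocate-interface Vlan101
  config-url disk:/ctxA.cfg
context ctxB
  allocate-interface Vlan10
  allocate-interface Vlan102
  config-url disk:/ctxB.cfg

! --- Context ctxA: dynamic NAT on the shared outside interface ---
! 10.1.1.0/24 is translated to a pool; a pool address is only bound while an
! inside host has a connection, so nothing on Vlan10 can initiate to these hosts.
interface Vlan10
  nameif outside
  security-level 0
  ip address 192.0.2.1 255.255.255.0
interface Vlan101
  nameif inside
  security-level 100
  ip address 10.1.1.1 255.255.255.0
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 192.0.2.10-192.0.2.20

! --- Context ctxB: static NAT on the shared outside interface ---
! 192.0.2.50 is a persistent one-to-one mapping for 10.2.2.50, so a host on the
! shared interface can start a connection to it; the access list limits that to HTTPS.
interface Vlan10
  nameif outside
  security-level 0
  ip address 192.0.2.2 255.255.255.0
interface Vlan102
  nameif inside
  security-level 100
  ip address 10.2.2.1 255.255.255.0
static (inside,outside) 192.0.2.50 10.2.2.50 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.50 eq 443
access-group OUTSIDE_IN in interface outside
```

A practical check when building this: the mapped addresses of the two contexts (the pool 192.0.2.10-192.0.2.20 and the static 192.0.2.50) must not overlap, because on a shared interface the FWSM uses the mapped destination address to decide which context a packet belongs to. The static entry in ctxB is what makes inbound initiation possible at all; the access list is what decides how much of that exposure is actually allowed.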
Sharing an Outside Interface
When you have an outside shared interface (connected to the Internet, for example), the destination addresses on the inside are limited, and are known by the system administrator, so configuring NAT for those addresses is easy, even if you want to configure static NAT.
Sharing an Inside Interface
Configuring an inside shared interface poses a problem, however, if you want to allow communication between the shared interface and the Internet, where the destination addresses are unlimited. For example, if you want to allow inside hosts on the shared interface to initiate traffic to the Internet, then you need to configure static NAT statements for each Internet address. This requirement necessarily limits the kind of Internet access you can provide for users on an inside shared interface. (If you intend to statically translate addresses for Internet servers, then you also need to consider DNS entry addresses and how NAT affects them. For example, if a server sends a packet to www.example.com, then the DNS server needs to return the translated address. Your NAT configuration determines DNS entry management.)
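What the per-address static NAT requirement looks like in practice, as an added example for one context whose inside VLAN is shared (constructed for this page, not Cisco's own configuration; the VLAN numbers, addresses, server names and the 10.99.0.0/24 mapped range are assumptions). Each Internet server that inside hosts are allowed to reach gets its own static entry in the outside-to-inside direction, and the dns keyword makes the FWSM rewrite the A-record answer so that a lookup of www.example.com returns the mapped address rather than the real Internet address.

```cisco
! Context ctxC: the inside interface (Vlan200) is shared with another context.
! Constructed example; names and addresses are assumptions.
interface Vlan20
  nameif outside
  security-level 0
  ip address 198.51.100.2 255.255.255.0
interface Vlan200
  nameif inside
  security-level 100
  ip address 10.3.3.1 255.255.255.0

! One static entry per reachable Internet server. The mapped addresses live in
! 10.99.0.0/24, which inside hosts are assumed to route to the FWSM inside interface.
! The dns keyword rewrites DNS replies: www.example.com (203.0.113.80) is returned
! to inside clients as 10.99.0.80. DNS rewrite acts on replies that pass DNS
! inspection, which the FWSM default inspection policy is assumed to enable.
static (outside,inside) 10.99.0.80 203.0.113.80 netmask 255.255.255.255 dns
static (outside,inside) 10.99.0.81 203.0.113.81 netmask 255.255.255.255 dns

! Inside hosts still need their own translation towards the Internet.
nat (inside) 1 10.3.3.0 255.255.255.0
global (outside) 1 interface

! Because only statically mapped servers are reachable, the access list can be
! exactly as narrow as the set of static entries (addresses as seen on inside).
access-list INSIDE_OUT extended permit tcp 10.3.3.0 255.255.255.0 host 10.99.0.80 eq 80
access-list INSIDE_OUT extended permit tcp 10.3.3.0 255.255.255.0 host 10.99.0.81 eq 443
access-group INSIDE_OUT in interface inside
```

The cost the text describes is visible here: every additional Internet destination means another static line plus a routing and DNS consequence on the inside, which is why general Internet access from a shared inside interface does not scale. Verifying with show xlate that each server address is translated as intended, and confirming from an inside host that a DNS lookup returns the 10.99.0.x address, is the quickest way to catch a static entry that was added without the dns keyword.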
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM, OL-20748-01, Chapter 4, Configuring Security Contexts, page 4-8