which security context to forward the incoming traffic …

The Cisco ASA is configured in multiple mode and the security contexts share the same outside physical interface. Which two packet classification methods can be
used by the Cisco ASA to determine which security context to forward the incoming traffic from the outside interface? (Choose two.)

The Cisco ASA is configured in multiple mode and the security contexts share the same outside physical interface. Which two packet classification methods can be
used by the Cisco ASA to determine which security context to forward the incoming traffic from the outside interface? (Choose two.)

A.
unique interface IP address

B.
unique interface MAC address

C.
routing table lookup

D.
MAC address table lookup

E.
unique global mapped IP addresses

Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/contexts.html
Unique Interfaces
If only one context is associated with the ingress interface, the ASA classifies the packet into that context. In transparent firewall mode, unique interfaces for
contexts are required, so this method is used to classify packets at all times.
Unique MAC Addresses
If multiple contexts share an interface, then the classifier uses the interface MAC address. The ASA lets you assign a different MAC address in each context to the
same shared interface, whether it is a shared physical interface or a shared subinterface. By default, shared interfaces do not have unique MAC addresses; the
interface uses the physical interface burned-in MAC address in every context. An upstream router cannot route directly to a context without unique MAC addresses.
You can set the MAC addresses manually when you configure each interface (see the “Configuring the MAC Address” section), or you can automatically generate
MAC addresses (see the “Automatically Assigning MAC Addresses to Context Interfaces” section).
NAT Configuration
If you do not have unique MAC addresses, then the classifier intercepts the packet and performs a destination IP address lookup. All other fields are ignored; only
the destination IP address is used. To use the destination address for classification, the classifier must have knowledge about the subnets located behind each
security context. The classifier relies on the NAT configuration to determine the subnets in each context. The classifier matches the destination IP address to either
a static command or a global command. In the case of the global command, the classifier does not need a matching nat command or an active NAT session to
classify the packet. Whether the packet can communicate with the destination IP address after classification depends on how you configure NAT and NAT control.
For example, the classifier gains knowledge about subnets 10.10.10.0, 10.20.10.0 and 10.30.10.0 when the context administrators configure static commands in
each context:
·Context A:
static (inside,shared) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
·Context B:
static (inside,shared) 10.20.10.0 10.20.10.0 netmask 255.255.255.0
·Context C:

static (inside,shared) 10.30.10.0 10.30.10.0 netmask 255.255.255.0



Leave a Reply 0

Your email address will not be published. Required fields are marked *