The Cisco ASA is configured in multiple mode and the security contexts share the same outside
physical interface. Which two packet classification methods can be used by the Cisco ASA to
determine which security context to forward the incoming traffic from the outside interface?
(Choose two.)

A. unique interface IP address

B. unique interface MAC address

C. routing table lookup

D. MAC address table lookup

E. unique global mapped IP addresses

Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/contexts.html
Unique Interfaces
If only one context is associated with the ingress interface, the ASA classifies the packet into that
context. In transparent firewall mode, unique interfaces for contexts are required, so this method is
used to classify packets at all times.
Unique MAC Addresses
If multiple contexts share an interface, then the classifier uses the interface MAC address. The
ASA lets you assign a different MAC address in each context to the same shared interface,
whether it is a shared physical interface or a shared subinterface. By default, shared interfaces do
not have unique MAC addresses; the interface uses the physical interface burned-in MAC address
in every context. An upstream router cannot route directly to a context without unique MAC
addresses. You can set the MAC addresses manually when you configure each interface (see the
“Configuring the MAC Address” section), or you can automatically generate MAC addresses (see
the “Automatically Assigning MAC Addresses to Context Interfaces” section).
NAT Configuration
If you do not have unique MAC addresses, then the classifier intercepts the packet and performs a
destination IP address lookup. All other fields are ignored; only the destination IP address is used.
To use the destination address for classification, the classifier must have knowledge about the
subnets located behind each security context. The classifier relies on the NAT configuration to
determine the subnets in each context. The classifier matches the destination IP address to either
a static command or a global command. In the case of the global command, the classifier does not
need a matching nat command or an active NAT session to classify the packet. Whether the
packet can communicate with the destination IP address after classification depends on how you
configure NAT and NAT control.
For example, the classifier gains knowledge about subnets 10.10.10.0, 10.20.10.0 and 10.30.10.0
when the context administrators configure static commands in each context:
• Context A:
  static (inside,shared) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
• Context B:
  static (inside,shared) 10.20.10.0 10.20.10.0 netmask 255.255.255.0
• Context C:
  static (inside,shared) 10.30.10.0 10.30.10.0 netmask 255.255.255.0
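To make the three classification steps concrete, here is an added Python model of the classifier logic described above (not Cisco code, and a simplification of the real ASA): it learns the mapped subnets from the three static commands on this page and decides which context a packet on the shared interface belongs to. Context names, interface names, the MAC address on context B and the sample packets are constructed for the example.

```python
# Added example, not from the Cisco documentation: a small model of the ASA
# multiple-mode packet classifier. Order follows the text above:
# (1) unique interface, (2) unique per-context MAC on a shared interface,
# (3) destination IP lookup against subnets learned from static/global NAT.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Context:
    name: str
    interfaces: set                                   # interfaces allocated to the context
    mac: dict = field(default_factory=dict)           # interface -> unique MAC, if assigned
    nat_subnets: list = field(default_factory=list)   # networks learned from NAT config


def parse_static(line):
    """Return the mapped subnet from 'static (in,out) real mapped netmask M'."""
    tok = line.split()
    mapped, mask = tok[3], tok[5]
    return ipaddress.ip_network(f"{mapped}/{mask}", strict=False)


def classify(packet, contexts):
    """Name of the context that receives the packet, or None (unclassified, dropped)."""
    ingress = packet["ingress"]
    owners = [c for c in contexts if ingress in c.interfaces]
    # Step 1: only one context owns the ingress interface.
    if len(owners) == 1:
        return owners[0].name
    # Step 2: shared interface; a context-specific MAC wins regardless of IP.
    for c in owners:
        mac = c.mac.get(ingress)
        if mac and mac.lower() == packet["dst_mac"].lower():
            return c.name
    # Step 3: no unique MAC match; only the destination IP is consulted.
    dst = ipaddress.ip_address(packet["dst_ip"])
    for c in owners:
        if any(dst in net for net in c.nat_subnets):
            return c.name
    return None


# Constructed sample: A, B, C share 'shared' with the page's static commands;
# only B has a unique MAC on it; D owns 'dmz' alone (constructed names).
STATIC = "static (inside,shared) {0} {0} netmask 255.255.255.0"
CONTEXTS = [
    Context("A", {"inside", "shared"}, nat_subnets=[parse_static(STATIC.format("10.10.10.0"))]),
    Context("B", {"inside", "shared"}, mac={"shared": "0200.0000.00b0"},
            nat_subnets=[parse_static(STATIC.format("10.20.10.0"))]),
    Context("C", {"inside", "shared"}, nat_subnets=[parse_static(STATIC.format("10.30.10.0"))]),
    Context("D", {"dmz"}),
]
```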