Security Appliance

The Security Appliance allows interfaces to be shared between contexts. This is allowed only
with adherence to the following guidelines:
■ The Security Appliance must be in routed mode.
■ The shared interface must have either a unique IP address for each context or a unique
VLAN for each context that will be using it.
After you have decided to enable shared interfaces on a Security Appliance, you must
consider several issues. To allow traffic through a shared interface, Network Address
Translation (NAT) must be enabled on that interface. The classifier used by the Security
Appliance relies on the address translation configuration to classify each packet to a
context. Using NAT commands, the destination address of the traffic must therefore be
translated to satisfy this requirement. The same classification can also be achieved through
the global command if no NAT translation is performed.
A restriction arises when considering where traffic flows can originate on the shared
interfaces of the Security Appliance. When dynamic NAT is used for the destination
addresses, a connection to those addresses cannot be initiated. This restricts the
interfaces so that they can only respond to existing connections; a new connection can
never be initiated toward them. To avoid this limitation, static NAT must be used for the
destination addresses, allowing the interface to initiate as well as respond to connections.
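The following configuration is an added illustration of the guidelines above and is not taken from the original text or from any vendor documentation. It shows one shared outside interface allocated to two routed-mode contexts, each with its own unique IP address on that interface, and contrasts a dynamic translation (outbound-only) with the static translation that lets the classifier assign inbound packets to a context and lets hosts behind it both initiate and answer connections. The context names, interface names, file names and all addresses (RFC 5737 documentation ranges) are assumed values chosen for the example.

```cisco
! --- System execution space (multiple context mode, routed) ---
! GigabitEthernet0/0 is allocated to both contexts, making it a shared
! interface. Each context must then use a different IP address on it.
context ctxA
  allocate-interface GigabitEthernet0/0 outside_shared
  allocate-interface GigabitEthernet0/1 insideA
  config-url disk0:/ctxA.cfg
!
context ctxB
  allocate-interface GigabitEthernet0/0 outside_shared
  allocate-interface GigabitEthernet0/2 insideB
  config-url disk0:/ctxB.cfg

! --- Inside context ctxA (changeto context ctxA) ---
interface outside_shared
  nameif outside
  security-level 0
  ip address 203.0.113.11 255.255.255.0     ! unique to ctxA on the shared link
interface insideA
  nameif inside
  security-level 100
  ip address 10.1.1.1 255.255.255.0
!
! Dynamic NAT: inside hosts can initiate connections out through the
! mapped pool, but nothing on the outside can initiate a connection to
! 203.0.113.30-203.0.113.40, because no fixed destination mapping exists.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 203.0.113.30-203.0.113.40
!
! Static NAT: the classifier can assign inbound packets for 203.0.113.21 to
! ctxA, and the server at 10.1.1.21 can both answer and initiate connections.
static (inside,outside) 203.0.113.21 10.1.1.21 netmask 255.255.255.255

! --- Inside context ctxB (changeto context ctxB) ---
interface outside_shared
  nameif outside
  security-level 0
  ip address 203.0.113.12 255.255.255.0     ! unique to ctxB on the shared link
interface insideB
  nameif inside
  security-level 100
  ip address 10.2.2.1 255.255.255.0
! A static mapping to a different outside address keeps ctxB's traffic
! unambiguous to the classifier on the shared interface.
static (inside,outside) 203.0.113.22 10.2.2.22 netmask 255.255.255.255
```

Because classification on the shared interface keys on the translated destination address, the mapped addresses (203.0.113.21 and 203.0.113.22 here) must not overlap between contexts; a duplicate mapping would leave the classifier unable to decide which context owns the packet.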
Configuring an inside shared interface might pose another potential problem when using
shared interfaces and NAT. This problem arises when communication between a shared
interface and an external network, such as the Internet, is desired and the destination
addresses are unlimited. The Security Appliance requires static NAT translation to support
this configuration, which limits the kind of Internet access that can be provided to users
on the inside shared interface. As previously stated, many issues must be considered before
configuring shared interfaces, especially when NAT is also deployed on the Security
Appliance. Take time to work out the design so that these issues do not hinder your network's
stability.