Hi all!

I'm really puzzled about the packet-classification issue I ran into in this task. We use two contexts here on the ASA2, and for some other requirement we can't use different MAC addresses.

OK, so we have to use statics to let the ASA know how to classify packets - based on the destination IP-address.

I did this already in an earlier task: I configured on ContextB the static for the address-range on the inside. Packets arriving on the shared-interface (outside) destined for the inside can then be classified:

 Code:
static (INSIDE,OUTSIDE) 204.12.1.0 204.12.1.0 netmask 255.255.255.0 


So far so good, but this doesn't work for Task 5.4. When I test the connectivity from inside to outside (to test reachability of the webserver, which has to be proxy-authenticated), I get the following error:

 Code:
%ASA-3-305005: No translation group found for tcp src INSIDE:204.12.1.200/1353 dst OUTSIDE:163.1.19.200/80


The solution-guide suggests configuring this:

 Code:
static (OUTSIDE,INSIDE) 163.1.19.200 163.1.19.200 netmask 255.255.255.255


And indeed with the above configuration it works. I just don't understand why!?

1) Why does the problem already occur when the packet coming from the inside hits the ASA? As this packet is arriving from the inside, which is the non-shared interface, there should be no need for classification?

2) According to the documentation on CCO, classification on the ASA uses the destination-address only. So when the packet comes back, I would expect classification to occur. This classification would look at the destination-address of the packet (204.12.1.200) and then forward the packet to ContextB (because we already have the static covering this range). But it doesn't work that way.

Obviously I'm not understanding something here. Can somebody help please?

Thanks a lot,
airflow