I have two ASA 5520s configured in multiple context mode; the two contexts share both the inside and the outside interfaces.
I have configured mac-address auto in the system context to assign a unique MAC to each sub-interface.
When I try to send a packet from the inside interface I got the following error:
Drop-reason: (ifc-classify) Virtual firewall classification failed
If I try to send a packet from the outside toward a more secure interface all works well.
Both contexts have a static translation for the inside network:
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
But the destination networks are different for each context:
src 192.168.0.1 dst 22.214.171.124/26
src 192.168.0.1 dst 126.96.36.199/27
The classifier criteria should first use the unique MACs, then the NAT translation, performing a destination lookup, right?
Why is the traffic from the shared inside not classified?
For the classifier to work properly when using shared inside interfaces, you will need to have a static NAT entry in place for the outside address to appear as a global address for the classifier to examine packets entering from the inside network to decide which context should receive a packet.
Post your config...
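
A simplified model of the classification order discussed in this thread, added here as an example (not code from either poster or from Cisco). The context names, the shared MAC and the destination networks are constructed, and the sketch assumes the NAT step only examines static entries whose mapped (global) interface is the interface the packet arrived on.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Context:
    name: str
    macs: dict                                   # interface -> MAC seen on that interface
    statics: list = field(default_factory=list)  # (real_ifc, mapped_ifc, mapped_net)

def classify(contexts, ingress_ifc, dst_mac, dst_ip):
    """Return the receiving context name, or None for an ifc-classify drop."""
    # Step 1: a destination MAC owned by exactly one context on the ingress interface.
    by_mac = [c for c in contexts if c.macs.get(ingress_ifc) == dst_mac]
    if len(by_mac) == 1:
        return by_mac[0].name
    # Step 2: NAT destination lookup. Assumption: only statics whose mapped
    # (global) interface equals the ingress interface are examined.
    dst = ipaddress.ip_address(dst_ip)
    by_nat = [c for c in contexts
              if any(mapped == ingress_ifc and dst in ipaddress.ip_network(net)
                     for _real, mapped, net in c.statics)]
    return by_nat[0].name if len(by_nat) == 1 else None

SHARED_MAC = "0000.5e00.5301"  # constructed: identical in both contexts, so step 1 cannot decide

def build(with_outside_statics):
    """Two constructed contexts sharing 'inside'; both carry the thread's (inside,dmz) static."""
    a = Context("ctxA", {"inside": SHARED_MAC}, [("inside", "dmz", "192.168.0.0/24")])
    b = Context("ctxB", {"inside": SHARED_MAC}, [("inside", "dmz", "192.168.0.0/24")])
    if with_outside_statics:
        # Constructed destination networks, one per context, exposed as
        # global addresses on the shared inside interface.
        a.statics.append(("outside", "inside", "198.51.100.0/26"))
        b.statics.append(("outside", "inside", "203.0.113.0/27"))
    return [a, b]

if __name__ == "__main__":
    for fixed in (False, True):
        for dst in ("198.51.100.10", "203.0.113.5"):
            result = classify(build(fixed), "inside", SHARED_MAC, dst)
            print(f"outside statics={fixed} dst={dst} -> {result or 'drop (ifc-classify)'}")
```

In this model the (inside,dmz) static never helps a packet arriving on inside, because its mapped interface is dmz; only the per-context entries mapped onto inside let the destination lookup pick a context.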