https://community.cisco.com/t5/network-security/permit-traffic-to-inside-via-mac-address/m-p/1684143#M558299 <HTML><HEAD></HEAD><BODY><P>I was about 99.999% that was the case. But sometimes the gurus out there come up with a way i haven't thought of.&nbsp; I apprecaite your quick response!</P></BODY></HTML> Thu, 07 Apr 2011 20:08:18 GMT Scott Payne 2011-04-07T20:08:18Z https://community.cisco.com/t5/network-security/permit-traffic-to-inside-via-mac-address/m-p/1684141#M558288 <P>Hello everyone!</P><P>I have a handheld device that will be used for inventory outside of our office. It has 3g capabilities. Is there anyway I can permit traffic from this device from the outside world coming into my network?&nbsp; I need to open a couple of ports so it can hit the server. But I have no intention to open these ports up to the entire world.&nbsp; I use an ASA 5520 with a managed router from our provider. I looked around on the Cisco site and the only information I found was for permitting and denying traffic from devices that are within the network.</P> Mon, 11 Mar 2019 20:18:20 GMT https://community.cisco.com/t5/network-security/permit-traffic-to-inside-via-mac-address/m-p/1684141#M558288 Scott Payne 2019-03-11T20:18:20Z https://community.cisco.com/t5/network-security/permit-traffic-to-inside-via-mac-address/m-p/1684142#M558295 <HTML><HEAD></HEAD><BODY><P>Hi Scott,</P><P></P><P>It is not possible to do what you are trying to acheive, not because the ASA doesn't support it, but because the way a packet travels in a network.</P><P></P><P>Lets suppose you have the following topology:</P><P></P><P>A------------B(router1)C---------D(router2)E---------F</P><P></P><P>A is you mobile and F your server.</P><P></P><P>When A wants to communicate with F, the packet header goes as: IP(A),IP(F),MAC(A),MAC(B)</P><P>Then beyond router1: IP(A),IP(F),MAC(C),MAC(D)</P><P></P><P>MAC(A) is already lost, and cannot be used to regulate traffic on the next router.</P><P></P><P>Thus the ASA would see most of internet traffic with the source MAC of its next hop gateway.</P><P></P><P>So one option for you, if the hand held device can do remote access VPN: is to configure the ASA for remote access vpn, and then connect to the ASA in that fashion. So only those who know the username password etc, will be able to have access.</P><P>But then, if I am not mistaken, you would need to purchase certain licenses for the ASA to support that.</P><P></P><P>Alternately, you would have to open the ports to the internet, which as you have mentioned, would let it become accessible by anyone.</P><P>However, if you could configure a login mechanism for those services on the server, and per client tcp connection limits (of say 5) on the ASA, then you should be well guarded in my opinion.</P><P></P><P>Hope this helps.</P><P></P><P>-Shrikant</P><P></P><P>P.S.: Please mark the question resolved, if it has been answered. Do rate helpful posts. Thanks.</P></BODY></HTML> Thu, 07 Apr 2011 20:04:23 GMT https://community.cisco.com/t5/network-security/permit-traffic-to-inside-via-mac-address/m-p/1684142#M558295 Shrikant Sundaresh 2011-04-07T20:04:23Z https://community.cisco.com/t5/network-security/permit-traffic-to-inside-via-mac-address/m-p/1684143#M558299 <HTML><HEAD></HEAD><BODY><P>I was about 99.999% that was the case. But sometimes the gurus out there come up with a way i haven't thought of.&nbsp; I apprecaite your quick response!</P></BODY></HTML> Thu, 07 Apr 2011 20:08:18 GMT https://community.cisco.com/t5/network-security/permit-traffic-to-inside-via-mac-address/m-p/1684143#M558299 Scott Payne 2011-04-07T20:08:18Z