03-31-2003 02:20 PM - edited 02-20-2020 10:39 PM
I have an application called MeetingMaker located behind my PIX 515 that is used offsite by 5 users. Since they access this program over the internet, and the users may have dynamic addresses, is it possible to filter these by MAC address somehow to allow access through the firewall to the app? Thank you.
03-31-2003 03:00 PM
MAC addresses do not traverse Layer 3 boundaries. In other words, your client's MAC address cannot be seen or known once the traffic crosses the default router for that subnet. So the answer to your question is "no".
You can use AAA to handle this. How do your clients connect to the server (port/application)? If it's HTTP/S, the Pix can verify that username/password before allowing access. If it's some other application/port, you can still use authentication by forcing them to connect to the web server on there first. This will cause the Pix to authenticate using the browser challenge, and the Pix can be configured to allow all other connections from authenticated hosts.
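The Layer 2 rewrite described in the reply above, as an added example that is not part of the original thread: a small simulation of two offsite clients whose frames cross two routed hops before reaching the firewall. All MAC and IP addresses are constructed sample values, and each router is assumed to use one MAC on all of its interfaces.

```python
import struct

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def ip_checksum(hdr):
    # Standard one's-complement sum over the 20-byte IPv4 header.
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(src_mac, dst_mac, src_ip, dst_ip, ttl=64):
    addr = lambda s: bytes(int(o) for o in s.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 6, 0,
                      addr(src_ip), addr(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + hdr

def route_hop(frame, egress_mac, next_hop_mac):
    # A router discards the received Ethernet header, decrements the TTL,
    # recomputes the IP checksum and writes a brand-new Ethernet header.
    hdr = bytearray(frame[14:34])
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return mac(next_hop_mac) + mac(egress_mac) + b"\x08\x00" + bytes(hdr)

def seen_by_firewall(frame):
    # Source MAC is bytes 6..11 of the frame; source IP is bytes 26..29.
    return frame[6:12].hex(":"), ".".join(map(str, frame[26:30]))

# Constructed sample topology (not from the thread).
EDGE_ROUTER = "02:00:00:00:ff:01"   # last router in front of the firewall
FIREWALL = "02:00:00:00:ff:02"      # firewall outside interface
CLIENTS = [("02:00:00:00:00:01", "02:00:00:00:aa:01", "198.51.100.10"),
           ("02:00:00:00:00:02", "02:00:00:00:aa:02", "203.0.113.20")]

def arrivals():
    out = []
    for client_mac, gw_mac, client_ip in CLIENTS:
        frame = build_frame(client_mac, gw_mac, client_ip, "192.0.2.1")
        frame = route_hop(frame, gw_mac, EDGE_ROUTER)    # client's gateway
        frame = route_hop(frame, EDGE_ROUTER, FIREWALL)  # edge router
        out.append((frame, seen_by_firewall(frame)))
    return out

if __name__ == "__main__":
    for _, (src_mac, src_ip) in arrivals():
        print(f"firewall sees src MAC {src_mac}, src IP {src_ip}")
```

Both clients arrive with the edge router's MAC as the source, so a MAC filter on the firewall has nothing to tell them apart; only the Layer 3 and higher fields survive the path.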
03-31-2003 04:29 PM
Outstanding! Thank you very much.