PIX-restricting inbound pkts to specific MAC address of internet router

rramasamy
Level 1
Level 1

How to configure the PIX to restrict - to only accept - packets from the ethernet of the router connected to the internet on the outside interface.

2 Replies

tvanginneken
Level 4
Level 4

Hi,

You can't filter traffic through the pix based on the MAC address of the packet.

If you like to allow inbound traffic (from the Internet to the inside) you will have to configure two things:

- 'static' translations for the servers that are providing services

- an 'access-list' that specifies which inbound traffic is allowed. This access-list should be applied to the outside interface (with 'access-group' command)

Please have a look at this URL for more info:

http://www.cisco.com/warp/public/707/28.html

(don't use the outdated 'conduit' command shown in some of the examples, use access-lists instead)

Kind Regards,

Tom
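A concrete PIX 6.x configuration of the two items Tom lists, added here as an illustration (this is not from the original reply). The addresses, the inside server, and the access-list name are assumptions; lines starting with `!` are annotations, not commands:

```text
! Added example, not the poster's configuration. All addresses are assumed.
! 1) Static translation: outside address 203.0.113.10 maps to the inside web server 10.1.1.10
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 0 0

! 2) Access-list naming exactly the inbound traffic that is allowed.
!    Anything not permitted here is dropped by the implicit deny at the end of the list.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq 443

! Bind the list to traffic arriving on the outside interface (this replaces the old 'conduit' approach)
access-group outside_in in interface outside

! Check hit counts and the active translation after testing from the outside
show access-list outside_in
show xlate
```

Note that every match criterion here is an IP address or a TCP/UDP port; there is no keyword for a source MAC address, which is the limitation Tom describes.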

Thanks Tom.

The idea is to verify the possibility in the following scenario:

1. IDS - Intrusion Detection System - between the outside interface of the pix and the internet router, detecting an attack, then it (IDS) has the capability of sending a RST to both the outside host/hacker's system and to the inside system to which he gained access.

2. If the pix - by default - recognizes the - spoofed RST coming from a non-internet rtr's ethernet's MAC address, then the RST will only go to the outside host/hacker's system and will not reach the inside system to which he gained access!!

I hope my doubt/question is clearer now. Thanks again for reply.

Regards,

Ramesh.
