01-06-2003 09:34 AM - edited 02-20-2020 10:28 PM
How to configure the PIX to restrict (to only accept) packets from the Ethernet of the router connected to the internet on the outside interface.
01-06-2003 02:21 PM
Hi,
You can't filter traffic through the PIX based on the MAC address of the packet.
If you would like to allow inbound traffic (from the Internet to the inside) you will have to configure two things:
- 'static' translations for the servers that are providing services
- an 'access-list' that specifies which inbound traffic is allowed. This access-list should be applied to the outside interface (with 'access-group' command)
Please have a look at this URL for more info:
http://www.cisco.com/warp/public/707/28.html
(don't use the outdated 'conduit' command shown in some of the examples, use access-lists instead)
Kind Regards,
Tom
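A minimal PIX 6.x configuration of the two pieces described above (a 'static' translation plus an inbound 'access-list' bound to the outside interface with 'access-group'), added here as an illustration and not taken from the original reply; the addresses, the server and the list name are constructed placeholders.

```cisco
! Constructed example: 203.0.113.10 (documentation range) is the public
! address mapped to a web server at 10.0.0.10 on the inside (placeholders).
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255 0 0
!
! Only the traffic named here is accepted from the outside; everything else
! inbound is dropped by the implicit deny at the end of the list.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq 443
!
! Bind the list to the outside interface in the inbound direction
! (this is the replacement for the outdated 'conduit' command).
access-group outside_in in interface outside
```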
01-07-2003 05:42 AM
Thanks Tom.
The idea is to verify the possibility in the following scenario:
1. IDS (Intrusion Detection System) between the outside interface of the PIX and the internet router, detecting an attack; then it (the IDS) has the capability of sending a RST to both the outside host/hacker's system and to the inside system to which he gained access.
2. If the PIX, by default, recognizes the spoofed RST coming from a non-internet router's Ethernet MAC address, then the RST will only go to the outside host/hacker's system and will not reach the inside system to which he gained access!!
I hope my doubt/question is clearer now. Thanks again for reply.
Regards,
Ramesh.