Passing internal MAC addresses through a PIX firewall?

davidwitteveen
Level 1

Is it possible to pass a device's MAC address through a Cisco PIX firewall?

Here's my situation: We've just had new security camera digital video recorders installed. The DVRs are on our internal network, behind the firewall.

Campus Security (outside the firewall) need to access these DVRs.

I've set up a static IP mapping on the PIX, and ACLs. But apparently the CCTV software also needs to see the MAC address of the DVRs to identify them. As things stand, the software is only getting the MAC address of the firewall.

I've Googled and read the Cisco site, but haven't found anything that says this can be done.

Is it possible for the PIX to pass an internal device's MAC address to outside hosts?

It's a Cisco PIX 515E, running software version 7.2

Thanks.

1 Reply

Jon Marshall
Hall of Fame

David

You would need to run your PIX in transparent mode, i.e. the PIX acts as a layer bridge between 2 VLANs but you can still filter the traffic. Obviously this would have a huge knock-on effect if you are currently running in routed mode, but that is the only way I know of achieving what you want.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/fwmode.html#wp1201980

As a further point, your PIX device should support contexts, so you may be able to use a separate context for the transparent firewall. I have only used contexts on the FWSM v2.x code and you couldn't mix routed/transparent contexts on the same device, but I believe that restriction was removed with v3.x software on FWSM, which is equivalent to v7.x code on PIX.

Jon
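
A sketch of the transparent-mode setup described in the reply above, added here as an illustration; it is not part of the thread and not copied from Cisco's guide. The 192.0.2.0/24 addresses, the MAC address, the ACL name and `<DVR_PORT>` are placeholders. It assumes the Campus Security hosts and the DVRs share one IP subnet, because 7.2 transparent mode bridges without NAT and a remote host only sees the DVR's MAC when no routed hop sits between them.

```cisco
! Back up the running configuration first: changing firewall mode
! clears it, including the existing static mapping and ACLs.
firewall transparent
!
! No per-interface IP addresses in transparent mode; the two
! interfaces bridge the same subnet.
interface Ethernet0
 nameif outside
 security-level 0
 no shutdown
!
interface Ethernet1
 nameif inside
 security-level 100
 no shutdown
!
! Single management address for the firewall itself (placeholder).
ip address 192.0.2.1 255.255.255.0
!
! Filtering still applies while bridging: allow only the Campus
! Security host (placeholder 192.0.2.50) to reach the DVR
! (placeholder 192.0.2.10) on the CCTV software's port.
access-list OUTSIDE_IN extended permit tcp host 192.0.2.50 host 192.0.2.10 eq <DVR_PORT>
access-group OUTSIDE_IN in interface outside
!
! The segments now share a broadcast domain, so pin the DVR's
! IP-to-MAC binding (placeholder MAC) and drop mismatched ARP.
arp inside 192.0.2.10 0000.5e00.5301
arp-inspection inside enable no-flood
arp-inspection outside enable no-flood
```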
