PIX firewall ACL question

teltac
Level 1

hello,

How could I configure my PIX firewall to allow an outside device (on the outside interface) to access the inside network (high security) based on the source MAC address of the outside device?

In other words, is it possible to configure an ACL based on source MAC address, then associate this ACL with a static NAT command and then apply the ACL to the outside interface by means of the access-group command?

Regards

Jacob

5 Replies

jmia
Level 7

Hi Jacob -

Firstly, which PIX IOS version have you got running? For what you are trying you'll need a 'Static Translation' and an ACL applied on your PIX outside interface to achieve your objective; I don't think you can do it with a MAC address, you will need an IP address.

Hope this helps --

Hello,

Thanks for your speedy reply,

I am on release 6.3(1). Are you sure that it could not be done with a MAC address? Because the outside device I am trying to give access into my internal network is a laptop connected to the Internet by dial-up and through different ISPs (each time it is assigned a different IP address), so I can't rely on the IP address in my case; the parameter that will remain the same is the MAC address.

Is there any solution or scenario to achieve that ?

Please advise

Thanks,

Jacob.

Hi Jacob --

OK, I've not had much time to look at the new features of PIX IOS 6.3(1) yet, but what I did find is the following (Ref: PIX v. MAC Address). This feature of translating MAC addresses in the document relates to VPN, BUT it might be what you are after. Have a read and let me know if it's any help to your problem.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.pdf

Hope this helps -- Jay

Jacob,

If the device which you want to give access to your inside network is a laptop dialing in and having a different IP address each time, the solution you're looking for will not be filtering based on MAC address. The reason for this is that you will never see the MAC address of the client: the source MAC address of the incoming frame will always be that of the device which connects to your ISP (in most cases a router or cable modem). This router forwards the IP packet and encapsulates it into the Ethernet frame, using its own MAC address as the source MAC address. So, it is simply not possible to filter on the MAC address of the laptop. Even if it were possible to filter on MAC addresses on the PIX (which, by the way, isn't possible), this would not solve your case.

A better solution to think about would be using the Cisco VPN client and enabling DES on your PIX (3DES is also possible, but costs you money, while the DES license is free to use).

There are some good documents on CCO where you can find sample configs on how to configure this on your PIX. Please take a look at this URL:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml

Hope this helps.

Kind regards,

Leo

MAC addresses only get used within a layer 2 network; once a router sits between two different layer 2 networks, MAC addresses get replaced. For an example, type arp -a on a command prompt on a Windows box: your PC will have an IP-to-MAC address table for the local subnet. All other hosts can only be reached via the IP default gateway (assuming an IP-only networking environment; similar parallels exist for IPX, etc.), in which case Ethernet frames for those external hosts will have the default gateway's MAC address on them as the destination address. The default gateway will then strip the source and destination layer 2 addresses, and replace the source with its own L2 address and the destination with the next known hop's L2 MAC address. Thus L2 addresses (commonly MAC addresses on Ethernet topologies) don't get used end to end across the Internet.

Configure a vpn for secure remote access from unknown locations.
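As an added illustration of the point made in the last two replies (not code from the thread or from Cisco), the model below carries one frame from the laptop across a chain of routers and reports what the PIX outside interface actually receives. The topology, MAC addresses and IP addresses are constructed for the example; the firewall is assumed to sit directly behind one upstream router.

```python
# Added example, not from the thread: a hop-by-hop forwarding model showing
# which source MAC a firewall sees after a frame has crossed routers.
# All MAC and IP values are constructed for the illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src_mac: str   # layer 2 header: rewritten at every router hop
    dst_mac: str
    src_ip: str    # layer 3 header: carried unchanged end to end (no NAT here)
    dst_ip: str


@dataclass(frozen=True)
class Hop:
    """A router with one MAC on the link it receives on, one on the link it sends on."""
    name: str
    in_mac: str
    out_mac: str


def forward(frame, path, firewall_mac):
    """Carry a frame across each router in `path`. Each router strips the L2
    header and re-encapsulates with its own egress MAC as source and the next
    device's MAC as destination; the IP header is left untouched."""
    for i, hop in enumerate(path):
        if frame.dst_mac != hop.in_mac:
            raise ValueError(f"{hop.name} would ignore a frame not addressed to it")
        next_mac = path[i + 1].in_mac if i + 1 < len(path) else firewall_mac
        frame = Frame(hop.out_mac, next_mac, frame.src_ip, frame.dst_ip)
    return frame


# Constructed path: laptop -> dial-up ISP router -> ISP core -> upstream router -> PIX
LAPTOP_MAC = "00:11:22:33:44:55"
PIX_OUTSIDE_MAC = "00:aa:bb:cc:dd:ee"
PATH = [
    Hop("isp-dialup", in_mac="00:01:01:01:01:01", out_mac="00:01:01:01:01:02"),
    Hop("isp-core", in_mac="00:02:02:02:02:01", out_mac="00:02:02:02:02:02"),
    Hop("upstream-rtr", in_mac="00:03:03:03:03:01", out_mac="00:03:03:03:03:02"),
]


def frame_seen_by_pix(laptop_mac, laptop_ip):
    """The laptop addresses its first frame to its default gateway's MAC;
    return what arrives on the PIX outside interface."""
    first = Frame(laptop_mac, PATH[0].in_mac, laptop_ip, "203.0.113.10")
    return forward(first, PATH, PIX_OUTSIDE_MAC)


def mac_acl_would_match(laptop_mac, laptop_ip):
    """Would a hypothetical source-MAC ACL entry for the laptop ever match?"""
    return frame_seen_by_pix(laptop_mac, laptop_ip).src_mac == laptop_mac
```

Whatever laptop MAC is fed in, the source MAC reaching the PIX is always the upstream router's, while the source IP is the only laptop-specific field that survives, which is why the replies above point to a static translation plus an IP-based ACL, or a VPN, instead.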
