Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

PIX firewall ACL question


how could i configure my pIX firewall to allow an outside device ( on the outside interface ) to access inside network( high security) based on the source MAC address of the outside device .

in other words is it possible to configure an ACL based on source MAC address , then associate this ACL to a static nat command and then apply the ACL to the outside interface by mean of acces group command.




Re: PIX firewall ACL question

Hi Jacob -

Firstly, which PIX IOS version have you got running. For what you are trying you'll need a 'Static Translation' and a ACL applied on your PIX outside interface to achive your objective, don't think you can do it with MAC address, will need IP address.

Hope this helps --

Community Member

Re: PIX firewall ACL question


Thanks for your speedy reply,

i am on release 6.3(1) , are you sure that could not be done with MAC address ? because the outside device i am trying to give it access into my internal network is a laptop connected to Internet by dial- up and through different ISPs( each time is assigned a different IP address) so i can' t rely on IP address in my case , the parameter that will remain the same is The MAC address,

Is there any solution or scenario to achieve that ?

Please advise




Re: PIX firewall ACL question

Hi Jacob --

OK, Not had much time to look at the new features of PIX IOS 6.3(1) yet, but what I did find is the following ( Ref: PIX v. MAC Address), this feature of tranlating MAC addresses on the document relates to VPN BUT it might be what you are after - have a read and let me know if it's any help to your problem.


Hope this helps -- Jay


Re: PIX firewall ACL question


If your device which you want to give access to your inside network is a laptop dialing and having a different IP address, the solution your looking for will not be looking into filtering based on MAC address. Reason for this is that you will never see the MAC address from the client, but the source MAC address of the incoming frame will always be the device which connects to your ISP (in most cases a router or cable modem). This router forwards the IP packet and encapsulates it into the Ethernetrame, using it's own MAC address as the source MAC address. So, it is simply not possible to filter on the MAC address of the laptop. Even if it would be possible to filter on MAC addresses on the PIX (which isn't by the way possible) this would not solve your case.

Better solution to think about would be using the Cisco VPN client and enabling DES on your PIX (3DES is also possible, but cost you money, while the DES license is free to use).

There are some good documents on CCO where you can find sample configs on how to configure this on your PIX. Please take a look at this URL:

Hope this helps.

Kind regards,



Re: PIX firewall ACL question

MAC addresses only get used within a layer 2 network - once a router is used between two different layer 2 networks, MAC addresses get replaced. For an example, type arp -a on a command prompt on a windows box - you pc will have ip to mac address table for the local subnet. All other hosts can only be accessed by the ip default gateway (assuming an ip only networking environment, similar parallels exist for ipx, etc), in which case ethernet frames for those external hosts will have the default gateway's mac address on them as the desination address. The default gateway will then strip the source and destination layer 2 addresses, and replace the source with its own L2 address, and the destination with that on the next known hop's L2 mac address. Thus L2 addresses (commonly mac addresses on ethernet topologies), don't get used end to end across the internet.

Configure a vpn for secure remote access from unknown locations.

CreatePlease to create content