PIX-restricting inbound pkts to specific MAC address of internet router

How to configure the PIX to restrict - to only accept - packets from the Ethernet of the router connected to the Internet on the outside interface.


Re: PIX-restricting inbound pkts to specific MAC address of internet router

Hi,

You can't filter traffic through the PIX based on the MAC address of the packet.

If you'd like to allow inbound traffic (from the Internet to the inside), you will have to configure two things:

- 'static' translations for the servers that are providing services

- an 'access-list' that specifies which inbound traffic is allowed. This access-list should be applied to the outside interface (with the 'access-group' command)

Please have a look at this URL for more info:

http://www.cisco.com/warp/public/707/28.html

(don't use the outdated 'conduit' command shown in some of the examples, use access-lists instead)

Kind Regards,

Tom
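As an added illustration of the two items Tom lists (a 'static' translation plus an 'access-list' applied with 'access-group'), here is a PIX 6.x configuration fragment. It is not part of the original post. The addresses (a public 203.0.113.10 mapped to an inside web server at 192.168.1.10), the access-list name outside_in and the choice of HTTP as the published service are assumed for the example.

```cisco
! Added example, not from the original thread. Addresses are assumed values.
! One-to-one static translation: public 203.0.113.10 <-> inside server 192.168.1.10
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255

! Inbound filter on the outside interface: only TCP/80 to the translated
! server address is permitted. Everything else hits the implicit deny at the
! end of the access-list and is dropped.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside

! Optional, beyond Tom's two items: unicast reverse-path check on the outside
! interface. It drops packets whose source IP is routed via another interface
! (e.g. a source claiming an inside address), which is an IP-level check only.
ip verify reverse-path interface outside
```

Note that every match here is on IP address, protocol, port and interface; nothing in the PIX policy keys on the source MAC of the Ethernet frame, which is the point of Tom's first sentence. The reverse-path check tightens what a spoofed source IP can do but still does not inspect MAC addresses.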


Re: PIX-restricting inbound pkts to specific MAC address of internet router

Thanks Tom.

The idea is to verify the possibility in the following scenario:

1. An IDS (Intrusion Detection System) sits between the outside interface of the PIX and the Internet router. On detecting an attack, it (the IDS) has the capability of sending an RST to both the outside host/hacker's system and to the inside system to which he gained access.

2. If the PIX, by default, recognizes the spoofed RST coming from a non-Internet-router Ethernet MAC address, then the RST will only go to the outside host/hacker's system and will not reach the inside system to which he gained access!

I hope my doubt/question is clearer now. Thanks again for reply.

Regards,

Ramesh.
