
BLOCK A HOST FROM THE INSIDE

Manuel asked
Medium Priority
216 Views
Last Modified: 2013-11-16
Hello,

Is there a way to block a host from the inside using only their MAC address on a PIX 501?

Thank You

Les Moore, Sr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
Only by IP address on the PIX. By MAC on switches or on routers.
Does the switch that the PIX is connected to support ACLs? What kind of switch is it?

Author

Commented:
It is a 3500 XL Switch.
Les Moore, Sr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
No ACLs supported on the 3500XL.
Can you be more specific on what you are trying to do?
Do you have a misbehaving user that keeps changing their IP address?

Author

Commented:
I have a user who connects to the network using a wireless connection. They are assigned an IP address from the wireless DHCP router. I want to block this user from having access to the network. The DHCP addresses for the wireless users are changed every day by the DHCP server.

Les Moore, Sr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
Try adjusting the lease time for DHCP on the router so that the IPs don't change every day.
Do these wireless users get an IP address on a different IP subnet than the users on the inside of the PIX? In other words, is this wireless router's WAN port or LAN port connected to your network? What kind of router is it? Are you trying to block this user from using the Internet through the PIX, or from accessing the LAN from the wireless net?
There's not a lot you can do with what you have.

Author

Commented:
The wireless users get an IP address from a different subnet than the inside of the PIX. However, the WAN port on the wireless router is on the same subnet as the inside of the PIX. Also, the wireless router is running NAT.
Les Moore, Sr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
Then the wireless router is where you have to put the restrictions. All the PIX will ever see is the NATted IP address and the MAC address of the router.
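As an added illustration, not part of the thread, here is what the only filter the PIX can apply in this setup looks like, a PIX 6.x-style access list on the inside interface, and why it is too coarse for the asker's problem. The address 192.168.1.1 is a constructed sample value standing for the wireless router's WAN port, and the ACL name inside_in is assumed. Because the wireless router performs NAT, every wireless client reaches the PIX with that one source address, so the deny line cuts off all of them rather than the single misbehaving user.

```cisco
! Added example: PIX 6.x-style access list applied inbound on the inside interface.
! 192.168.1.1 is a constructed sample address for the wireless router's WAN port;
! "inside_in" is an assumed ACL name.
!
! The PIX only sees post-NAT traffic, so this deny covers every wireless client
! behind the router, not one user. Per-user control (MAC filter or a fixed
! MAC-to-IP lease) has to be configured on the wireless router itself.
access-list inside_in deny ip host 192.168.1.1 any
access-list inside_in permit ip any any
access-group inside_in in interface inside
```

Read in the direction of the thread's conclusion: the PIX rule is useful as a blanket block of the whole wireless segment, but singling out one client requires the device that actually sees that client's MAC address.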

vreyesii

Commented:
I would suggest a MAC-IP address mapping to the user for the DHCP appliance. Have the appliance use a different subnet, which will not allow the two nets to talk. Then use an ACL as suggested before for a bootstrap.

Author

Commented:
Thank you both for all your help.