Actually, this can be achieved easily using reflexive ACLs on any Cisco router, so no real need to change the topology or add new devices in the path: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#reflexacl
Arie

On Sat, Nov 28, 2009 at 10:26 PM, Duane Waddle <[email protected]> wrote:
> On Sat, Nov 28, 2009 at 1:41 PM, Brielle Bruns <[email protected]> wrote:
> >
> > My partner Tammy says a PIX could probably accomplish the same task (we
> > have some here for the corp lan stuff, including spares).
>
> Yes, a PIX/ASA would stop this cold. The TCP state tracking would not
> allow traffic to pass unless the whole 3-way handshake was observed by
> the box. Only recently did Cisco add features to make tracking the
> TCP connection state optional.
> (
> http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.pdf
> )
> The larger ASA-5580 machines can be virtualized into dozens (or more)
> security contexts as needed. I imagine it would take some effort to
> figure out how to cleanly integrate such a configuration into a POP.
>
> --D
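As an added illustration of the reflexive ACL approach Arie links (example configuration, not posted by anyone in the thread), assuming GigabitEthernet0/0 is the upstream-facing interface and 192.0.2.10 is a host that must still accept unsolicited inbound SSH:

```cisco
! Outbound direction: every TCP/UDP session leaving the network creates a
! temporary reverse entry in the named reflexive list.
ip access-list extended OUTBOUND
 remark -- track sessions initiated from inside --
 permit tcp any any reflect TCP-SESSIONS timeout 300
 permit udp any any reflect UDP-SESSIONS timeout 60
 permit ip any any

! Inbound direction: only explicitly published services plus the return
! traffic of sessions that were opened from inside are allowed.
ip access-list extended INBOUND
 remark -- explicitly published service (example host) --
 permit tcp any host 192.0.2.10 eq 22
 remark -- return traffic for inside-initiated sessions --
 evaluate TCP-SESSIONS
 evaluate UDP-SESSIONS
 remark -- everything else, including unsolicited TCP, is dropped --
 deny ip any any log

! Global fallback timeout for reflexive entries that never see FIN/RST.
ip reflexive-list timeout 120

interface GigabitEthernet0/0
 description Upstream (Internet facing)
 ip access-group OUTBOUND out
 ip access-group INBOUND in
```

Reflexive entries are keyed on the reversed address/port pair and removed on timeout or when the router sees a FIN or RST, so this is a lighter-weight session filter than the full handshake-validating state tracking Duane describes on the ASA, though it still drops inbound TCP that no inside host initiated.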

