https://community.cisco.com/t5/network-security/asa5500-series-mac-address-access-rule-configuration/m-p/2396362#M271073 <P>Hi all:</P><P></P><P>I went through ASA documentation, there is "mac-list" configuration command to configure mac address access list.</P><P></P><P>Refer to the link:</P><P></P><P><A href="http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_fwaaa.html" rel="nofollow" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_fwaaa.html</A></P><P></P><P>under the topic of "Using MAC Addresses to Exempt Traffic from Authentication and Authorization".</P><P></P><P>This seems like the MAC Address configured is used for Authentication and Authorization exemption.</P><P></P><P>Actually, my main purpose is to configure MAC address access rule and apply to ASA 5500 series firewall. As such, I have questions below and need anybody know about MAC Address access rules on ASA 5500 series can help:</P><P></P><P>1. Can the above MAC Address command&nbsp; <EM>mac-list </EM>can be used to configure MAC Address list and apply in the firewall interface as same as IP address, like "access-group <EM>mac-list </EM>in interface outside"?</P><P></P><P>2. When the firewall in routed mode, Can the MAC Address access list and rule applying be used and how to configure to use?</P><P></P><P>3. If firewall only in transparent mode then can to do the MAC Address access list and rule applying, then how to do the configuration?</P><P></P><P>Many thanks!</P><P></P><P>Best regards,</P><P>tangsuan</P> Tue, 12 Mar 2019 03:34:07 GMT Tang-Suan Tan 2019-03-12T03:34:07Z https://community.cisco.com/t5/network-security/asa5500-series-mac-address-access-rule-configuration/m-p/2396362#M271073 <P>Hi all:</P><P></P><P>I went through ASA documentation, there is "mac-list" configuration command to configure mac address access list.</P><P></P><P>Refer to the link:</P><P></P><P><A href="http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_fwaaa.html" rel="nofollow" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_fwaaa.html</A></P><P></P><P>under the topic of "Using MAC Addresses to Exempt Traffic from Authentication and Authorization".</P><P></P><P>This seems like the MAC Address configured is used for Authentication and Authorization exemption.</P><P></P><P>Actually, my main purpose is to configure MAC address access rule and apply to ASA 5500 series firewall. As such, I have questions below and need anybody know about MAC Address access rules on ASA 5500 series can help:</P><P></P><P>1. Can the above MAC Address command&nbsp; <EM>mac-list </EM>can be used to configure MAC Address list and apply in the firewall interface as same as IP address, like "access-group <EM>mac-list </EM>in interface outside"?</P><P></P><P>2. When the firewall in routed mode, Can the MAC Address access list and rule applying be used and how to configure to use?</P><P></P><P>3. If firewall only in transparent mode then can to do the MAC Address access list and rule applying, then how to do the configuration?</P><P></P><P>Many thanks!</P><P></P><P>Best regards,</P><P>tangsuan</P> Tue, 12 Mar 2019 03:34:07 GMT https://community.cisco.com/t5/network-security/asa5500-series-mac-address-access-rule-configuration/m-p/2396362#M271073 Tang-Suan Tan 2019-03-12T03:34:07Z https://community.cisco.com/t5/network-security/asa5500-series-mac-address-access-rule-configuration/m-p/2396363#M271079 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>The mac-list can only be used for AAA.</P><P>The ASA cannot block by mac address in router mode.</P><P>In transparent mode I think the only option is ethertype ACLs:</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/command-reference/a1.html#wp1598101">http://www.cisco.com/en/US/docs/security/asa/command-reference/a1.html#wp1598101</A></P><P></P><P>Regards,</P><P></P><P>Felipe.</P><P></P><P></P><P> Remember to rate useful posts. </P></BODY></HTML> Fri, 24 Jan 2014 00:48:23 GMT https://community.cisco.com/t5/network-security/asa5500-series-mac-address-access-rule-configuration/m-p/2396363#M271079 lcambron 2014-01-24T00:48:23Z https://community.cisco.com/t5/network-security/asa5500-series-mac-address-access-rule-configuration/m-p/2396364#M271084 <HTML><HEAD></HEAD><BODY><P>Hi Felipe:</P><P></P><P>Thanks to your reply!</P><P></P><P>I refer to the link you provided, for example, if I want to allow only MAC address of a host 00-10-18-18-c3-32 (MAC address is a 12 bits Hexadecimal) from Outside to Inside, can below two CLI work? Please advise.</P><P></P><P>(config)#access-list MAC1 ethertype permit 0x00101818c332 any</P><P>(config)#access-group MAC1 in interface Outside </P><P></P><P>Thanks!</P><P></P><P>Best regards,</P><P></P><P>tangsuan</P></BODY></HTML> Fri, 24 Jan 2014 08:59:57 GMT https://community.cisco.com/t5/network-security/asa5500-series-mac-address-access-rule-configuration/m-p/2396364#M271084 Tang-Suan Tan 2014-01-24T08:59:57Z https://community.cisco.com/t5/network-security/asa5500-series-mac-address-access-rule-configuration/m-p/2396365#M271092 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Doing more research on this, seems like the ethertype ACL cannot be use to allow or deny traffic based on MAC address.</P><P>So I dont think this is possible on the ASA using either routed or transparent mode. </P><P></P><P>Regards,</P><P></P><P>Felipe. </P></BODY></HTML> Fri, 24 Jan 2014 14:05:10 GMT https://community.cisco.com/t5/network-security/asa5500-series-mac-address-access-rule-configuration/m-p/2396365#M271092 lcambron 2014-01-24T14:05:10Z https://community.cisco.com/t5/network-security/asa5500-series-mac-address-access-rule-configuration/m-p/2396366#M271097 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-size: 12pt;">Hi Felipe and all:</SPAN></P><P></P><P><SPAN style="font-size: 12pt;"><STRONG>Thanks to your reply!</STRONG></SPAN></P><P></P><P><SPAN style="font-size: 12pt;"><EM><STRONG>Just think of one way to do the MAC address access control in Transparent firewall may be is by using ARP and ARP-INSPECTION. </STRONG></EM></SPAN></P><P><SPAN style="font-size: 12pt;"><EM><STRONG>By using these two commands to match IP to a MAC Address so that that IP can act on behalf of that particular MAC Address for the purpose of configuration of IP Address access rule.</STRONG></EM></SPAN></P><P></P><P><SPAN style="font-size: 12pt;"><EM><STRONG>Is it this is an alternative way of doing MAC Address access control? Anybody can advise or suggest any way? Thanks!</STRONG></EM></SPAN></P><P></P><P><SPAN style="font-size: 12pt;"><EM><STRONG>On the way of trying the Transparent Firewall, I found one question here and need some advise.</STRONG></EM></SPAN></P><P><SPAN style="font-size: 12pt;"><EM> </EM></SPAN></P><P><SPAN style="font-size: 12pt;"><EM><STRONG>There is multiple BVI interfaces in different IP subnets can be set in the Transparent Firewall. The problem is Transparent Firewall always implements in one subnet. Then what is the purpose of doing multiple BVI in a Transparent Firewall, can anybody help to explain the purpose? Many thanks!</STRONG></EM></SPAN></P><P></P><P><SPAN style="font-size: 12pt;">Best regards,</SPAN></P><P><SPAN style="font-size: 12pt;"> </SPAN></P><P><SPAN style="font-size: 12pt;">tangsuan</SPAN></P></BODY></HTML> Sun, 26 Jan 2014 13:57:50 GMT https://community.cisco.com/t5/network-security/asa5500-series-mac-address-access-rule-configuration/m-p/2396366#M271097 Tang-Suan Tan 2014-01-26T13:57:50Z https://community.cisco.com/t5/network-security/asa5500-series-mac-address-access-rule-configuration/m-p/2396367#M271102 <HTML><HEAD></HEAD><BODY><P>Hi all:</P><P></P><P>Seems like no reply on my above discussion.</P><P></P><P>Could anybody please raise any point and any advice if you have on above discussion. Many thanks!</P><P></P><P>Best regards,</P><P>tangsuan </P></BODY></HTML> Wed, 05 Feb 2014 04:50:42 GMT https://community.cisco.com/t5/network-security/asa5500-series-mac-address-access-rule-configuration/m-p/2396367#M271102 Tang-Suan Tan 2014-02-05T04:50:42Z