Re: Context FW 'mac-address auto'

johnlloyd_13 · ‎02-24-2019

hi,

i'm going to configure a multiple context FW on a new ASA5525-X.

i saw previous setup with and without the 'mac-address auto' command under the system context.

my question is, is the command required or optional?

if not enabled, will this cause 'asymmetric' routing issue towards a specific context?

Mohammed al Baqari · ‎02-24-2019

It can work with and without this command.

By default, contexts sharing same interface will have the same mac address
for the interface in each context which is the mac of the physical
interface. When the packets forwarded from the upstream device to the
multi-context firewall, the firewall will use the destination IP address to
identify the right context because all contexts share the same destination
mac (For the shared interface). To get destination IP used, you need to
configure NAT rules for that destination address (unity NAT or identity
NAT). This method has other limitations.

With this command, each presence of the share interface per context will
have a uniquely generated MAC address started with A2.

In you don't share any interface between contexts then you don't have
problems and this command isn't needed. However, if you have shared
interfaces the best practice is to enable this command.

Sheraz.Salim · ‎02-24-2019

From version 9.3 this command is enable auto so you don’t have to config this.

If you using nat on the box it will use the nat sequence number to create a sessions

please do not forget to rate.