Personally, I wouldn't change my infrastructure just because one feature doesn't work as expected. Better to look for the cause of the problem. After changing the MAC addresses on the ASA, have you tried to clear the ARP cache on the router?
Having had a look, my configuration doesn't differ much from what was suggested anyway.
Yes, I have cleared the ARP cache on the router after changing the MAC addresses.
So from the standpoint of the adjacent router it looks fine with the different MAC addresses. Please explain what you mean by "locked out of the admin context". What exactly doesn't work?
Thanks for the replies.
I cannot connect via ASDM, SSH or telnet to the .194 address, nor can I ping it, etc. So I can't manage the ASA when mac-address auto is applied. (I schedule a reload before I apply this.)
So even though the router is showing a different MAC address in its ARP table, the ASA won't accept connections on the admin context and that IP address. I can't think of anything in the ASA that I've configured that would block/filter at L2.
Anything on the switch between the ASA and the router?
There's no switch between the router and the firewall. If I explain the topology a bit more, that might help.
Internet > Cisco 1921 > ASA 5520 > Dell Blade, Poweredge Switch M6348.
The switch has 2 VLANs, one for the 192.168.20.0/24 network. The other is the DMZ, 184.108.40.206/29.
The ASA has 2 contexts: admin, interface Gi0/0 220.127.116.11/29
ctx1 interface Gi0/0 18.104.22.168/28 - nameif outside
Interface G0/1 10.10.10.1/25 - nameif CMC (Management for blades)
Interface Gi0/2 192.168.20.254/24 nameif inside
Interface Gi0/2.1 22.214.171.124/29 nameif DMZ
I was primarily using NAT to reach various servers/management interfaces on the inside and CMC interfaces. That worked fine; however, we needed a publicly addressable space to run a SIP server and possibly some more things to come, which is where the DMZ came from. However, as the admin context and ctx1 share interface Gi0/0 and I need to route part of the public subnet to the DMZ, I found I needed to turn on mac-address auto in the system context. This allows the NAT and the DMZ to work, but I can't access the admin context. The ARP cache updates immediately on the router, so it sees the change, but I just wonder if it's something on the ASA that cannot accept traffic on that MAC address?
Sorry for the long-winded explanation, I hope this makes sense.
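The configuration shape this thread is discussing, written out as an added illustration rather than the poster's actual configuration: the system execution space enables mac-address auto and allocates the shared Gi0/0 to both contexts, each context then puts its own address on that interface, and the MAC each context ends up with is checked from inside the context and against the adjacent router's ARP table. The addresses are the ones listed in the thread; the VLAN number on Gi0/2.1, the config-url paths and the MAC value under the manual-assignment alternative are assumptions, not values from the thread.

```cisco
! ---- system execution space (added example; not the poster's configuration) ----
mac-address auto
!
! Subinterfaces are created here, not inside the contexts; VLAN 30 is an assumption
interface GigabitEthernet0/2.1
 vlan 30
!
admin-context admin
context admin
 allocate-interface GigabitEthernet0/0
 config-url disk0:/admin.cfg
!
context ctx1
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 allocate-interface GigabitEthernet0/2
 allocate-interface GigabitEthernet0/2.1
 config-url disk0:/ctx1.cfg

! ---- inside context admin ----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 220.127.116.11 255.255.255.248
! Alternative to the auto-generated MAC: pin one per context (value is a placeholder)
! mac-address 000c.2900.0001

! ---- inside context ctx1 ----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 18.104.22.168 255.255.255.240

! ---- checks ----
! From the system space, visit each context: the two must report different MACs on Gi0/0
changeto context admin
show interface GigabitEthernet0/0 | include MAC
changeto context ctx1
show interface GigabitEthernet0/0 | include MAC
! On the adjacent router: after clearing, the entry for each ASA address must carry that context's MAC
clear arp-cache
show ip arp | include 220.127.116.11
show ip arp | include 18.104.22.168
```

If both contexts report the same MAC on Gi0/0, or the router's entry for the admin address still shows the old MAC after the clear, the problem is at the layer this thread is examining. If the MACs differ and the router's entries match what each context reports, L2 is working and the next things to look at are inside the admin context itself: the ssh, telnet and http statements that permit management from the outside interface, and any access list applied to that interface.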