ASA5500 series MAC address Access Rule Configuration

Tang-Suan Tan
Level 1

Hi all:

I went through the ASA documentation; there is a "mac-list" configuration command to configure a MAC address access list.

Refer to the link:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_fwaaa.html

under the topic of "Using MAC Addresses to Exempt Traffic from Authentication and Authorization".

It seems the configured MAC addresses are used for authentication and authorization exemption.

Actually, my main purpose is to configure a MAC address access rule and apply it on an ASA 5500 series firewall. As such, I have the questions below and would appreciate help from anybody who knows about MAC address access rules on the ASA 5500 series:

1. Can the above mac-list command be used to configure a MAC address list and apply it to a firewall interface in the same way as an IP access list, like "access-group mac-list in interface outside"?

2. When the firewall is in routed mode, can a MAC address access list be configured and applied, and how is it configured?

3. If a MAC address access list can only be applied when the firewall is in transparent mode, how is that configured?

Many thanks!

Best regards,

tangsuan

5 Replies

lcambron
Level 3

Hello,

The mac-list can only be used for AAA.

The ASA cannot block by MAC address in routed mode.

In transparent mode I think the only option is ethertype ACLs:

http://www.cisco.com/en/US/docs/security/asa/command-reference/a1.html#wp1598101

Regards,

Felipe.

Remember to rate useful posts.
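
To show what the mac-list command from the documentation link above actually does, here is an added configuration example (not from the original thread or from Cisco's documentation). It assumes ASA 8.2 syntax, a LOCAL user database, an interface named inside, and constructed MAC addresses; the host MAC is the one quoted later in this thread, written in the ASA's dotted notation:

```cisco
! mac-list is referenced only by 'aaa mac-exempt'; 'access-group' does not accept it.
! Syntax: mac-list <id> {permit|deny} <mac> <mask>, where set mask bits must match.
mac-list NO_AUTH permit 0010.1818.c332 ffff.ffff.ffff
! A 24-bit mask exempts every host sharing this (assumed) vendor OUI.
mac-list NO_AUTH permit 0003.4700.0000 ffff.ff00.0000
!
! Traffic matching AUTH_TRAFFIC triggers cut-through proxy authentication...
access-list AUTH_TRAFFIC extended permit tcp any any eq 80
aaa authentication match AUTH_TRAFFIC inside LOCAL
! ...except for hosts whose MAC matches the list, which are exempted.
aaa mac-exempt match NO_AUTH
```

The exemption only affects the AAA decision: a host in NO_AUTH still passes through the interface access lists like any other host, and a host not in the list is not blocked, it is merely asked to authenticate.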

Hi Felipe:

Thanks for your reply!

I referred to the link you provided. For example, if I want to allow only the MAC address of a host, 00-10-18-18-c3-32 (a MAC address is 12 hexadecimal bits), from Outside to Inside, can the two CLI commands below work? Please advise.

(config)#access-list MAC1 ethertype permit 0x00101818c332 any

(config)#access-group MAC1 in interface Outside

Thanks!

Best regards,

tangsuan

Hello,

Doing more research on this, it seems the ethertype ACL cannot be used to allow or deny traffic based on MAC address.

So I don't think this is possible on the ASA using either routed or transparent mode.

Regards,

Felipe.

Hi Felipe and all:

Thanks for your reply!

I just thought of one way to do MAC address access control in a transparent firewall: perhaps by using ARP and ARP-INSPECTION.

These two commands would be used to bind an IP to a MAC address, so that the IP can stand in for that particular MAC address for the purpose of configuring an IP address access rule.

Is this an alternative way of doing MAC address access control? Can anybody advise or suggest any way? Thanks!

While trying the transparent firewall, I ran into one question and need some advice.

Multiple BVI interfaces in different IP subnets can be set in the transparent firewall. The problem is that a transparent firewall is always implemented in one subnet. So what is the purpose of having multiple BVIs in a transparent firewall? Can anybody help explain the purpose? Many thanks!

Best regards,

tangsuan
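
The IP-to-MAC binding approach described in the post above, written out as an added example that is not part of the original thread. It assumes ASA 8.2 transparent-mode syntax; the interface names, the 192.168.1.0/24 management subnet and the host address are assumed values, and the host MAC is the one from earlier in the thread in the ASA's dotted notation:

```cisco
firewall transparent
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
!
! In 8.2 transparent mode the management address is global; both
! interfaces bridge the same subnet.
ip address 192.168.1.1 255.255.255.0
!
! Static ARP entry: this IP may only be claimed by this MAC, and only
! on the outside interface.
arp outside 192.168.1.10 0010.1818.c332
!
! ARP inspection checks every ARP packet against the static entries.
! A packet whose IP, MAC or interface contradicts an entry is dropped.
! 'no-flood' also drops ARP packets for addresses with no static entry,
! so hosts that are not listed cannot resolve anything across the ASA.
arp-inspection outside enable no-flood
arp-inspection inside enable no-flood
!
! The IP access rule then stands in for the MAC rule: only the bound
! address may initiate outside-to-inside traffic (the deny is explicit
! here only so that it can be logged).
access-list OUTSIDE_IN extended permit ip host 192.168.1.10 any
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! EtherType ACLs (transparent mode only) match the EtherType field of
! non-IP frames, never a MAC address. Their implicit deny does not
! affect IP or ARP, so this line only admits IPX on top of the above.
access-list NON_IP ethertype permit ipx
access-group NON_IP in interface outside
```

Two caveats a practitioner should keep in mind. First, ARP inspection validates ARP packets only; the ASA still forwards IP frames on the basis of the IP access list, so a host that statically configures both the bound IP and the bound MAC is not distinguished from the legitimate one, and this is weaker than a true MAC ACL on a switch port. Second, with no-flood, every host that must be reachable through the ASA needs its own static arp entry, otherwise its ARP traffic is silently dropped.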

Hi all:

It seems there has been no reply to my discussion above.

Could anybody please raise any points or give any advice you have on the discussion above? Many thanks!

Best regards,

tangsuan
