We're looking at exposing a service to the public interface, but want to lock it down to only specified MAC addresses and/or IPs being allowed to access it. From what I understand from this thread - https://supportforums.cisco.com/discussion/11754091/how-filter-mac-address-asa-5510 - we cannot do that with solely an ASA 5505 acting as our router and firewall, which is the current setup.
1. Can I confirm that this is still the case? That thread was 3 years ago, but I suspect it's still valid given that if the ASA is in routing mode it's acting solely at L3 and therefore doesn't deal with MACs.
2. So if we added a separate router and put the firewall in transparent mode, this could be done, right?
3. Are there any other options to make this work?
I'm not sure about filtering MAC addresses but I believe that you can expose that service doing static NAT to the Public IP and then filter the access to it by putting an ACL in place (like "outside_access_in") and filter which networks you allow to reach that Public IP (assuming you have more than one public IP).
We don't know what networks we want to allow though; that's the problem. We want our staff from their phones and their laptops to be able to access this service from wherever they are in the world, without having to open up the VPN first. So their IPs could be anything.
ASA if configured in the Routed Mode would not be able to filter traffic using the MAC address.
At the same time , if we want to filter the traffic using the MAC address , it is best to be configured on the Layer 2 switch.
If you are thinking of putting a Layer 3 device in front of ASA device and then use ETHERTYPE ACL , that can also work.
Also , you need to keep this in mind that the MAC would change at every layer 3 Hop so it might not be a feasible solution.
Thanks and Regards,