cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Mac address based filtering on ASA PIX

2667
Views
0
Helpful
0
Comments

 

Introduction

As we know based on the access rules functionality on the firewall devices we can’t do filtering with mac address.

 

However as a workaround we can use aaa authentication with mac-exempt to accomplish the same.

 

Topology

Please refer the topology below  I used for recreate

 

Client ------------------FW---------------------SERVER

 

Client IP---2.2.2.2

 

Client mac address--- 0200.4C4F.4F50

 

FW- outside interface--- 2.2.2.1

 

FW-Inside interface---172.16.10.1

 

Server's real IP---172.16.10.11

Server's mapped IP---2.2.2.11

Configuration

 

Following is the relevant NAT and access-list configuration for server:

 

static (inside,outside) 2.2.2.11 172.16.10.11

 

access-list outside-in extended permit tcp any host 2.2.2.11 eq www

 

access-list outside-in extended permit tcp any host 2.2.2.11 eq telnet

 

access-group outside-in in interface outside

 

 

Now, in order to do mac address based filtering with aaa authentication along with mac-exempt, you will need following commands:

 

access-list mac-filter permit tcp any host 2.2.2.11 eq 80

 

access-list mac-filter permit tcp any host 2.2.2.11 eq 23

 

username test2 password test2 privilege 15

 

mac-list bypass permit 0018.8ba7.d587 ffff.ffff.ffff

 

mac-list bypass permit 0018.8ba7.d598 ffff.ffff.ffff

 

 

aaa authentication match mac-filter outside LOCAL

 

aaa mac-exempt match bypass

 

aaa local authentication attempts max-fail 1

 

With above commands configured, the client would need to authenticate with the right username and password before it can access server on TCP 80 and 23. If the client is not able to provide the right username and password it can’t access the server.

 

Logs for succesful telnet session

 

 

%PIX-7-609001: Built local-host outside:2.2.2.2

 

%PIX-7-609001: Built local-host inside:172.16.10.11

 

%PIX-6-302013: Built inbound TCP connection 69 for outside:2.2.2.2/1874 (2.2.2.2/1874) to inside:172.16.10.11/23 (2.2.2.11/23)

 

%PIX-6-109001: Auth start for user '???' from 2.2.2.2/1874 to 172.16.10.11/23

  

%PIX-6-113012: AAA user authentication Successful : local database : user = test2

 

%PIX-6-113008: AAA transaction status ACCEPT : user = test2

 

%PIX-7-734003: DAP: User test2, Addr 2.2.2.2: Session Attribute aaa.cisco.username = test2

 

%PIX-6-734001: DAP: User test2, Addr 2.2.2.2, Connection Cut-Through-Proxy: The following DAP records were selected for this connection: DfltAccessPolicy

 

%PIX-2-109011: Authen Session Start: user 'test2', sid 7

 

%PIX-6-109005: Authentication succeeded for user 'test2' from 2.2.2.2/1874 to 172.16.10.11/23 on interface outside

 

%PIX-6-302014: Teardown TCP connection 69 for outside:2.2.2.2/1874 to inside:172.16.10.11/23 duration 0:00:14 bytes 275 TCP FINs (test2)

 

 

Logs for succesful http session

 

 

%PIX-7-609001: Built local-host outside:2.2.2.2

 

%PIX-7-609001: Built local-host inside:172.16.10.11

 

%PIX-6-302013: Built inbound TCP connection 54 for outside:2.2.2.2/1726 (2.2.2.2/1726) to inside:172.16.10.11/80 (2.2.2.11/80)

 

%PIX-6-109001: Auth start for user '???' from 2.2.2.2/1726 to 172.16.10.11/80

 

 

%PIX-6-113012: AAA user authentication Successful : local database : user = test2

 

%PIX-6-113008: AAA transaction status ACCEPT : user = test2

 

%PIX-7-734003: DAP: User test2, Addr 2.2.2.2: Session Attribute aaa.cisco.username = test2

 

%PIX-6-734001: DAP: User test2, Addr 2.2.2.2, Connection Cut-Through-Proxy: The following DAP records were selected for this connection: DfltAccessPolicy

 

%PIX-2-109011: Authen Session Start: user 'test2', sid 4

 

%PIX-6-109005: Authentication succeeded for user 'test2' from 2.2.2.2/1726 to 172.16.10.11/80 on interface outside

 

 

%PIX-6-302013: Built inbound TCP connection 58 for outside:2.2.2.2/1729 (2.2.2.2/1729) to inside:172.16.10.11/80 (2.2.2.11/80) (test2)

 

%PIX-6-106015: Deny TCP (no connection) from 2.2.2.2/1721 to 2.2.2.11/80 flags FIN ACK  on interface outside

 

%PIX-6-302014: Teardown TCP connection 54 for outside:2.2.2.2/1726 to inside:172.16.10.11/80 duration 0:00:15 bytes 588 TCP FINs (test2)

  

Now, in the second scenario if we permit the actual mac address of the client in the mac-list, then no authentication will be done

  

mac-list bypass permit 0200.4c4f.4f50 ffff.ffff.ffff

 

no mac-list bypass permit 0018.8ba7.d587 ffff.ffff.ffff

 

no mac-list bypass permit 0018.8ba7.d598 ffff.ffff.ffff

 

 

Logs for http session

 

 

%PIX-5-111008: User 'enable_15' executed the 'logging on' command.

 

%PIX-7-710005: UDP request discarded from 2.2.2.2/138 to outside:2.2.2.255/138

 

%PIX-7-609001: Built local-host outside:2.2.2.2

 

%PIX-7-609001: Built local-host inside:172.16.10.11

 

%PIX-6-302013: Built inbound TCP connection 61 for outside:2.2.2.2/1775 (2.2.2.2/1775) to inside:172.16.10.11/80 (2.2.2.11/80)

 

 

%PIX-6-302013: Built inbound TCP connection 62 for outside:2.2.2.2/1777 (2.2.2.2/1777) to inside:172.16.10.11/80 (2.2.2.11/80) (0200.4c4f.4f50)

 

%PIX-6-302014: Teardown TCP connection 61 for outside:2.2.2.2/1775 to inside:172.16.10.11/80 duration 0:00:08 bytes 549 TCP FINs (0200.4c4f.4f50)

 

%PIX-6-302014: Teardown TCP connection 62 for outside:2.2.2.2/1777 to inside:172.16.10.11/80 duration 0:00:00 bytes 2412 TCP FINs (0200.4c4f.4f50)

 

%PIX-7-609002: Teardown local-host inside:172.16.10.11 duration 0:00:08

 

HTH.

 

-

Sourav Kakkar