Introduction
Access rules on the ASA/PIX match on IP addresses, protocols and ports, so an access-list cannot filter on a client's MAC address.
As a workaround, AAA cut-through-proxy authentication combined with aaa mac-exempt gives a similar effect: hosts whose MAC address is permitted in a mac-list are passed through without authenticating, while every other host has to log in before its connection is allowed. Two caveats apply. The firewall only sees the MAC address of hosts on its directly connected segment (for a client behind a router it would see the router's MAC), and a MAC address is trivially spoofed, so an exempted MAC is a convenience, not proof of identity.
Topology
Refer to the topology below, which I used to recreate the scenario:
Client ------------------FW---------------------SERVER
Client IP---2.2.2.2
Client mac address--- 0200.4C4F.4F50
FW- outside interface--- 2.2.2.1
FW-Inside interface---172.16.10.1
Server's real IP---172.16.10.11
Server's mapped IP---2.2.2.11
Configuration
Following is the relevant NAT and access-list configuration for the server (pre-8.3 static NAT syntax, matching the PIX-style logs below):
static (inside,outside) 2.2.2.11 172.16.10.11
access-list outside-in extended permit tcp any host 2.2.2.11 eq www
access-list outside-in extended permit tcp any host 2.2.2.11 eq telnet
access-group outside-in in interface outside
To add MAC address based filtering through AAA authentication with mac-exempt, the following commands are needed. In this first scenario the bypass mac-list deliberately contains two MAC addresses that do not match the client (0200.4C4F.4F50), so the client is not exempted:
access-list mac-filter permit tcp any host 2.2.2.11 eq 80
access-list mac-filter permit tcp any host 2.2.2.11 eq 23
username test2 password test2 privilege 15
mac-list bypass permit 0018.8ba7.d587 ffff.ffff.ffff
mac-list bypass permit 0018.8ba7.d598 ffff.ffff.ffff
aaa authentication match mac-filter outside LOCAL
aaa mac-exempt match bypass
aaa local authentication attempts max-fail 1
With the above commands configured, any connection matching the mac-filter access-list (TCP 80 and 23 to the server) from a MAC address that is not permitted in the bypass mac-list is handled by the cut-through proxy: the client must first authenticate with a valid username and password (here the local user test2) before it can reach the server on those ports, and a client that cannot supply valid credentials gets no access. Ports not listed in mac-filter are not subject to authentication at all; they are governed only by the outside-in access-list. Note that aaa local authentication attempts max-fail 1 locks the local user after a single failed attempt (cleared with clear aaa local user lockout), so in production choose a less aggressive value.
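To make the matching rule concrete, here is an added example (mine, not the original post's and not Cisco's code) that models in Python how the bypass mac-list is evaluated: entries are walked in order, the first entry whose address matches the client MAC under the entry's mask wins, and only a matching permit exempts the client from authentication. The mac-list lines and the client MAC are taken from this post; the mask ffff.ffff.ffff means an exact match, while the shorter mask ffff.ff00.0000 in the OUI entry (an added illustration, not from the post) matches a whole vendor prefix. The mask interpretation (a 1 bit must match) follows Cisco's documented usage; the firewall's own implementation is not public.

```python
import re
from typing import List, Optional, Tuple

# Added example, not from the original post or from Cisco: a model of how an
# ASA/PIX mac-list is evaluated for "aaa mac-exempt match <list>".

Entry = Tuple[str, int, int]  # (action, address, mask) with address/mask as ints

MAC_LIST_RE = re.compile(
    r"^\s*(?P<neg>no\s+)?mac-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+"
    r"(?P<addr>[0-9a-fA-F.:-]+)\s+(?P<mask>[0-9a-fA-F.:-]+)\s*$"
)


def mac_to_int(mac: str) -> int:
    """Parse Cisco dotted form (0200.4c4f.4f50) or colon/dash form, any case."""
    digits = re.sub(r"[.:-]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return int(digits, 16)


def apply_config(entries: List[Entry], config_text: str, name: str = "bypass") -> List[Entry]:
    """Apply mac-list lines (including 'no mac-list ...' removals) to an entry list."""
    result = list(entries)
    for line in config_text.splitlines():
        m = MAC_LIST_RE.match(line)
        if not m or m.group("name") != name:
            continue
        entry: Entry = (m.group("action"), mac_to_int(m.group("addr")), mac_to_int(m.group("mask")))
        if m.group("neg"):
            if entry in result:
                result.remove(entry)
        else:
            result.append(entry)
    return result


def mac_list_match(entries: List[Entry], client_mac: str) -> Optional[str]:
    """First-match evaluation: a 1 bit in the mask means that bit must match.
    Returns 'permit', 'deny' or None (no entry matched)."""
    client = mac_to_int(client_mac)
    for action, addr, mask in entries:
        if (client & mask) == (addr & mask):
            return action
    return None


def requires_auth(entries: List[Entry], client_mac: str) -> bool:
    """Only a matching permit exempts the client from cut-through-proxy authentication."""
    return mac_list_match(entries, client_mac) != "permit"


# Configuration lines as they appear in the post (scenario 1, then the changes for scenario 2).
SCENARIO_1 = """
mac-list bypass permit 0018.8ba7.d587 ffff.ffff.ffff
mac-list bypass permit 0018.8ba7.d598 ffff.ffff.ffff
"""
SCENARIO_2_CHANGES = """
mac-list bypass permit 0200.4c4f.4f50 ffff.ffff.ffff
no mac-list bypass permit 0018.8ba7.d587 ffff.ffff.ffff
no mac-list bypass permit 0018.8ba7.d598 ffff.ffff.ffff
"""
# Added illustration (not in the post): deny one host, then permit its whole OUI.
OUI_EXAMPLE = """
mac-list bypass deny 0200.4c4f.4f50 ffff.ffff.ffff
mac-list bypass permit 0200.4c00.0000 ffff.ff00.0000
"""

CLIENT_MAC = "0200.4C4F.4F50"  # the client's MAC from the topology (upper case on purpose)

SCENARIO_1_ENTRIES = apply_config([], SCENARIO_1)
SCENARIO_2_ENTRIES = apply_config(SCENARIO_1_ENTRIES, SCENARIO_2_CHANGES)
OUI_ENTRIES = apply_config([], OUI_EXAMPLE)

if __name__ == "__main__":
    print("scenario 1, client must authenticate:", requires_auth(SCENARIO_1_ENTRIES, CLIENT_MAC))
    print("scenario 2, client must authenticate:", requires_auth(SCENARIO_2_ENTRIES, CLIENT_MAC))
    print("OUI example, same client:", mac_list_match(OUI_ENTRIES, CLIENT_MAC))
    print("OUI example, other host in the OUI:", mac_list_match(OUI_ENTRIES, "0200.4c11.2233"))
```

Order matters in the OUI example: because the specific deny precedes the OUI permit, the client is still forced to authenticate while other hosts in the same OUI are exempted; swap the two lines and the deny is never reached.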
Logs for a successful telnet session (client MAC not in the mac-list, so authentication is required)
%PIX-7-609001: Built local-host outside:2.2.2.2
%PIX-7-609001: Built local-host inside:172.16.10.11
%PIX-6-302013: Built inbound TCP connection 69 for outside:2.2.2.2/1874 (2.2.2.2/1874) to inside:172.16.10.11/23 (2.2.2.11/23)
%PIX-6-109001: Auth start for user '???' from 2.2.2.2/1874 to 172.16.10.11/23
%PIX-6-113012: AAA user authentication Successful : local database : user = test2
%PIX-6-113008: AAA transaction status ACCEPT : user = test2
%PIX-7-734003: DAP: User test2, Addr 2.2.2.2: Session Attribute aaa.cisco.username = test2
%PIX-6-734001: DAP: User test2, Addr 2.2.2.2, Connection Cut-Through-Proxy: The following DAP records were selected for this connection: DfltAccessPolicy
%PIX-2-109011: Authen Session Start: user 'test2', sid 7
%PIX-6-109005: Authentication succeeded for user 'test2' from 2.2.2.2/1874 to 172.16.10.11/23 on interface outside
%PIX-6-302014: Teardown TCP connection 69 for outside:2.2.2.2/1874 to inside:172.16.10.11/23 duration 0:00:14 bytes 275 TCP FINs (test2)
Logs for a successful HTTP session
%PIX-7-609001: Built local-host outside:2.2.2.2
%PIX-7-609001: Built local-host inside:172.16.10.11
%PIX-6-302013: Built inbound TCP connection 54 for outside:2.2.2.2/1726 (2.2.2.2/1726) to inside:172.16.10.11/80 (2.2.2.11/80)
%PIX-6-109001: Auth start for user '???' from 2.2.2.2/1726 to 172.16.10.11/80
%PIX-6-113012: AAA user authentication Successful : local database : user = test2
%PIX-6-113008: AAA transaction status ACCEPT : user = test2
%PIX-7-734003: DAP: User test2, Addr 2.2.2.2: Session Attribute aaa.cisco.username = test2
%PIX-6-734001: DAP: User test2, Addr 2.2.2.2, Connection Cut-Through-Proxy: The following DAP records were selected for this connection: DfltAccessPolicy
%PIX-2-109011: Authen Session Start: user 'test2', sid 4
%PIX-6-109005: Authentication succeeded for user 'test2' from 2.2.2.2/1726 to 172.16.10.11/80 on interface outside
%PIX-6-302013: Built inbound TCP connection 58 for outside:2.2.2.2/1729 (2.2.2.2/1729) to inside:172.16.10.11/80 (2.2.2.11/80) (test2)
%PIX-6-106015: Deny TCP (no connection) from 2.2.2.2/1721 to 2.2.2.11/80 flags FIN ACK on interface outside
%PIX-6-302014: Teardown TCP connection 54 for outside:2.2.2.2/1726 to inside:172.16.10.11/80 duration 0:00:15 bytes 588 TCP FINs (test2)
In the second scenario the client's actual MAC address is permitted in the mac-list instead, so the client is exempted and no authentication is performed:
mac-list bypass permit 0200.4c4f.4f50 ffff.ffff.ffff
no mac-list bypass permit 0018.8ba7.d587 ffff.ffff.ffff
no mac-list bypass permit 0018.8ba7.d598 ffff.ffff.ffff
Logs for an HTTP session with the client MAC exempted. Note that there are no 109001/109005 authentication messages this time, and the connection build and teardown messages carry the client's MAC address (0200.4c4f.4f50) where the username appeared before:
%PIX-5-111008: User 'enable_15' executed the 'logging on' command.
%PIX-7-710005: UDP request discarded from 2.2.2.2/138 to outside:2.2.2.255/138
%PIX-7-609001: Built local-host outside:2.2.2.2
%PIX-7-609001: Built local-host inside:172.16.10.11
%PIX-6-302013: Built inbound TCP connection 61 for outside:2.2.2.2/1775 (2.2.2.2/1775) to inside:172.16.10.11/80 (2.2.2.11/80)
%PIX-6-302013: Built inbound TCP connection 62 for outside:2.2.2.2/1777 (2.2.2.2/1777) to inside:172.16.10.11/80 (2.2.2.11/80) (0200.4c4f.4f50)
%PIX-6-302014: Teardown TCP connection 61 for outside:2.2.2.2/1775 to inside:172.16.10.11/80 duration 0:00:08 bytes 549 TCP FINs (0200.4c4f.4f50)
%PIX-6-302014: Teardown TCP connection 62 for outside:2.2.2.2/1777 to inside:172.16.10.11/80 duration 0:00:00 bytes 2412 TCP FINs (0200.4c4f.4f50)
%PIX-7-609002: Teardown local-host inside:172.16.10.11 duration 0:00:08
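When reviewing such logs in bulk it helps to know which connections got through after a login and which were simply exempted by MAC. The following added example (mine, not from the post) classifies the syslog lines above from the connection build/teardown messages: a trailing parenthesised username marks an authenticated connection, a trailing MAC address marks a mac-exempt one, and a connection that never receives an identity is flagged. The sample input is constructed from the lines in this post plus two lines I added for illustration: a 109006 authentication failure and a connection 70 that is torn down without any identity.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# Added example, not from the original post: classify ASA/PIX connection logs by how
# each connection got through the cut-through proxy (authenticated user vs. mac-exempt).

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I)
CONN_RE = re.compile(
    r"%(?:PIX|ASA)-6-30201[34]: (?P<event>Built|Teardown)\b.*?\bTCP connection (?P<id>\d+) for (?P<src>\S+)"
)
TRAILING_PAREN = re.compile(r"\(([^()]+)\)\s*$")
AUTH_RE = re.compile(
    r"%(?:PIX|ASA)-6-10900[56]: Authentication (?P<result>succeeded|failed) for user "
    r"'(?P<user>[^']*)' from (?P<src>\S+) to (?P<dst>\S+)"
)

Conn = Dict[str, Optional[str]]


def classify_identity(ident: str) -> str:
    """The identity the firewall appends in parentheses is either a username
    (cut-through-proxy login) or the exempted client's MAC address."""
    return "mac-exempt" if MAC_RE.match(ident) else "user"


def summarize(lines: List[str]) -> Dict[str, Any]:
    conns: Dict[int, Conn] = {}
    successes: List[Tuple[str, str, str]] = []
    failures: List[Tuple[str, str, str]] = []
    for line in lines:
        m = CONN_RE.search(line)
        if m:
            cid = int(m.group("id"))
            conn = conns.setdefault(cid, {"src": m.group("src"), "ident": None, "kind": None})
            t = TRAILING_PAREN.search(line)
            # The mapped address in a Built message also ends in parentheses,
            # but it always contains a '/port'; identities never do.
            if t and "/" not in t.group(1):
                conn["ident"] = t.group(1)
                conn["kind"] = classify_identity(t.group(1))
            continue
        a = AUTH_RE.search(line)
        if a:
            rec = (a.group("user"), a.group("src"), a.group("dst"))
            (successes if a.group("result") == "succeeded" else failures).append(rec)
    for conn in conns.values():
        if conn["kind"] is None:
            conn["kind"] = "no-identity"  # neither authenticated nor exempted
    return {"connections": conns, "auth_successes": successes, "auth_failures": failures}


def exempt_connections(summary: Dict[str, Any]) -> List[int]:
    """Connection IDs that bypassed authentication via the mac-list."""
    return sorted(cid for cid, c in summary["connections"].items() if c["kind"] == "mac-exempt")


# Constructed sample: lines copied from the post (connections 69, 61, 62 and the
# 109005 message), plus two lines I added for illustration: a 109006 failure
# and connection 70, which is torn down without any identity.
SAMPLE_LOG = [
    "%PIX-6-302013: Built inbound TCP connection 69 for outside:2.2.2.2/1874 (2.2.2.2/1874) to inside:172.16.10.11/23 (2.2.2.11/23)",
    "%PIX-6-109005: Authentication succeeded for user 'test2' from 2.2.2.2/1874 to 172.16.10.11/23 on interface outside",
    "%PIX-6-302014: Teardown TCP connection 69 for outside:2.2.2.2/1874 to inside:172.16.10.11/23 duration 0:00:14 bytes 275 TCP FINs (test2)",
    "%PIX-6-302013: Built inbound TCP connection 61 for outside:2.2.2.2/1775 (2.2.2.2/1775) to inside:172.16.10.11/80 (2.2.2.11/80)",
    "%PIX-6-302013: Built inbound TCP connection 62 for outside:2.2.2.2/1777 (2.2.2.2/1777) to inside:172.16.10.11/80 (2.2.2.11/80) (0200.4c4f.4f50)",
    "%PIX-6-302014: Teardown TCP connection 61 for outside:2.2.2.2/1775 to inside:172.16.10.11/80 duration 0:00:08 bytes 549 TCP FINs (0200.4c4f.4f50)",
    "%PIX-6-302014: Teardown TCP connection 62 for outside:2.2.2.2/1777 to inside:172.16.10.11/80 duration 0:00:00 bytes 2412 TCP FINs (0200.4c4f.4f50)",
    # constructed lines (not in the post):
    "%PIX-6-302013: Built inbound TCP connection 70 for outside:2.2.2.2/1900 (2.2.2.2/1900) to inside:172.16.10.11/23 (2.2.2.11/23)",
    "%PIX-6-109006: Authentication failed for user 'baduser' from 2.2.2.2/1900 to 172.16.10.11/23 on interface outside",
    "%PIX-6-302014: Teardown TCP connection 70 for outside:2.2.2.2/1900 to inside:172.16.10.11/23 duration 0:00:05 bytes 120 TCP FINs",
]

SUMMARY = summarize(SAMPLE_LOG)

if __name__ == "__main__":
    for cid, c in sorted(SUMMARY["connections"].items()):
        print(f"conn {cid}: {c['kind']} ({c['ident']}) from {c['src']}")
    print("mac-exempt connections:", exempt_connections(SUMMARY))
    print("auth failures:", SUMMARY["auth_failures"])
```

The identity only appears on a Built message when it was already known at connection setup (the second HTTP connection in each scenario), so the classification has to consider the Teardown message as well; a connection that is torn down with no identity at all is the pattern to look for when a client failed to authenticate or hit the max-fail lockout.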
HTH.
-
Sourav Kakkar