Tuesday, October 25, 2011

How to BLOCK out going traffic by MAC-Address filter in Cisco ASA

This title may sound odd: the Cisco ASA normally runs in routed (Layer 3) mode and filters by IP address, so most people never need to filter by Layer 2 MAC address. If some circumstance requires it, you can use the MAC-LIST command together with AAA (the Cut-Through Proxy feature). This example walks through the ASDM configuration steps.

The Cisco ASA has no DHCP reservation option, so we cannot tie a MAC address to an IP address for the user's PC on the ASA, and therefore cannot add an access rule based on that IP address.

Because the Cisco ASA is in routed (Layer 3) mode, filtering by MAC address is not otherwise possible. In transparent mode it could be done by adding a static MAC address entry under the inside interface; in that case you should also disable MAC address learning on that interface.

Adding a Static MAC Address

hostname(config)#mac-address-table static interface_name mac_address

Disabling MAC Address Learning

hostname(config)#mac-learn interface_name disable

Reference link for transparent mode ASA: http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/bridgarp.html#wp1039986

Cut-Through Proxy Feature

  • step 1. Log in to ASDM and navigate to Configuration > Firewall > AAA Rules.
  • step 2. Click Add and select Add Authentication Rule.
  • step 3. Select the interface where the authentication rule will be applied from the Interface pull-down menu. The inside interface is selected in this example.
  • step 4. Select Authenticate in the Action field to require user authentication.
  • step 5. Select the AAA server group (LOCAL) from the AAA Server Group pull-down menu.
  • step 6. Click Add User and type your desired username and password in the Add User Account dialog box.
  • step 7. Select No ASDM, SSH, Telnet or Console access under the Access Restriction section and click OK.
  • step 8. You must specify a source and a destination for traffic that will require authentication. Click the ellipsis (...) to select an address that has already been configured in ASDM. In this example, the any keyword is entered to require authentication for any source on the inside interface.
  • step 9. Enter the destination IP address, network address, or the any keyword in the Destination field. In this example, the any keyword is entered to require authentication when a host tries to reach any destination.
  • step 10. Enter an IP service name for the destination service in the Service field. In this example, authentication is required for any host trying to access any TCP-based application.
  • step 11. You can optionally enter a description for the authentication rule in the Description field.
  • step 12. Click OK.
  • step 13. Click Apply to apply the configuration changes.
  • step 14. Click Save to save the configuration on the Cisco ASA.

MAC Address Exemption

  • step 1. Log in to ASDM and navigate to Configuration > Firewall > AAA Rules.
  • step 2. Click Add and select Add MAC Exempt Rule.
  • step 3. Select MAC Exempt in the Action field.
  • step 4. Type the MAC address in the MAC Address field; 00aa.00bb.00cc is the example MAC address used here.
  • step 5. The MAC Mask field will show ffff.ffff.ffff; leave it at the default value and click OK.
  • step 6. Click Apply to apply the configuration changes.
  • step 7. Click Save to save the configuration on the Cisco ASA.
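For readers who prefer the CLI, or who want to check what ASDM actually pushed to the firewall, here is the running-config equivalent of the two ASDM procedures above. This is an added example, not configuration from the original post; the object names AUTH_INSIDE and ALLOWED_MACS, the username labuser and the password placeholder are assumptions, while 00aa.00bb.00cc and the interface name inside come from the post.

```cisco
! Added example (not from the original post): CLI equivalent of the ASDM
! steps above. AUTH_INSIDE, ALLOWED_MACS and "labuser" are assumed names;
! replace the password placeholder before pasting.

! Steps 6-7 of the authentication rule: a LOCAL user that can only be used
! for cut-through proxy, with no ASDM/SSH/Telnet/console access.
username labuser password <PASSWORD-PLACEHOLDER> privilege 0
username labuser attributes
 service-type remote-access

! Steps 8-10: traffic that must be authenticated, i.e. any source behind
! the inside interface, any destination, any TCP service.
access-list AUTH_INSIDE extended permit tcp any any

! Steps 3-5: bind the rule to the inside interface against the LOCAL
! user database (this is what "Authenticate" + "LOCAL" produces in ASDM).
aaa authentication match AUTH_INSIDE inside LOCAL

! MAC exemption: a host whose source MAC matches a "permit" entry skips
! authentication. Mask ffff.ffff.ffff means an exact match, the default
! ASDM shows; 00aa.00bb.00cc is the example address from the post.
mac-list ALLOWED_MACS permit 00aa.00bb.00cc ffff.ffff.ffff
aaa mac-exempt match ALLOWED_MACS

! Verification: confirm the rules took effect and see who is authenticated.
show running-config aaa
show running-config mac-list
show uauth
```

Two points worth keeping in mind when reading the result. The exemption matches on the source MAC address the ASA itself sees in the frame, so it only works for hosts on the Layer 2 segment directly attached to the inside interface; anything arriving through an intermediate router carries that router's MAC and cannot be exempted this way. And because the match rule covers all TCP, an unexempted host that has not yet authenticated will have its other TCP connections dropped until the user logs in through one of the protocols the ASA can prompt on (HTTP, HTTPS, Telnet or FTP), which is what makes this behave as the "block" the title describes; the `show uauth` output is the place to confirm which hosts are currently allowed through.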

Reference link as below:

http://www.ciscopress.com/articles/article.asp?p=1552963&seqNum=4