+ Reply to Thread
Results 1 to 9 of 9
  1. Senior Member advanex1's Avatar
    Join Date
    Jul 2011
    Location
    Phoenix, AZ
    Posts
    298

    Certifications
    Network+, Security+, Server+, Project+, CASP, MCP, MCSA: Server 2012, CCENT, CCNA
    #1

    Default ASA 5505 - Setting interface mac addresses

    So, I've never touched ASA's before and we are trying to make it so that we can statically assign a mac address to one of the ethernet interfaces to match the IP address of the computer being used. The reason/theory behind it is because when you purchase internet at a different hotel, you typically have to go to a splash page to login... well.. the mac addresses of the ASA and the computer are different and therefore when you disconnect the computer and plugin the ASA, you get no connection because it doesn't consider you to be logged in anymore.

    I've done the following with the following return:

    1. Config-if int e0/3 - mac-address xxxx.xxxx.xxxx - error I get is "this command can only be configured on vlan interfaces"
    2. Config-if int vlan 3 - mac-address xxxx.xxxx.xxxx - error returned is "active address multicast bit is set"
    3. config-if int e0/3 - no mac-address xxxx.xxxx.xxxx - error returned is "active mac address not set"
    4. The "easy remote vpn" required error came about when I was messing with the "nameif" commands. Seems that the inside and outside interfaces are using the nameifs and the ACL's are set specifically to those names. So I was just working through some things to see if I could modify the names of other vlans created and then apply them to the interfaces to set a mac address.
    5. Last thing I tried to do was removing switchport access vlan 1 from e0/3 and adding the mac address as well. Still no joy.

    The ASA is in Firewall "Router" mode. The vlan 1 is the inside vlan and the vlan 0 is the outside vlan. All ethernet ports other than e0/0 are in vlan1. The mac address is NOT set to mac-address auto.


    Anyone have any thoughts on this? This is my first time touching an ASA and it's whooping my butt. Can't seem to find anything about this, everyone says you should be able to set the mac-address... well... I can't. Heh, thanks for the read/help.
    Reply With Quote Quote  

  2. SS -->
  3. Senior Member
    Join Date
    Apr 2011
    Location
    San Antonio, TX
    Posts
    1,727

    Certifications
    [Reserved]
    #2
    Quote Originally Posted by advanex1 View Post
    So, I've never touched ASA's before and we are trying to make it so that we can statically assign a mac address to one of the ethernet interfaces to match the IP address of the computer being used. The reason/theory behind it is because when you purchase internet at a different hotel, you typically have to go to a splash page to login... well.. the mac addresses of the ASA and the computer are different and therefore when you disconnect the computer and plugin the ASA, you get no connection because it doesn't consider you to be logged in anymore.

    I've done the following with the following return:

    1. Config-if int e0/3 - mac-address xxxx.xxxx.xxxx - error I get is "this command can only be configured on vlan interfaces"
    2. Config-if int vlan 3 - mac-address xxxx.xxxx.xxxx - error returned is "active address multicast bit is set"
    3. config-if int e0/3 - no mac-address xxxx.xxxx.xxxx - error returned is "active mac address not set"
    4. The "easy remote vpn" required error came about when I was messing with the "nameif" commands. Seems that the inside and outside interfaces are using the nameifs and the ACL's are set specifically to those names. So I was just working through some things to see if I could modify the names of other vlans created and then apply them to the interfaces to set a mac address.
    5. Last thing I tried to do was removing switchport access vlan 1 from e0/3 and adding the mac address as well. Still no joy.

    The ASA is in Firewall "Router" mode. The vlan 1 is the inside vlan and the vlan 0 is the outside vlan. All ethernet ports other than e0/0 are in vlan1. The mac address is NOT set to mac-address auto.


    Anyone have any thoughts on this? This is my first time touching an ASA and it's whooping my butt. Can't seem to find anything about this, everyone says you should be able to set the mac-address... well... I can't. Heh, thanks for the read/help.
    Depending on how the authentication at the hotel is set up, the reliance on MAC authentication won't be sufficient.

    But, this might help you.

    From what I can read (do not have an ASA with me to test right now, at home) ... it appears that you'd have to go either multiple-context, or configure this on subinterfaces.

    Configuring the MAC Address

    This section describes how to configure MAC addresses for interfaces.
    Information About MAC Addresses

    By default, the physical interface uses the burned-in MAC address, and all subinterfaces of a physical interface use the same burned-in MAC address. A redundant interface uses the MAC address of the first physical interface that you add. If you change the order of the member interfaces in the configuration, then the MAC address changes to match the MAC address of the interface that is now listed first. If you assign a MAC address to the redundant interface using this command, then it is used regardless of the member interface MAC addresses.
    In multiple context mode, if you share an interface between contexts, you can assign a unique MAC address to the interface in each context. This feature lets the ASA easily classify packets into the appropriate context. Using a shared interface without unique MAC addresses is possible, but has some limitations. See the "How the Security Appliance Classifies Packets" section for more information. You can assign each MAC address manually, or you can automatically generate MAC addresses for shared interfaces in contexts. See the "Automatically Assigning MAC Addresses to Context Interfaces" section to automatically generate MAC addresses. If you automatically generate MAC addresses, you can use this procedure to override the generated address.

    For single context mode, or for interfaces that are not shared in multiple context mode, you might want to assign unique MAC addresses to subinterfaces. For example, your service provider might perform access control based on the MAC address.

    Prerequisites

    Enter interface configuration mode according to the "Entering Interface Configuration Mode" section.
    Detailed Steps

    mac-address mac_address[standby mac_address]
    Example:
    hostname(config-if)# mac-address 000C.F142.4CDE standby 000C.F142.4CDF
    Assigns a private MAC address to this interface. The mac_address is in H.H.H format, where H is a 16-bit hexadecimal digit. For example, the MAC address 00-0C-F1-42-4C-DE is entered as 000C.F142.4CDE.
    The first two bytes of a manual MAC address cannot be A2 if you also want to use auto-generated MAC addresses.
    For use with failover, set the standby MAC address. If the active unit fails over and the standby unit becomes active, the new active unit starts using the active MAC addresses to minimize network disruption, while the old active unit uses the standby address.
    Source: Cisco ASA 5500 Series Configuration Guide using the CLI, 8.2 - Configuring Interfaces* [Cisco ASA 5500 Series Adaptive Security Appliances] - Cisco Systems

    Hope this helps.

    Note: As I mentioned previously, if the vendor uses a different method of authentication, just using the MAC won't help you.

    Just to be clear, it sounds like you want to have a remote user lug around an ASA firewall with them, when they're in hotels? Why can't they just VPN? I'm confused by the sounds of your request, actually.

    Clear me up
    Reply With Quote Quote  

  4. Senior Member advanex1's Avatar
    Join Date
    Jul 2011
    Location
    Phoenix, AZ
    Posts
    298

    Certifications
    Network+, Security+, Server+, Project+, CASP, MCP, MCSA: Server 2012, CCENT, CCNA
    #3
    Instant - thanks for the resource, unfortunately, we've already tried that to no avail. What we have done instead is place a Nexus Hawk infront of the ASA and assigned a static mac to that for the PC to allow it to always seem to be "logged in".

    In the military, we carry around travel packages and VPN's aren't sufficient for classified information. We have to carry around the hardware for this instead. Might sound silly, but it's protocol. The travel packages allows us to access both unclass and class networks. Pretty neat actually.

    Appreciate the reply!
    Reply With Quote Quote  

  5. Senior Member
    Join Date
    Apr 2011
    Location
    San Antonio, TX
    Posts
    1,727

    Certifications
    [Reserved]
    #4
    Quote Originally Posted by advanex1 View Post
    Instant - thanks for the resource, unfortunately, we've already tried that to no avail. What we have done instead is place a Nexus Hawk infront of the ASA and assigned a static mac to that for the PC to allow it to always seem to be "logged in".

    In the military, we carry around travel packages and VPN's aren't sufficient for classified information. We have to carry around the hardware for this instead. Might sound silly, but it's protocol. The travel packages allows us to access both unclass and class networks. Pretty neat actually.

    Appreciate the reply!
    You're welcome. Like I said, I didn't have a device to test, but you and I both know you can't trust the documentation unless you test it on devices and get output (or I could even be mis-reading it, for all I know).

    Well, I can understand how it might be more secure, I was worrying about burdening the end user. But ...with it being military, I can completely understand the context now. I'm pretty sure Cisco appreciates the business. Please at least tell me you're using the 5505's? I'm just having this vision of someone lugging around a lot of gear.

    Hopefully, it's all racked for them, kind of like those small racks on wheels you see nowadays. Did you ever see the CAISI? It was a network in a drop box.
    Let me find a link:

    CAISI | Customer Success Stories
    Woah, that's changed a lot in ten years (when I first worked with it, it was definitely NOT wireless, it was VERY wired, and I ran lots of WF-16 and RG-58 for one a couple times ) Also, the box was a lot larger
    Reply With Quote Quote  

  6. SupremeNetworkOverlord Moderator Ahriakin's Avatar
    Join Date
    Oct 2005
    Location
    ::1/128
    Posts
    1,798

    Certifications
    CCIE #23276-Sec, JNCIE-Sec #105, TCSE #2343,MCSE 2003-Sec,LPIC-1
    #5
    A little bit less extreme than Multi-context but still not ideal - you could setup failover (with no mate) and use the "failover mac address..." command to assign a virtual address to the required interface.
    Reply With Quote Quote  

  7. Senior Member advanex1's Avatar
    Join Date
    Jul 2011
    Location
    Phoenix, AZ
    Posts
    298

    Certifications
    Network+, Security+, Server+, Project+, CASP, MCP, MCSA: Server 2012, CCENT, CCNA
    #6
    Quote Originally Posted by Ahriakin View Post
    A little bit less extreme than Multi-context but still not ideal - you could setup failover (with no mate) and use the "failover mac address..." command to assign a virtual address to the required interface.
    Ahriakin, I'll try that tomorrow, I think we've gone though it but I'll let you know the outcome. Thanks for all the input. We had a few of the WAN Engineers work on this to no avail as well, they weren't sure what the issue was or how to rectify it. I'm going to try that tomorrow though.

    Instant, it's not racked. We are the commo guys, we carry around a black small toughbox with the equipment placed inside. When we stop for a night, we lay it out and get it up. When we are done, we wrap it up and set it back into the box. The user NEVER has to touch it, we are the setup, the teardown, and the troubleshooters.

    We are working at a headquarters level, so these guys just want things that work, they don't care what goes into it or how it looks if they never get to see it I'll check out that Caisi stuff when my Iraqi internet stops being so darn slow.

    Thanks again guys!
    Reply With Quote Quote  

  8. Senior Member
    Join Date
    Nov 2009
    Location
    South Carolina
    Posts
    114

    Certifications
    Network +, Security +, CCNA, CCNP, CCIE Written R/S
    #7
    Coming from that background I understand the need for more than just a RA vpn especially if you are talking class networks, can picture what you might be lugging around actually. Have you guys looked at the Talon stuff, atleast that is what I think it is. Something we looked at when I was working for the government, not nearly as cumbersome as what you might be lugging around for seemless access from low to high side.
    Reply With Quote Quote  

  9. Senior Member advanex1's Avatar
    Join Date
    Jul 2011
    Location
    Phoenix, AZ
    Posts
    298

    Certifications
    Network+, Security+, Server+, Project+, CASP, MCP, MCSA: Server 2012, CCENT, CCNA
    #8
    Ahriakin, no go. Gave me the "can only be set on vlan interfaces" type of error. Still not sure of why I cannot change this when all the documentation I'm reading is stating that I can. Maybe it has to do with liscenses? I'm not given any straightforward answer as to what license we hold with the ASA's. If anyone can tell me another way to figure that out then that would be great.

    I'll google around the Talon stuff today and take a look at it. As it stands, we can only make suggestions... can't make the choices
    Reply With Quote Quote  

  10. Senior Member
    Join Date
    Apr 2011
    Location
    San Antonio, TX
    Posts
    1,727

    Certifications
    [Reserved]
    #9
    Quote Originally Posted by advanex1 View Post
    Ahriakin, no go. Gave me the "can only be set on vlan interfaces" type of error. Still not sure of why I cannot change this when all the documentation I'm reading is stating that I can. Maybe it has to do with liscenses? I'm not given any straightforward answer as to what license we hold with the ASA's. If anyone can tell me another way to figure that out then that would be great.
    sh version ?

    depending on the model, you get different capabilities. like 5505 only does basic or sec+, but the others can do a lot more for you. That's off the top of my head, I haven't studied the licensing lately, but would study it, for when I had to do th exam again.

    I'll google around the Talon stuff today and take a look at it. As it stands, we can only make suggestions... can't make the choices
    CAISI was just a LAN extension setup, what you're asking for appears to basically translate into being what I used to see in the back of the truck of the guy who'd set up the antenna (it was a 25 series MOS, forget which one), and he'd have a box that would split off the high and low signals, as well as whatever routing/switching required, and he'd consult with the 25Us to get the proper keys for his device (Whether he had an ANCD or not, don't know, 'cause there was only two of these guys, we weren't going to risk their getting hurt on trips outside the wire to get a COMSEC key) ... and to people wondering, yes, the standard (at least when I was in) was always that keys were transferred out-of-band. I feel that if they ever were transferred in-band, it would kind of defeat the purpose.

    Also, I had no idea you were coming from the perspective of being the crew that sets up the user environment, so, really, it doesn't matter how complex it is for you, it just matters that it works for them. (of course, the simpler you can make it for yourself, the better).
    Reply With Quote Quote  

+ Reply to Thread

Social Networking & Bookmarks