
Can I deny a user on the basis of MAC address on a Cisco ASA firewall?

Hi All,

I want to deny internet for some users on the basis of MAC address at the Cisco ASA firewall.

My DHCP configuration is on the ASA firewall. Is it possible to bind a MAC address to an IP on the ASA firewall?

Please suggest.


can i Deny user on the basis of mac-address on cisco asa firewal

Don't know if this is going to work on the ASA DHCP implementation, but you can give it a try:

http://www.cisco.com/c/en/us/td/docs/ios/12_2/ip/configuration/guide/fipr_c/1cfdhcp.html#wp1017385

HTH,
Dragan


can i Deny user on the basis of mac-address on cisco asa firewal

Hi Dragan,

Thanks,

Actually, I have a total of 50 MAC addresses of the users, so according to this method I have to create 50 DHCP pools, meaning one for every individual user as per the document. Is there any other way? Can I perform the above-mentioned configuration on the ASA firewall?


can i Deny user on the basis of mac-address on cisco asa firewal

Using this method - yes 50 DHCP pools...

You can try with some test DHCP pool on your ASA and some test PC to check if it's going to work fine...

HTH,
Dragan

Accepted Solution

can i Deny user on the basis of mac-address on cisco asa firewal

Hi,

ASA doesn't support manual bindings like on IOS devices. You won't be able to use MAC ACLs either if you are in routed mode, and MPF QoS only supports IP access-lists for class-maps.

Is there a Cisco router as edge device? If so, then you can filter traffic with an MQC QoS policy with drop action without the need for manual DHCP bindings based on source MAC and an ACL for web traffic.

If you migrate your DHCP server to do manual leases then on your ASA you can use a simple L3 IP ACL applied ingress on the inside interface.

Regards

Alain

Don't forget to rate helpful posts.
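
The manual-lease approach in the answer above, as an added example that is not part of the original post and not Cisco's code: a Python helper that maps the MAC addresses to block onto their reserved IPs and emits one ASA object-group with an ingress ACL for the inside interface, flagging any MAC that has no reservation and so cannot be matched by an IP ACL. The names `INSIDE_IN` and `BLOCKED_USERS` and all addresses are constructed, and it assumes no ACL is already applied inbound on the inside interface.

```python
import re

def cisco_mac(mac):
    """Normalize aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff to Cisco dotted form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def build_asa_block_config(reservations, blocked_macs, acl="INSIDE_IN",
                           group="BLOCKED_USERS", iface="inside"):
    """reservations: {mac: ip} manual leases configured on the DHCP server.
    Returns (config_lines, unresolved). Unresolved MACs have no fixed IP,
    so an L3 ACL on the ASA cannot match them reliably."""
    by_mac = {cisco_mac(m): ip for m, ip in reservations.items()}
    ips, unresolved = [], []
    for mac in blocked_macs:
        key = cisco_mac(mac)
        ip = by_mac.get(key)
        if ip is None:
            unresolved.append(key)
        elif ip not in ips:          # skip duplicate entries in the block list
            ips.append(ip)
    if not ips:                      # do not emit an ACL that references an empty group
        return [], unresolved
    lines = [f"object-group network {group}"]
    lines += [f" network-object host {ip}" for ip in ips]
    lines += [
        f"access-list {acl} extended deny ip object-group {group} any",
        # Applying an ACL adds an implicit deny, so other inside hosts need a permit.
        f"access-list {acl} extended permit ip any any",
        f"access-group {acl} in interface {iface}",
    ]
    return lines, unresolved

# Constructed sample data: three reservations, one blocked MAC without a reservation.
RESERVATIONS = {"00:11:22:33:44:01": "192.168.1.101",
                "0011.2233.4402": "192.168.1.102",
                "00-11-22-33-44-03": "192.168.1.103"}
BLOCKED = ["00-11-22-33-44-01", "00:11:22:33:44:03", "00:11:22:33:44:99"]

if __name__ == "__main__":
    config, missing = build_asa_block_config(RESERVATIONS, BLOCKED)
    print("\n".join(config))
    for mac in missing:
        print(f"! no reservation for {mac}; not covered by the ACL")
```

With 50 users, this keeps the block list in a single object-group instead of 50 separate ACL entries or DHCP pools.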


can i Deny user on the basis of mac-address on cisco asa firewal

Hi Cadet Alain,

Thanks for your suggestion. I agree with you.


can i Deny user on the basis of mac-address on cisco asa firewal

No, it is not possible as far as I know.

Have you tried creating a static ARP and then using an ACL to block the IP?

can i Deny user on the basis of mac-address on cisco asa firewal

Thanks, Sir,

Now I will configure the DHCP lease as unlimited, then I will try to configure the access rule.
