Change a MAC address on an interface of a Cisco ASA 5510 Firewall?


  • Change a MAC address on an interface of a Cisco ASA 5510 Firewall?

    Hi all,

    I have a Cisco ASA 5510 firewall and I was wondering whether it is possible to change a MAC address on its interface?

    For example, I want to change the MAC address, 00c1.e3a1.6a2b, on interface Ethernet0/0, to 00bc.425a.65db.

    abow1983

  • #2
    Re: Change a MAC address on an interface of a Cisco ASA 5510 Firewall?

    We have a perfectly good Cisco forum for this sort of post -- you just need to scroll down a bit further than the coffee lounge

    Moved
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: Change a MAC address on an interface of a Cisco ASA 5510 Firewall?

      Hello,

      Can anyone help??


      • #4
        Re: Change a MAC address on an interface of a Cisco ASA 5510 Firewall?

        You probably need to be more patient or you need to learn how to use Google.

        http://articles.techrepublic.com.com...1-6125413.html


        • #5
          Re: Change a MAC address on an interface of a Cisco ASA 5510 Firewall?

          I wasn't able to find anything on Google hence why I am asking the question on here.

          It would be great if someone can share their expertise on this topic; it would be much appreciated.


          • #6
            Re: Change a MAC address on an interface of a Cisco ASA 5510 Firewall?

            Maybe you could share your reason for needing or wanting to do this as that would help us get a better feel for what you're trying to accomplish? What is driving your desire to change the MAC address?


            • #7
              Re: Change a MAC address on an interface of a Cisco ASA 5510 Firewall?

              Basically in short, we have two production Cisco ASA 5510 firewalls in our datacentre operating in failover mode.

              The primary ASA's outside interface's MAC-address is tied to the datacentre's internet link. Meaning we can only get internet access through that interface.

              We are currently experiencing problems with our secondary firewall as we believe that the failover has failed, so in the interim, we don't have any form of redundancy until we get the failed firewall fixed.

              We have a Cisco ASA 5510 firewall in our DR environment. We are cautious of the fact that if we lose our primary ASA, we lose our production.

              We would like to have the DR ASA 5510 firewall as a backup just in case if this event does happen. However, each interface has a unique MAC-address burnt in.

              We would need to assign the MAC-address on the interface of the primary ASA firewall to the interface of the DR ASA firewall so that we can get internet access through the interface in an event if we need to replace the primary ASA.

              I cannot find anything on Google that talks about changing a MAC-address on an interface so would like to get clarification from you guys now if it can be done or not.


              • #8
                Re: Change a MAC address on an interface of a Cisco ASA 5510 Firewall?

                A couple of things (I'm no Cisco expert):

                1. Does the method in the link to the article I posted not work on the ASA platform?

                2. Are you using HSRP as your failover mechanism? If so, can you register the HSRP virtual MAC address with the ISP?

                3. Can you explain your situation to the ISP and get them to allow connections from either MAC address?


                • #9
                  Re: Change a MAC address on an interface of a Cisco ASA 5510 Firewall?

                  1. Sorry I don't understand what you mean by that.

                  2. We are using an Active/Standby failover method. In an event of a failover to the active unit, the standby unit will take on the IP address and the MAC-address of the active unit. I have read up about virtual MACs and I have a suspicion that the only way to configure a unique MAC-address is by assigning a virtual MAC-address to the interface of the active and standby unit, which will substitute it for the physical MAC-address on the interface. It would be great if someone can confirm this.

                  I don't believe it's possible to change the physical MAC-address of an interface as it is burnt in by the manufacturer. It appears that creating a virtual MAC-address is the only option allowed by Cisco.

                  3. The question can be raised with the management of the Datacentre but would involve the ISP to configure their infrastructure to allow the second MAC-address through. At this point in time, we want to minimize the amount of effort required by them to make the changes so would be good if we can perform a simple change of the MAC-address on the outside interface on our end if it's possible.


                  • #10
                    Re: Change a MAC address on an interface of a Cisco ASA 5510 Firewall?

                    1. I posted a link to an article that explains how to change the MAC address on a Cisco router. I'm asking you if you know whether or not this method also works on an ASA.

                    2. The active-standby configuration should have created a virtual MAC address and a virtual IP address. This is what the ISP should "see" so that either device can make the connection to their network. If this is not what's happening then I suspect something is wrong with the configuration.

                    3. OK, if this is not an option then you definitely need to find out why the failover configuration is not using the virtual MAC and IP address.

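The virtual MAC arrangement discussed in posts #9 and #10, shown as an added example that is not part of the original thread: on an ASA Active/Standby pair, the global `failover mac address` command fixes the MAC address that whichever unit is currently active presents on an interface, so an upstream device that filters on MAC sees the same address after a failover. The interface name and active MAC are the ones quoted in the thread; the standby MAC is a constructed placeholder.

```cisco
! Added example (constructed), entered on the primary unit of a failover pair.
! 00c1.e3a1.6a2b = MAC quoted in the thread, used here as the active MAC.
! 00c1.e3a1.6a2c = constructed placeholder for the standby MAC.
configure terminal
 failover mac address Ethernet0/0 00c1.e3a1.6a2b 00c1.e3a1.6a2c
 end
!
! Check which unit is active and which MAC the outside interface presents.
show failover
show interface Ethernet0/0 | include MAC
!
! Save once the interface shows the expected address.
write memory
```

Repeat the two `show` commands after a controlled failover test to confirm that the newly active unit presents the active MAC.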


                    • #11
                      Re: Change a MAC address on an interface of a Cisco ASA 5510 Firewall?

                      After doing some research I can confirm that the firewalls are using the HSRP protocol as the failover method.

                      Furthermore, by nature, for an active/standby configuration, HSRP uses the burnt-in MAC-address as its virtual MAC-address. Therefore, the ISP be allowing the virtual MAC-address out through their network.

                      In my case, I can assign a new virtual MAC-address to the interface of the DR ASA as it supports the commands to do that.

                      However, I have realized that the ASA DR firewall HAS NO failover licence as it is a standalone firewall. As a result, I won't be able to assign a virtual MAC-address to it as it can only be done for failover licenced firewalls.

                      Thank you for your assistance. Your answers have provided me with clues to investigate the right areas to answer my query.


                      • #12
                        Re: Change a MAC address on an interface of a Cisco ASA 5510 Firewall?

                        Glad to help. Hope you get everything working the way you need it to.
