https://community.cisco.com/t5/network-security/acls-and-fqdn-not-working-cisco-asa/m-p/4612635#M1090197 <P>does your rule should be not this</P> <PRE>access-list PRUEBA extended permit ip any object GOOGLE</PRE> <P>&nbsp;</P> <P>&nbsp;</P> <P>looking into your log entry issue seem to be with Unreachable DNS server. if DNS server is not reachable and the ASA is unable to resolve the IP of the FQDN then the ACL will be marked as ‘inactive’,</P> Wed, 18 May 2022 20:32:23 GMT Sheraz.Salim 2022-05-18T20:32:23Z https://community.cisco.com/t5/network-security/acls-and-fqdn-not-working-cisco-asa/m-p/4612595#M1090196 <P>Hi team,</P><P>I&nbsp; can´t make that access-lists works with FQDN.</P><P>when i do show access-list the output show (unresolved) any (inactive)</P><P>&nbsp;</P><P>ASA CODE is&nbsp;Cisco Adaptive Security Appliance Software Version 9.12(4)38</P><P>here is the configacl,asa,fqdnasa</P><P>&nbsp;</P><P>dns domain-lookup LAN<BR />DNS server-group DefaultDNS<BR />name-server 208.67.222.123 OUTSIDE<BR />name-server 208.67.220.123 OUTSIDE<BR />name-server 1.1.1.1 OUTSIDE<BR />name-server 1.0.0.1 OUTSIDE<BR />name-server 192.168.0.19 LAN<BR />domain-name lab.local</P><P>!</P><P>!</P><P>object network GOOGLE<BR />fqdn v4 <A href="http://www.google.com" target="_blank" rel="noopener">www.google.com</A></P><P>!</P><P>access-list PRUEBA extended permit ip object GOOGLE any</P><P>!</P><P>when i do:</P><P>ping <A href="http://www.google.com" target="_blank" rel="noopener">www.google.com</A></P><P>ciscoasa# ping <A href="http://www.google.com" target="_blank" rel="noopener">www.google.com</A><BR />Type escape sequence to abort.<BR />Sending 5, 100-byte ICMP Echos to 142.250.78.4, timeout is 2 seconds:<BR />!!!!!<BR />Success rate is 100 percent (5/5), round-trip min/avg/max = 10/18/20 ms<BR />ciscoasa#</P><P>as you can see work the resolution.</P><P>Thanks for the help.</P><P>&nbsp;</P> Wed, 18 May 2022 19:39:46 GMT https://community.cisco.com/t5/network-security/acls-and-fqdn-not-working-cisco-asa/m-p/4612595#M1090196 Jhon Fredy Herrera Osorno 2022-05-18T19:39:46Z https://community.cisco.com/t5/network-security/acls-and-fqdn-not-working-cisco-asa/m-p/4612635#M1090197 <P>does your rule should be not this</P> <PRE>access-list PRUEBA extended permit ip any object GOOGLE</PRE> <P>&nbsp;</P> <P>&nbsp;</P> <P>looking into your log entry issue seem to be with Unreachable DNS server. if DNS server is not reachable and the ASA is unable to resolve the IP of the FQDN then the ACL will be marked as ‘inactive’,</P> Wed, 18 May 2022 20:32:23 GMT https://community.cisco.com/t5/network-security/acls-and-fqdn-not-working-cisco-asa/m-p/4612635#M1090197 Sheraz.Salim 2022-05-18T20:32:23Z https://community.cisco.com/t5/network-security/acls-and-fqdn-not-working-cisco-asa/m-p/4612654#M1090198 <P>Thanks,&nbsp;</P><P>After <SPAN>after reading in depth,</SPAN> fqdn is not resolved until the access list is applied to an interface.</P><P>and i solve my needs with dynamic split tunnel according to this document&nbsp;</P><P><A href="https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect46/administration/guide/b_AnyConnect_Administrator_Guide_4-6/configure-vpn.html#task_v4x_ydm_pbb" target="_blank">Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.6 - Configure VPN Access [Cisco AnyConnect Secure Mobility Client] - Cisco</A></P><P>&nbsp;</P><P>Thanks</P> Wed, 18 May 2022 21:19:25 GMT https://community.cisco.com/t5/network-security/acls-and-fqdn-not-working-cisco-asa/m-p/4612654#M1090198 Jhon Fredy Herrera Osorno 2022-05-18T21:19:25Z