topic Thank you for the information in Network Security

ASA ACL using FQDN with Wildcard

John Jenard Valencia — Tue, 12 Mar 2019 07:54:16 GMT

Im new to firewalling and im currently trying to allow traffic from Office 365 on our Cisco ASA 5515-X

Is the a way to use FQDN with wildcard (ex. *.office365.com)

There are numerous destinations similar to the example to allow Office365.

No, that won't work. The ASA

Karsten Iwen — Fri, 17 Jun 2016 06:57:38 GMT

No, that won't work. The ASA uses the FQDNs to resolve them to an IP address. These IPs are used for access-control. With wildcards, the ASA doesn't know what to resolve.

Thank you for the information

John Jenard Valencia — Fri, 17 Jun 2016 07:06:48 GMT

Thank you for the information Karsten Iwen

is there any alternative to achieve using destination with wildcards?

Although Microsoft provided all the IPs used by Office365, its many compared to FQDN just in case.

Solutions that inspect the

Karsten Iwen — Fri, 17 Jun 2016 09:29:48 GMT

Solutions that inspect the payload can do that like the FirePower module that you can install in your ASA. But that works best with clear communication and is an extra effort for encrypted communication like HTTPS.

Re: ASA ACL using FQDN with Wildcard

Alex Pfeil — Mon, 29 Nov 2021 18:35:24 GMT

In this example *.office365.com, you just put office365.com and that matches all of the wildcards. I tested this out with a pretty long list of FQDNs, and the test came back successful.

Re: ASA ACL using FQDN with Wildcard

subhasish.p — Thu, 28 Sep 2023 10:01:30 GMT

does this work as ASA or FTD proactively matches the IP address to the FQDN ( as defined in the ACL ) and there wouldnt not be able to match to any IP for any office365.com ( or its subdomain ) unless its FQDN .

Please let me know what is output do you see for show FQDN or show DNS on your device for office365.com .