https://community.cisco.com/t5/network-security/using-fqdn-in-access-lists/m-p/3925273#M24447 <P>Trying to determine how to properly configure FQDNs in access lists on an ASA5525 to always resolve for HTTPS from an internal network server VM application reaching out to them regardless of what ip address changes occur to each domain name over time. After extensive research of many references that lists configuration variations for the method along with trial and error troubleshooting, the following is the latest attempted configuration with the full show run config attached.</P><P><BR />config t<BR />dns domain-lookup outside<BR />dns server-group DefaultDNS<BR />name-server 8.8.8.8<BR />name-server 4.2.2.2</P><P>object network MGMT_SERVER<BR />subnet 192.168.0.0 255.255.255.0<BR />object network obj-cisco.com<BR />fqdn cisco.com<BR />object network obj-usa.gov<BR />fqdn usa.gov<BR />object network obj-pbs.org<BR />fqdn pbs.org<BR />object-group network MGMT_FQDN<BR />network-object object obj-cisco.com<BR />network-object object obj-usa.gov<BR />network-object object obj-pbs.org</P><P>access-list OUTBOUND extended permit tcp object MGMT_SERVER object-group MGMT_FQDN eq 443<BR />access-list OUTBOUND extended permit udp object MGMT_SERVER host 8.8.8.8 eq domain<BR />access-list OUTBOUND extended permit udp object MGMT_SERVER host 4.2.2.2 eq domain</P><P><BR />ASA# packet-tracer input inside tcp 192.168.0.3 3000 fqdn MGMT_FQDN https<BR />ERROR: Cannot resolve MGMT_FQDN<BR />ASA#</P><P>&nbsp;</P><P>Any possible feedback about the proper configuration method to resolve this would be greatly appreciated.</P> Tue, 17 Sep 2019 00:05:05 GMT SB13 2019-09-17T00:05:05Z https://community.cisco.com/t5/network-security/using-fqdn-in-access-lists/m-p/3925273#M24447 <P>Trying to determine how to properly configure FQDNs in access lists on an ASA5525 to always resolve for HTTPS from an internal network server VM application reaching out to them regardless of what ip address changes occur to each domain name over time. After extensive research of many references that lists configuration variations for the method along with trial and error troubleshooting, the following is the latest attempted configuration with the full show run config attached.</P><P><BR />config t<BR />dns domain-lookup outside<BR />dns server-group DefaultDNS<BR />name-server 8.8.8.8<BR />name-server 4.2.2.2</P><P>object network MGMT_SERVER<BR />subnet 192.168.0.0 255.255.255.0<BR />object network obj-cisco.com<BR />fqdn cisco.com<BR />object network obj-usa.gov<BR />fqdn usa.gov<BR />object network obj-pbs.org<BR />fqdn pbs.org<BR />object-group network MGMT_FQDN<BR />network-object object obj-cisco.com<BR />network-object object obj-usa.gov<BR />network-object object obj-pbs.org</P><P>access-list OUTBOUND extended permit tcp object MGMT_SERVER object-group MGMT_FQDN eq 443<BR />access-list OUTBOUND extended permit udp object MGMT_SERVER host 8.8.8.8 eq domain<BR />access-list OUTBOUND extended permit udp object MGMT_SERVER host 4.2.2.2 eq domain</P><P><BR />ASA# packet-tracer input inside tcp 192.168.0.3 3000 fqdn MGMT_FQDN https<BR />ERROR: Cannot resolve MGMT_FQDN<BR />ASA#</P><P>&nbsp;</P><P>Any possible feedback about the proper configuration method to resolve this would be greatly appreciated.</P> Tue, 17 Sep 2019 00:05:05 GMT https://community.cisco.com/t5/network-security/using-fqdn-in-access-lists/m-p/3925273#M24447 SB13 2019-09-17T00:05:05Z https://community.cisco.com/t5/network-security/using-fqdn-in-access-lists/m-p/3925467#M24448 <P>When using packet-tracer you need to specify an actual fqdn in the destination - not an object-group or object.</P> Tue, 17 Sep 2019 09:10:22 GMT https://community.cisco.com/t5/network-security/using-fqdn-in-access-lists/m-p/3925467#M24448 Marvin Rhoads 2019-09-17T09:10:22Z https://community.cisco.com/t5/network-security/using-fqdn-in-access-lists/m-p/3925708#M24450 <P>Like the following?</P><P>ASA# packet-tracer input inside tcp 192.168.0.3 3000 fqdn cisco.com https<BR />ERROR: Cannot resolve cisco.com<BR />ASA# packet-tracer input inside tcp 192.168.0.3 3000 fqdn usa.gov https<BR />ERROR: Cannot resolve usa.gov</P><P>Maybe still some issue in how the packet-tracer command was run or possible misconfiguration?</P> Tue, 17 Sep 2019 15:27:33 GMT https://community.cisco.com/t5/network-security/using-fqdn-in-access-lists/m-p/3925708#M24450 SB13 2019-09-17T15:27:33Z