https://community.cisco.com/t5/network-security/allowing-a-dyn-dns-to-my-access-list/m-p/2426812#M269844 <HTML><HEAD></HEAD><BODY><P>Yes, but upgrading to 8.4(2) will, unfortunately, change a lot of your configurations related to NAT in particular.</P><P></P><P>Reference this document to get a heads-up on what else will be required.</P><P><A class="jive-link-wiki-small" href="https://community.cisco.com/docs/DOC-12690">https://supportforums.cisco.com/docs/DOC-12690</A></P><P></P><P><SPAN style="font-size: 10pt;">An alternative and arguably better solution to your problem is just creating a Remote Access VPN for him on the ASA, then his IP won't matter, unless I am misunderstanding how this person connects.</SPAN></P></BODY></HTML> Wed, 12 Feb 2014 23:00:52 GMT jpeterson6 2014-02-12T23:00:52Z https://community.cisco.com/t5/network-security/allowing-a-dyn-dns-to-my-access-list/m-p/2426809#M269838 <P>Hi all.</P><P></P><P>I allow a remote user access to our network based on his static ip which he is about to loose. We have configured a dyn dns address for his changing public IP that i would like to add to our cisco.</P><P></P><P>Looking at ASDM how is it possible to allow a dyn dns address to the access list and for the ASA to update accordingly?</P><P></P><P>Thanks.</P> Tue, 12 Mar 2019 03:44:09 GMT https://community.cisco.com/t5/network-security/allowing-a-dyn-dns-to-my-access-list/m-p/2426809#M269838 Locayta123 2019-03-12T03:44:09Z https://community.cisco.com/t5/network-security/allowing-a-dyn-dns-to-my-access-list/m-p/2426810#M269840 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If you have ASA running 8.4(2) or newer software you can use FQDN in the ACL rules to allow connections based on the DNS name rather than the IP address</P><P></P><P>In this setup you will have to</P><UL><LI>Configure DNS servers that the ASA can use to make DNS queries</LI><LI>Enable DNS lookups on the ASAs interface through which the DNS queries should be sent</LI><LI>Configure an <STRONG>"object network <NAME>" </NAME></STRONG>and <STRONG>"fqdn customer.dnsname.com"</STRONG></LI><LI>Use the created <STRONG>"object" </STRONG>in the ACL rule</LI></UL><P></P><P>Example configuration could be for example (unless I remember something wrong)</P><P></P><P><STRONG>dns domain-lookup outside</STRONG></P><P><STRONG>dns server-group DefaultDNS</STRONG></P><P><STRONG>&nbsp;&nbsp;&nbsp; name-server 8.8.8.8</STRONG></P><P></P><P><STRONG>object network GOOGLE</STRONG></P><P><STRONG> fqdn www.google.com</STRONG></P><P></P><P><STRONG>access-list OUTSIDE-IN permit tcp object GOOGLE host <DESTINATION ip=""> eq 80</DESTINATION></STRONG></P><P></P><P><STRONG>access-group OUTSIDE-IN in interface outside</STRONG></P><P></P><P></P><P>So I would imagine that if your software is not the above mentioned or newer you wont be able to allow connections according to FQDN.</P><P></P><P>Hope this helps <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>- Jouni</P></BODY></HTML> Tue, 11 Feb 2014 16:23:57 GMT https://community.cisco.com/t5/network-security/allowing-a-dyn-dns-to-my-access-list/m-p/2426810#M269840 Jouni Forss 2014-02-11T16:23:57Z https://community.cisco.com/t5/network-security/allowing-a-dyn-dns-to-my-access-list/m-p/2426811#M269842 <HTML><HEAD></HEAD><BODY><P>Great post, thanks for the detail.</P><P></P><P>I'm currently running:</P><P></P><P>Cisco Adaptive Security Appliance Software Version 7.2(5) </P><P>Device Manager Version 5.2(5)</P><P></P><P>WIll i need to upgrade my appliance for this to work?</P></BODY></HTML> Tue, 11 Feb 2014 16:33:59 GMT https://community.cisco.com/t5/network-security/allowing-a-dyn-dns-to-my-access-list/m-p/2426811#M269842 Locayta123 2014-02-11T16:33:59Z https://community.cisco.com/t5/network-security/allowing-a-dyn-dns-to-my-access-list/m-p/2426812#M269844 <HTML><HEAD></HEAD><BODY><P>Yes, but upgrading to 8.4(2) will, unfortunately, change a lot of your configurations related to NAT in particular.</P><P></P><P>Reference this document to get a heads-up on what else will be required.</P><P><A class="jive-link-wiki-small" href="https://community.cisco.com/docs/DOC-12690">https://supportforums.cisco.com/docs/DOC-12690</A></P><P></P><P><SPAN style="font-size: 10pt;">An alternative and arguably better solution to your problem is just creating a Remote Access VPN for him on the ASA, then his IP won't matter, unless I am misunderstanding how this person connects.</SPAN></P></BODY></HTML> Wed, 12 Feb 2014 23:00:52 GMT https://community.cisco.com/t5/network-security/allowing-a-dyn-dns-to-my-access-list/m-p/2426812#M269844 jpeterson6 2014-02-12T23:00:52Z