https://community.cisco.com/t5/network-security/extended-access-list-error-using-fqdn/m-p/1741274#M493973 <HTML><HEAD></HEAD><BODY><P>@<A _jive_internal="true" href="https://community.cisco.com/people/zulqurnain" id="jive-4571604623361078697801" onmouseout="" onmouseover="">zulqurnain</A> </P><P>Thanks for your reply. Indeed the asa does not allow me to use a hostname. The question is, how can I still make this work without going for 'any' or adding all the possible ip's it might translate too. </P></BODY></HTML> Mon, 07 Nov 2011 12:31:27 GMT michellp 2011-11-07T12:31:27Z https://community.cisco.com/t5/network-security/extended-access-list-error-using-fqdn/m-p/1741271#M493970 <P>Hi,</P><P></P><P>I'm trying to add an access-list rule to allow internal servers to connect an outside host on a asa 5540. The hostname translates to multiple ip's. Normally I just lookup the ip address or one of the ip's the hostname translates too and use that in the access-list as the host. </P><P>For some reason the actual ip's, which are a few, are not always available so using a specific ip sometimes does not work, thus the reason I have to use the hostname instead of the ip. I have 2 hostnames. <A href="http://www.hostname.com" target="_blank">www.hostname.com</A> and subdomain.hostname.com.</P><P></P><P>This is how I normally add these rules (the ip addresses are fictive):</P><P>access-list internet_access extended permit tcp host 192.168.50.5 host 84.115.57.121 eq www log</P><P></P><P>When I try to add this using the hostname on our asa I get an error:</P><P>access-list internet_access extended permit tcp host 192.168.50.5 host <A href="http://www.hostname.com/" target="_blank">www.hostname.com</A>&nbsp; ?<BR />ERROR: % Unrecognized command</P><P></P><P>I've tried it without the 'www', so hostname.com but same error. </P><P></P><P>How can I solve this? </P><P></P><P></P><P>Thanks in advance for your time and help</P><P></P><P>Regards,</P> Mon, 11 Mar 2019 21:46:52 GMT https://community.cisco.com/t5/network-security/extended-access-list-error-using-fqdn/m-p/1741271#M493970 michellp 2019-03-11T21:46:52Z https://community.cisco.com/t5/network-security/extended-access-list-error-using-fqdn/m-p/1741272#M493971 <HTML><HEAD></HEAD><BODY><P> By the way, creating an object-group or network-object, gives the same result, error. </P></BODY></HTML> Mon, 07 Nov 2011 08:18:11 GMT https://community.cisco.com/t5/network-security/extended-access-list-error-using-fqdn/m-p/1741272#M493971 michellp 2011-11-07T08:18:11Z https://community.cisco.com/t5/network-security/extended-access-list-error-using-fqdn/m-p/1741273#M493972 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>As far I can remember and experienced Cisco ASA does not allow you to configure access-list using hostname , access-list can only have ip-address and ports.</P><P></P><P>HTH </P><P></P><P>Sent from Cisco Technical Support iPad App</P></BODY></HTML> Mon, 07 Nov 2011 10:48:23 GMT https://community.cisco.com/t5/network-security/extended-access-list-error-using-fqdn/m-p/1741273#M493972 zulqurnain 2011-11-07T10:48:23Z https://community.cisco.com/t5/network-security/extended-access-list-error-using-fqdn/m-p/1741274#M493973 <HTML><HEAD></HEAD><BODY><P>@<A _jive_internal="true" href="https://community.cisco.com/people/zulqurnain" id="jive-4571604623361078697801" onmouseout="" onmouseover="">zulqurnain</A> </P><P>Thanks for your reply. Indeed the asa does not allow me to use a hostname. The question is, how can I still make this work without going for 'any' or adding all the possible ip's it might translate too. </P></BODY></HTML> Mon, 07 Nov 2011 12:31:27 GMT https://community.cisco.com/t5/network-security/extended-access-list-error-using-fqdn/m-p/1741274#M493973 michellp 2011-11-07T12:31:27Z https://community.cisco.com/t5/network-security/extended-access-list-error-using-fqdn/m-p/1741275#M493974 <HTML><HEAD></HEAD><BODY><P><A _jive_internal="true" href="https://community.cisco.com/people/zulqurnain" id="jive-457160965476906290454" onmouseout="" onmouseover="">zulqurnain</A> is correct, you cannot add a hostname to an ACL it has to be an IP address. The only way to filter traffic is by adding the IP address and ports of&nbsp; hostename.com to the ACL. </P></BODY></HTML> Mon, 07 Nov 2011 20:45:37 GMT https://community.cisco.com/t5/network-security/extended-access-list-error-using-fqdn/m-p/1741275#M493974 chris baranowski 2011-11-07T20:45:37Z