FMC 7.2.5 FQDN objects in extended ACL's

thegreatone · ‎07-08-2024

Hi,

We are trying to use fqdn objects in extended ACL's to do policy based routing but FQDN objects do not show in the network tab in the ACE entry and when trying to use a network object group containing FQDN objects, we get an error. Is this not supported?

MHM Cisco World · ‎07-08-2024

What is error ypu get

MHM

thegreatone · ‎07-08-2024

Only Network or Host or Network range types are allowed.

An object other than the Network or Host or Network range type was
entered.

Please remove the object or modify the object to meet the
requirements.

MHM Cisco World · ‎07-08-2024

I check cisco doc. There is no mention that PBR support fqdn acl.

Sorry for this bad news.

MHM

thegreatone · ‎07-08-2024

Is there any way to do PBR using FQDN's? I have a FQDN whose IP's keep changing as its hosted on AWS and this is not something I can use IP address based object for. This is supported on ASA as I've been able to do this on ASA in the past

Torbjørn · ‎07-08-2024

I am only speculating, and it's an ugly hack. But wonder if you could NAT using the FQDN object, then do PBR based on the new source address?

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

thegreatone · ‎07-08-2024

I suppose I could give that a shot but I thought this was something that more people would use and would be possible using FlexConfig even if the GUI doesn't support it since it worked on ASA