Trying to determine how to properly configure FQDNs in access lists on an ASA5525 so that they always resolve for HTTPS from an internal network server VM application reaching out to them, regardless of what IP address changes occur to each domain name over time. After extensive research of many references that list configuration variations for the method, along with trial-and-error troubleshooting, the following is the latest attempted configuration, with the full show run config attached.
dns domain-lookup outside
dns server-group DefaultDNS
object network MGMT_SERVER
subnet 192.168.0.0 255.255.255.0
object network obj-cisco.com
object network obj-usa.gov
object network obj-pbs.org
object-group network MGMT_FQDN
network-object object obj-cisco.com
network-object object obj-usa.gov
network-object object obj-pbs.org
access-list OUTBOUND extended permit tcp object MGMT_SERVER object-group MGMT_FQDN eq 443
access-list OUTBOUND extended permit udp object MGMT_SERVER host 220.127.116.11 eq domain
access-list OUTBOUND extended permit udp object MGMT_SERVER host 18.104.22.168 eq domain
ASA# packet-tracer input inside tcp 192.168.0.3 3000 fqdn MGMT_FQDN https
ERROR: Cannot resolve MGMT_FQDN
Any possible feedback about the proper configuration method to resolve this would be greatly appreciated.
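For comparison with the posted running config, here is an added example of a complete FQDN-based outbound policy on an ASA (this is illustrative configuration written for this thread, not the poster's config or Cisco documentation). Interface names, the timer values, and reuse of the two DNS server addresses from the post are assumptions; the object and ACL names are the poster's. The points it adds relative to the posted config are the name-server entries under the server-group, an fqdn statement inside each network object, and an access-group binding, since the ASA only resolves FQDN objects that are referenced by an applied access list.

```cisco
! Added example configuration, not the poster's running config.
! Interface names, timer values and the name-server addresses are assumptions.

! 1. The ASA performs the lookups itself, so the lookup interface must be
!    able to reach the name servers listed in the server-group.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 220.127.116.11
 name-server 18.104.22.168
 ! re-resolve a name soon after its TTL expires (default is one hour) so
 ! the expanded ACL tracks address changes quickly
 expire-entry-timer minutes 1
 poll-timer minutes 1

! 2. Each network object must carry an fqdn statement; an empty
!    "object network" stanza has nothing for the ASA to resolve.
object network MGMT_SERVER
 subnet 192.168.0.0 255.255.255.0
object network obj-cisco.com
 fqdn v4 cisco.com
object network obj-usa.gov
 fqdn v4 usa.gov
object network obj-pbs.org
 fqdn v4 pbs.org
object-group network MGMT_FQDN
 network-object object obj-cisco.com
 network-object object obj-usa.gov
 network-object object obj-pbs.org

! 3. Permit the server's own DNS queries, permit HTTPS to the FQDN group,
!    and bind the ACL to the inside interface. FQDN objects in an access
!    list that is not applied with access-group are never resolved.
access-list OUTBOUND extended permit udp object MGMT_SERVER host 220.127.116.11 eq domain
access-list OUTBOUND extended permit udp object MGMT_SERVER host 18.104.22.168 eq domain
access-list OUTBOUND extended permit tcp object MGMT_SERVER object-group MGMT_FQDN eq https
access-group OUTBOUND in interface inside

! 4. Verification. "show dns" lists the addresses the ASA currently holds
!    for each FQDN object; "show access-list" shows the ACL expanded into
!    those addresses. Run packet-tracer only once show dns has entries,
!    otherwise it reports that the name cannot be resolved.
! ASA# show dns
! ASA# show access-list OUTBOUND
! ASA# packet-tracer input inside tcp 192.168.0.3 3000 fqdn cisco.com https
```

Two practical checks go with this. First, confirm with show dns that the ASA has actually resolved each object before relying on the ACL; until it has, traffic to those names is simply not matched by the permit line. Second, point the internal server at the same DNS servers the ASA uses (here the two addresses in the domain rules). FQDN objects are only as accurate as the ASA's own resolution, and a host that receives a different answer for a CDN-fronted name than the firewall did will be denied even though the policy looks correct.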
Like the following?
ASA# packet-tracer input inside tcp 192.168.0.3 3000 fqdn cisco.com https
ERROR: Cannot resolve cisco.com
ASA# packet-tracer input inside tcp 192.168.0.3 3000 fqdn usa.gov https
ERROR: Cannot resolve usa.gov
Maybe still some issue in how the packet-tracer command was run or possible misconfiguration?