Beginner

Using FQDN in access lists

Trying to determine how to properly configure FQDNs in access lists on an ASA5525 to always resolve for HTTPS from an internal network server VM application reaching out to them, regardless of what IP address changes occur to each domain name over time. After extensive research of many references that list configuration variations for the method, along with trial-and-error troubleshooting, the following is the latest attempted configuration, with the full show run config attached.


config t
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 4.2.2.2

object network MGMT_SERVER
subnet 192.168.0.0 255.255.255.0
object network obj-cisco.com
fqdn cisco.com
object network obj-usa.gov
fqdn usa.gov
object network obj-pbs.org
fqdn pbs.org
object-group network MGMT_FQDN
network-object object obj-cisco.com
network-object object obj-usa.gov
network-object object obj-pbs.org

access-list OUTBOUND extended permit tcp object MGMT_SERVER object-group MGMT_FQDN eq 443
access-list OUTBOUND extended permit udp object MGMT_SERVER host 8.8.8.8 eq domain
access-list OUTBOUND extended permit udp object MGMT_SERVER host 4.2.2.2 eq domain

ASA# packet-tracer input inside tcp 192.168.0.3 3000 fqdn MGMT_FQDN https
ERROR: Cannot resolve MGMT_FQDN
ASA#

Any possible feedback about the proper configuration method to resolve this would be greatly appreciated.
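The point worth keeping in mind with FQDN objects is that the firewall, not the client, does the resolving: each FQDN object expands to whatever addresses the ASA's own resolver currently holds for that name, and a name the ASA cannot resolve contributes no address at all, so an ACE built from it cannot match traffic (which is what the "Cannot resolve" output above reflects). The following Python script is an added illustration of that expansion, not Cisco code or anything from the original post: it parses the object, object-group and access-list lines posted above and expands them against a constructed resolver table (SAMPLE_DNS, with documentation-range addresses), flagging any name the table has no answer for. The parser only understands the few keywords used in the post.

```python
"""Expand an ASA-style ACL that references FQDN objects against a resolver view.
Added illustration, not Cisco code; DNS answers below are constructed sample data
standing in for what the firewall's own resolver returned."""
import ipaddress

# Constructed resolver view. A name with no addresses models the
# "Cannot resolve" state the post's packet-tracer output reports.
SAMPLE_DNS = {
    "cisco.com": ["198.51.100.10", "198.51.100.11"],
    "usa.gov": [],
    "pbs.org": ["203.0.113.7"],
}

# Object and ACL lines from the post (dns/name-server lines are not needed here).
CONFIG = """
object network MGMT_SERVER
 subnet 192.168.0.0 255.255.255.0
object network obj-cisco.com
 fqdn cisco.com
object network obj-usa.gov
 fqdn usa.gov
object network obj-pbs.org
 fqdn pbs.org
object-group network MGMT_FQDN
 network-object object obj-cisco.com
 network-object object obj-usa.gov
 network-object object obj-pbs.org
access-list OUTBOUND extended permit tcp object MGMT_SERVER object-group MGMT_FQDN eq 443
access-list OUTBOUND extended permit udp object MGMT_SERVER host 8.8.8.8 eq domain
"""


def parse_config(text):
    """Return (objects, groups, acl_token_lists) from a config fragment."""
    objects, groups, acls, current = {}, {}, [], None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["object", "network"]:
            current = ("object", tok[2])
        elif tok[:2] == ["object-group", "network"]:
            current = ("group", tok[2])
            groups[tok[2]] = []
        elif tok[0] == "subnet" and current and current[0] == "object":
            objects[current[1]] = ("subnet", ipaddress.ip_network(f"{tok[1]}/{tok[2]}"))
        elif tok[0] == "fqdn" and current and current[0] == "object":
            objects[current[1]] = ("fqdn", tok[-1])  # also tolerates "fqdn v4 <name>"
        elif tok[:2] == ["network-object", "object"] and current and current[0] == "group":
            groups[current[1]].append(tok[2])
        elif tok[0] == "access-list":
            acls.append(tok)
    return objects, groups, acls


def _take_spec(tok, i):
    """Consume one address specifier at tok[i]; return (kind, value, next_index)."""
    if tok[i] == "any":
        return "any", None, i + 1
    return tok[i], tok[i + 1], i + 2  # object / object-group / host


def _expand(kind, value, objects, groups, dns, unresolved):
    """Turn a specifier into concrete prefixes using the resolver view."""
    if kind == "any":
        return ["0.0.0.0/0"]
    if kind == "host":
        return [f"{value}/32"]
    if kind == "object-group":
        return [p for m in groups[value]
                for p in _expand("object", m, objects, groups, dns, unresolved)]
    typ, data = objects[value]
    if typ == "subnet":
        return [str(data)]
    addrs = dns.get(data, [])
    if not addrs:
        unresolved.append(data)  # the firewall holds no address for this name
    return [f"{a}/32" for a in addrs]


def effective_rules(text, dns):
    """Expand every ACE into the concrete prefixes it matches under this resolver view."""
    objects, groups, acls = parse_config(text)
    rules = []
    for tok in acls:
        ext = tok[2] == "extended"
        action, proto, i = (tok[3], tok[4], 5) if ext else (tok[2], tok[3], 4)
        unresolved = []
        s_kind, s_val, i = _take_spec(tok, i)
        d_kind, d_val, i = _take_spec(tok, i)
        port = tok[i + 1] if i < len(tok) and tok[i] == "eq" else "any"
        rules.append({
            "acl": tok[1], "action": action, "proto": proto, "port": port,
            "src": _expand(s_kind, s_val, objects, groups, dns, unresolved),
            "dst": _expand(d_kind, d_val, objects, groups, dns, unresolved),
            "unresolved": unresolved,
        })
    return rules


def unresolved_names(rules):
    """Names contributing no address to any ACE (those destinations are not permitted)."""
    return sorted({n for r in rules for n in r["unresolved"]})


if __name__ == "__main__":
    rules = effective_rules(CONFIG, SAMPLE_DNS)
    for r in rules:
        print(f"{r['acl']} {r['action']} {r['proto']} {r['src']} -> {r['dst']} port {r['port']}")
    print("unresolved:", unresolved_names(rules))
```

Run as-is, the script shows the HTTPS ACE expanding to the cisco.com and pbs.org addresses only, with usa.gov reported as unresolved; replace the empty usa.gov entry with an address and the flag disappears. The same dependency is what makes FQDN ACLs worth monitoring on a real firewall: the permitted set changes whenever the ASA's resolver answer changes or its cached entry expires, and it can differ from what the client resolved if the two use different DNS servers.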

2 Replies
Hall of Fame Master

Re: Using FQDN in access lists

When using packet-tracer you need to specify an actual fqdn in the destination - not an object-group or object.

Beginner

Re: Using FQDN in access lists

Like the following?

ASA# packet-tracer input inside tcp 192.168.0.3 3000 fqdn cisco.com https
ERROR: Cannot resolve cisco.com
ASA# packet-tracer input inside tcp 192.168.0.3 3000 fqdn usa.gov https
ERROR: Cannot resolve usa.gov

Maybe still some issue in how the packet-tracer command was run or possible misconfiguration?