Solved: Re: FQDN based DACL

Aravind Ravichandran · ‎10-29-2018

Hello all,

Can you help me with the syntax to create fqdn based DACLs.

Thanks

-Aravind

hslai · ‎10-30-2018

The syntax error is expected and ok to ignore and save your edit anyway.

The DACL syntax checker in ISE works mainly for Cisco IOS ACL and does not recognize all the keywords; e.g. CSCve90230

See also CSCvj94873 and CSCva54802

View solution in original post

hslai · ‎10-29-2018

Usually, it would be the same syntax as the regular ACL supported on the NAD. For example, for ASA, I tested with below:

permit udp any eq bootpc any eq bootps
permit ip any host 10.1.100.10
permit tcp any object-group og-net-msftNCSI eq www
permit tcp any object obj-ISE eq 8443
permit tcp any object obj-ISE eq 8905
permit icmp any any
deny ip any any

where og-net-msftNCSI is defined on ASA

object-group network og-net-msftNCSI
network-object object obj-msftNCSI
network-object object obj-msftConnectTest

!

object network obj-msftNCSI
fqdn www.msftncsi.com
object network obj-msftConnectTest
fqdn www.msftconnecttest.com

Aravind Ravichandran · ‎10-30-2018

Hi,

This is applicable for ASA. When i tried to create same in ISE, its throwing error like object-group/fqdn are invalid argument.

-Aravind

hslai · ‎10-30-2018

The syntax error is expected and ok to ignore and save your edit anyway.

The DACL syntax checker in ISE works mainly for Cisco IOS ACL and does not recognize all the keywords; e.g. CSCve90230