FQDN ACL

Enacisco
Level 1

Hi,

I'm trying to get my ASA to resolve the FQDN. I created the network object, added it to the ACL, and tied the ACL to the interface, but still no luck.

access-list Corp_access_in line 29 extended deny ip any object Google (hitcnt=0) 0xa2e5bb89
access-list Corp_access_in line 29 extended deny ip any fqdn www.google.com (unresolved) (inactive) 0x74f590e8
access-list Corp_access_in line 30 extended permit ip any any (hitcnt=24) 0x44e7cc89


SLROUTERICS(config)# sh dns

Name: www.google.com (unable to resolve)

Here is a capture from the log:

user-identity: DNS lookup for www.google.com failed, reason:UNKNOWN

user-identity: DNS lookup for www.google.com failed, reason:Timeout or unresolvable

Here is my DNS setup:

SLROUTERICS(config)# sh run dns
dns domain-lookup Corp
DNS server-group DefaultDNS
name-server 172.28.4.102 Corp
name-server 172.28.4.106 Corp
domain-name domain.corp

I made sure that my DNS is able to resolve the FQDN.

Thank you in advance.

3 Replies

Hello,

your DNS is (obviously) not resolving. Do the two DNS servers (172.28.4.102/106) have an entry for www.google.com?

Also, I assume 'CORP' is the name of the inside interface?

Make sure your entire config looks like this (ACL is generic):

domain-name domain.corp
!
dns domain-lookup Corp
DNS server-group DefaultDNS
name-server 172.28.4.102
name-server 172.28.4.106
domain-name domain.corp
!
object network obj-www.google.com
fqdn www.google.com
!
access-list Inside_In deny ip any object obj-www.google.com
access-list Inside_In permit ip any any

Hi Georg Pauwen,

Thank you for the reply. I'm not sure what you mean by my DNS not resolving; if I ping or nslookup from any other machine that uses the same DNS server, it resolves fine, but not from the ASA. Yes, Corp is my inside interface. I have the configuration you mentioned in your reply, but it is still not working. Do I need to tie that access-list entry to the inside interface?

access-group Corp_access_in in interface Corp

Thank you.

Hello,

if you want the ASA to resolve DNS names, you need to configure:

dns domain-lookup outside

That is, enable it for your outside interface...
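The security point buried in the output quoted in the original post is that an FQDN ACE the ASA cannot resolve is marked (inactive) and is simply skipped, so the deny is never enforced and the traffic falls through to the next active line (here "permit ip any any"). The following script is an added example, not code from the thread or from Cisco: it parses "show access-list" lines, flags FQDN ACEs still marked (unresolved)/(inactive), and reports the next active ACE that traffic reaches instead. The sample input is constructed from the lines in the post.

```python
import re

# Constructed sample input: the three "show access-list" lines from the post above.
SAMPLE_ACL = """\
access-list Corp_access_in line 29 extended deny ip any object Google (hitcnt=0) 0xa2e5bb89
access-list Corp_access_in line 29 extended deny ip any fqdn www.google.com (unresolved) (inactive) 0x74f590e8
access-list Corp_access_in line 30 extended permit ip any any (hitcnt=24) 0x44e7cc89
"""

# One ACE per line: name, line number, action, the match body, optional hit counter, hash.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<rest>.*?)(?: \(hitcnt=(?P<hits>\d+)\))? 0x[0-9a-f]+$"
)


def parse_aces(text):
    """Return one dict per ACE; FQDN ACEs carry their resolution/activation state."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue  # headers, blank lines, anything that is not an ACE
        ace = m.groupdict()
        rest = ace["rest"]
        ace["unresolved"] = "(unresolved)" in rest
        ace["inactive"] = "(inactive)" in rest
        fq = re.search(r"\bfqdn (\S+)", rest)
        ace["fqdn"] = fq.group(1) if fq else None
        ace["hits"] = int(ace["hits"]) if ace["hits"] is not None else None
        aces.append(ace)
    return aces


def find_fail_open(aces):
    """For every inactive deny ACE, report the next active ACE in the same ACL.

    While the FQDN is unresolved the ASA skips the deny, so matching traffic is
    evaluated against the following active lines instead (a blanket permit here).
    Returns tuples of (fqdn, deny line, next action, next line).
    """
    findings = []
    for i, ace in enumerate(aces):
        if not (ace["inactive"] and ace["action"] == "deny"):
            continue
        for later in aces[i + 1:]:
            if later["acl"] == ace["acl"] and not later["inactive"]:
                findings.append((ace["fqdn"], int(ace["line"]), later["action"], int(later["line"])))
                break
    return findings


if __name__ == "__main__":
    for fqdn, deny_line, action, next_line in find_fail_open(parse_aces(SAMPLE_ACL)):
        print(f"deny for {fqdn} (line {deny_line}) is inactive; traffic hits '{action}' at line {next_line}")
```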