Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1890
Views
0
Helpful
2
Replies

ACLs and FQDN Not Working - Cisco ASA

Go to solution
Jhon Fredy Herrera Osorno
Level 1
Level 1

‎05-18-2022 12:36 PM - edited ‎05-18-2022 12:39 PM

Hi team,

I  can´t make that access-lists works with FQDN.

when i do show access-list the output show (unresolved) any (inactive)

 

ASA CODE is Cisco Adaptive Security Appliance Software Version 9.12(4)38

here is the configacl,asa,fqdnasa

 

dns domain-lookup LAN
DNS server-group DefaultDNS
name-server 208.67.222.123 OUTSIDE
name-server 208.67.220.123 OUTSIDE
name-server 1.1.1.1 OUTSIDE
name-server 1.0.0.1 OUTSIDE
name-server 192.168.0.19 LAN
domain-name lab.local

!

!

object network GOOGLE
fqdn v4 www.google.com

!

access-list PRUEBA extended permit ip object GOOGLE any

!

when i do:

ping www.google.com

ciscoasa# ping www.google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 142.250.78.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/18/20 ms
ciscoasa#

as you can see work the resolution.

Thanks for the help.

 

Labels:
Preview file
7 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Sheraz.Salim
VIP
VIP

‎05-18-2022 01:28 PM - edited ‎05-18-2022 01:32 PM

does your rule should be not this

access-list PRUEBA extended permit ip any object GOOGLE

 

 

looking into your log entry issue seem to be with Unreachable DNS server. if DNS server is not reachable and the ASA is unable to resolve the IP of the FQDN then the ACL will be marked as ‘inactive’,

please do not forget to rate.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Sheraz.Salim
VIP
VIP

‎05-18-2022 01:28 PM - edited ‎05-18-2022 01:32 PM

does your rule should be not this

access-list PRUEBA extended permit ip any object GOOGLE

 

 

looking into your log entry issue seem to be with Unreachable DNS server. if DNS server is not reachable and the ASA is unable to resolve the IP of the FQDN then the ACL will be marked as ‘inactive’,

please do not forget to rate.
0 Helpful

Go to solution
Jhon Fredy Herrera Osorno
Level 1
Level 1
In response to Sheraz.Salim

‎05-18-2022 02:19 PM

Thanks, 

After after reading in depth, fqdn is not resolved until the access list is applied to an interface.

and i solve my needs with dynamic split tunnel according to this document 

Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.6 - Configure VPN Access [Cisco AnyConnect Secure Mobility Client] - Cisco

 

Thanks

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card