Allowing a dyn dns to my access list
02-11-2014 08:14 AM - edited 03-11-2019 08:44 PM
Hi all.
I allow a remote user access to our network based on his static IP, which he is about to lose. We have configured a dyn DNS address for his changing public IP that I would like to add to our Cisco.
Looking at ASDM, how is it possible to add a dyn DNS address to the access list and have the ASA update accordingly?
Thanks.
Labels: NGFW Firewalls
02-11-2014 08:23 AM
Hi,
If you have an ASA running 8.4(2) or newer software, you can use an FQDN in the ACL rules to allow connections based on the DNS name rather than the IP address.
In this setup you will have to:
- Configure DNS servers that the ASA can use to make DNS queries
- Enable DNS lookups on the ASA interface through which the DNS queries should be sent
- Configure an "object network" with "fqdn customer.dnsname.com"
- Use the created object in the ACL rule
An example configuration could be (unless I remember something wrong):

dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
object network GOOGLE
 fqdn www.google.com
access-list OUTSIDE-IN permit tcp object GOOGLE host <destination-ip>
access-group OUTSIDE-IN in interface outside

So I would imagine that if your software is not the above-mentioned version or newer, you won't be able to allow connections according to FQDN.
Hope this helps
- Jouni
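The steps in the answer above, written out as one complete ASA 8.4(2)+ configuration. This is an added example, not Jouni's config or anything from Cisco documentation; the hostname remote-user.dyndns.example, the resolver 198.51.100.53, the internal server 192.0.2.10, the object names and TCP port 3389 are all placeholders chosen for illustration. It also adds the two DNS timers that decide how quickly the ACL follows a changed dynamic-DNS address, and the show commands used to confirm what the ASA actually resolved.

```cisco
! Added example (not from the thread): FQDN-based ACL entry for a
! dynamic-DNS host on ASA 8.4(2) or newer. All names, addresses and
! ports below are placeholders.

! 1. DNS: the ASA must be able to resolve the name itself, out of the
!    interface that can reach the resolver.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 198.51.100.53
!
! How often the ASA re-resolves FQDN objects (default 240 minutes) and
! how long a resolved address is kept after its DNS TTL has expired
! (default 1 minute). A shorter poll timer makes the ACL pick up a
! changed dynamic-DNS address sooner.
dns poll-timer minutes 30
dns expire-entry-timer minutes 5

! 2. Objects: the remote user's dynamic-DNS name (IPv4 only) and the
!    internal server he needs to reach.
object network REMOTE-USER
 fqdn v4 remote-user.dyndns.example
object network INTERNAL-RDP-SERVER
 host 192.0.2.10

! 3. ACL on the outside interface: permit only the one service, from
!    that FQDN only, and log everything else that is dropped.
!    On 8.3+ the ACL references the server's real (untranslated) address;
!    the NAT rule that exposes the server is not shown here.
access-list OUTSIDE-IN extended permit tcp object REMOTE-USER object INTERNAL-RDP-SERVER eq 3389
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside

! 4. Verification: the address the ASA currently has for the FQDN, and
!    the ACL entry expanded with that address.
show dns
show access-list OUTSIDE-IN
```

Two things worth checking before relying on this. First, the rule is only as good as the DNS answer: the ASA makes a network access decision from an unauthenticated lookup, so whoever controls the dynamic-DNS account, or can spoof answers toward the ASA's resolver, controls who matches the rule. Keep the permitted service narrow and, as the later reply in this thread suggests, prefer a VPN where the user is authenticated rather than inferred from an address. Second, there is a window between the user's IP changing and the ASA re-resolving the name; compare "show dns" with the address the user reports before assuming the ACL is wrong.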
02-11-2014 08:33 AM
Great post, thanks for the detail.
I'm currently running:
Cisco Adaptive Security Appliance Software Version 7.2(5)
Device Manager Version 5.2(5)
Will I need to upgrade my appliance for this to work?
02-12-2014 03:00 PM
Yes, but upgrading to 8.4(2) will, unfortunately, change a lot of your configurations related to NAT in particular.
Reference this document to get a heads-up on what else will be required.
https://supportforums.cisco.com/docs/DOC-12690
An alternative and arguably better solution to your problem is just creating a Remote Access VPN for him on the ASA; then his IP won't matter, unless I am misunderstanding how this person connects.
