Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
306
Views
0
Helpful
3
Replies

ASA 5520 - name resolution

TGF_Cisco
Level 1
Level 1

‎05-29-2013 08:24 AM - edited ‎03-11-2019 06:50 PM

  I have a simple problem.. We have a pair of ASA  running 8.0 (old) version.

The way we create outbound rules is done through ASDM and when we need to open outbound connections to a server in the internet, we create named object with IP address configured manually.

But practically , this doesnt work, since  the server is a server name which can resolve to multiple addresses. Everytime the server chagnes its IP the ASA rule needs to be updated.

Is there a difference if we add rules through CMD prompt as against ASDM where we need to enter IP addresses?

Thanks for helping me out..

Labels:
0 Helpful
3 Replies 3

Jouni Forss
VIP Alumni
VIP Alumni

‎05-29-2013 08:30 AM

Hi,

I imagine that you mean you configure an "object-group network " for each rule you configure on the ASA?

Or are you referring to the "name x.x.x.x " which pairs an IP address with a "name" that will very commonly show up on the ASDM side?

Starting from software level 8.4(2) you are able to use a FQDN inside an "object network"  (object network was introduced in 8.3(1))and create rules based on names. For this to work you will also configure ASAs "outside" interface with  DNS Domain Lookup so that the ASA can resolve the DNS name to an IP address.

When the above is setup and working the ASA will actually update the ACL rule using the FQDN according to the DNS Domain Lookups it does regularly.

Though to my understanding this has its problems and flaws but just though I'd mention as you can build these rules in newer software compared to your 8.0 version.

- Jouni

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to Jouni Forss

‎05-29-2013 08:34 AM

Here is a link to a document here on the CSC that has information about the thing I mentioned above

https://supportforums.cisco.com/docs/DOC-17014

- Jouni

0 Helpful

Karsten Iwen
VIP
VIP

‎05-29-2013 08:38 AM

The underlying function will be the same, regardless if you use CLI or ASDM. The only solution would be to upgrade to at least version 8.4 where you can use FQDNs in ACLs that are resolved to IP-addresses at runtime.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card