03-24-2008 01:36 PM - edited 03-11-2019 05:21 AM
I've been tasked with converting a Netscreen fw to ASA 5520. All is well except for some of the fw policy where they have used fqdn for a host in the "untrust" portion of the policy. On the Netscreen, you can configure a dns server and it will go out and resolve these fqdn's. Does the ASA allow for something like this? I've looked through the cmd reference, etc. and haven't found it.
greg
03-24-2008 02:11 PM
I just found this link:
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/ef_72.html#wp1763243
Hope this helps
03-24-2008 02:18 PM
Sorry, doesn't apply.
I'm asking about the ability to use a fqdn either directly in an access-list (aka policy statement) or a network-object that can be used in an access-list.
03-24-2008 05:30 PM
Hi ggriebel,
If I am not mistaken, what you're trying to do here is to use what is referred to in Checkpoint or Juniper/Netscreen as "domain" objects. In other words, you specify the domain object as, for example, ".yahoo.com" and take this object and apply it to either the source or the destination. Furthermore, sometimes you want to "negate" the object as well.

Those features have been widely available with Checkpoint and Juniper firewalls. Cisco Pix/ASA does not support that function.
CCIE Security
03-25-2008 06:59 AM
It can also be done on Fortigates. I didn't think it's available on the ASA, that's why I was questioning.
thanks.
01-23-2013 10:09 AM
Hi,
I want to follow up on this thread to see if Cisco has made any update on this - Access policy using FQDN instead of hard coded IP address?
I have seen a couple of options based on my research.
MPF with http class --> this is not good enough as https or non-http traffic will not be qualified.
Identity ware firewall policy using DNS --> Is this applicable to 8.2 release?
Regards
Pratheesh