06-29-2005 07:41 AM - edited 02-21-2020 12:14 AM
Can you, in any way, create an access-list that will first resolve domain names before processing?
I don't think you can, but it would be nice if you could have the PIX (ASA) appliance cache DNS entries for name resolution, allowing you to create dynamic ACLs based on FQDNs and other internal DNS names.
I have had a number of requests to create ACLs based on names created in local DNS on enterprise networks. It would be nice to have the ability to query an internal DNS server for name resolution that then gets cached for ACLs and such, similar to the "names" command, but more dynamic, using DNS instead of static entries.
07-03-2005 09:20 PM
Sorry for the delay in responding.
PIX 7.0 does NOT do this, unfortunately. I'm not aware of any works in progress to have it do this either, as it could be a security risk: if someone could change your DNS server entry (and there are plenty of hacks to do that), then they could effectively change the access permissions on your firewall.
07-04-2005 04:50 AM
I understand the concern. I guess, since I was thinking about using it for outbound traffic (in interface inside), that the risk would be minimal. The whole reason I was curious about this is that I have a number of customers who want to be able to give WWW access to specific web sites (for business use) but don't have the need for a content management app like WebSense. They just want to be able to say "Group A can go to canada411.com" and that's it.
Thanks for the response.
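The thread asks for an outbound ACL keyed on an FQDN, with the firewall caching DNS answers, and the reply points out the risk: whoever controls the DNS answer controls the effective policy. The following Python model, added here as an illustration and not PIX/ASA code or anything posted in the thread, implements that design (first-match rules, a TTL-based resolver cache, plus a static `names`-style alias table) and then walks through the failure mode: the rule "Group A can go to canada411.com" keeps permitting only the cached address until the TTL expires, after which a tampered resolver answer silently changes which host Group A is allowed to reach, while the static alias is unaffected. All addresses, hostnames, the `honest`/`poisoned` answer tables, and the 300-second TTL are constructed for the example.

```python
"""Model of an FQDN-based outbound ACL backed by a DNS cache, and of the
DNS-tampering risk it carries.  Added example; not firewall code."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

IPAddr = ipaddress.IPv4Address


class DnsCache:
    """Name -> set of addresses, re-resolved once the cached TTL has expired."""

    def __init__(self, resolver: Callable[[str], List[str]], ttl: int = 300):
        self.resolver = resolver          # assumed: name -> list of dotted-quad strings
        self.ttl = ttl
        self.entries: Dict[str, Tuple[FrozenSet[IPAddr], int]] = {}

    def lookup(self, name: str, now: int) -> FrozenSet[IPAddr]:
        cached = self.entries.get(name)
        if cached is not None and now < cached[1]:
            return cached[0]
        addrs = frozenset(ipaddress.IPv4Address(a) for a in self.resolver(name))
        self.entries[name] = (addrs, now + self.ttl)
        return addrs


@dataclass
class Rule:
    src: ipaddress.IPv4Network   # e.g. the "Group A" subnet
    dst: str                     # FQDN, static alias, or CIDR
    dport: int
    permit: bool = True


class OutboundAcl:
    """First-match ACL with an implicit deny at the end."""

    def __init__(self, rules: List[Rule], cache: DnsCache,
                 static_names: Optional[Dict[str, IPAddr]] = None):
        self.rules = rules
        self.cache = cache
        self.static_names = static_names or {}   # like the PIX `names` command

    def _dst_matches(self, rule: Rule, dst: IPAddr, now: int) -> bool:
        if rule.dst in self.static_names:            # static alias: never re-resolved
            return dst == self.static_names[rule.dst]
        try:
            return dst in ipaddress.ip_network(rule.dst, strict=False)
        except ValueError:
            pass                                     # not a CIDR, treat as an FQDN
        return dst in self.cache.lookup(rule.dst, now)

    def evaluate(self, src: str, dst: str, dport: int, now: int) -> str:
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        for r in self.rules:
            if s in r.src and dport == r.dport and self._dst_matches(r, d, now):
                return "permit" if r.permit else "deny"
        return "deny"


GROUP_A = ipaddress.IPv4Network("10.1.1.0/24")


def scenario() -> Dict[str, str]:
    """Walk the same packet through the ACL before and after DNS tampering."""
    # Constructed DNS answers (documentation-range addresses, not real records).
    answers = {"canada411.com": ["203.0.113.10"]}
    poisoned = {"canada411.com": ["198.51.100.77"]}   # attacker-chosen host
    cache = DnsCache(lambda name: answers[name], ttl=300)
    acl = OutboundAcl(
        [Rule(GROUP_A, "canada411.com", 80),
         Rule(GROUP_A, "intranet", 443)],
        cache,
        static_names={"intranet": ipaddress.IPv4Address("10.0.0.20")},
    )
    out: Dict[str, str] = {}
    out["legit_t0"] = acl.evaluate("10.1.1.5", "203.0.113.10", 80, now=0)
    out["other_t0"] = acl.evaluate("10.1.1.5", "198.51.100.77", 80, now=0)
    answers.update(poisoned)                          # DNS server entry tampered
    out["other_cached"] = acl.evaluate("10.1.1.5", "198.51.100.77", 80, now=100)
    out["other_after_ttl"] = acl.evaluate("10.1.1.5", "198.51.100.77", 80, now=400)
    out["legit_after_ttl"] = acl.evaluate("10.1.1.5", "203.0.113.10", 80, now=400)
    out["outside_group"] = acl.evaluate("10.2.2.9", "198.51.100.77", 80, now=400)
    out["static_alias"] = acl.evaluate("10.1.1.5", "10.0.0.20", 443, now=400)
    return out


if __name__ == "__main__":
    for label, verdict in scenario().items():
        print(f"{label:16} {verdict}")
```

The point of the walk-through is that no firewall configuration changed between `other_t0` and `other_after_ttl`; only the resolver's answer did, and the cache merely delays the effect until the TTL expires. That is exactly why the reply treats the feature as a policy-integrity question rather than a convenience one, and it is also why the static alias table keeps its verdict: its mapping is part of the configuration, not of the DNS data.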