11-13-2013 01:17 PM - edited 03-11-2019 08:04 PM
Hello,
2 things if I may.
I have upgraded our ASA 5520 from 8.2 > 8.4 > 9.1.3 and I was wondering if I can now create rules where the destination can be an FQDN rather than an IP? We have some hosted clusters in the 'Cloud' and using an FQDN would make life much easier as they keep changing the IPs in the cluster. If so, how?
Also I now notice ACLs can have users assigned to them, what is this feature all about?
Thanks
11-13-2013 01:33 PM
Hi,
Yes, you can use FQDN in the ACLs.
First you will need to enable the ASA to do DNS lookups so it can dynamically learn the correct public IP address corresponding to the FQDN in the ACL.
Example configuration from my ASA
dns domain-lookup WAN
dns server-group DefaultDNS
name-server 8.8.8.8
object network GOOGLE
fqdn www.google.com
access-list LAN-IN extended permit ip any object GOOGLE
When we look at the ACL we see this (in my case)
ASA# sh access-list LAN-IN
access-list LAN-IN; 19 elements; name hash: 0xefdd5a99
access-list LAN-IN line 1 extended permit ip any object GOOGLE 0x585b04df
access-list LAN-IN line 1 extended permit ip any fqdn www.google.com (resolved) 0x4cd6ac30
access-list LAN-IN line 1 extended permit ip any host 109.232.83.91 (www.google.com) (hitcnt=0) 0x585b04df
access-list LAN-IN line 1 extended permit ip any host 109.232.83.106 (www.google.com) (hitcnt=0) 0x585b04df
access-list LAN-IN line 1 extended permit ip any host 109.232.83.90 (www.google.com) (hitcnt=0) 0x585b04df
access-list LAN-IN line 1 extended permit ip any host 109.232.83.95 (www.google.com) (hitcnt=0) 0x585b04df
access-list LAN-IN line 1 extended permit ip any host 109.232.83.123 (www.google.com) (hitcnt=0) 0x585b04df
access-list LAN-IN line 1 extended permit ip any host 109.232.83.112 (www.google.com) (hitcnt=0) 0x585b04df
access-list LAN-IN line 1 extended permit ip any host 109.232.83.102 (www.google.com) (hitcnt=0) 0x585b04df
access-list LAN-IN line 1 extended permit ip any host 109.232.83.99 (www.google.com) (hitcnt=0) 0x585b04df
access-list LAN-IN line 1 extended permit ip any host 109.232.83.110 (www.google.com) (hitcnt=0) 0x585b04df
access-list LAN-IN line 1 extended permit ip any host 109.232.83.84 (www.google.com) (hitcnt=0) 0x585b04df
access-list LAN-IN line 1 extended permit ip any host 109.232.83.113 (www.google.com) (hitcnt=0) 0x585b04df
access-list LAN-IN line 1 extended permit ip any host 109.232.83.121 (www.google.com) (hitcnt=0) 0x585b04df
access-list LAN-IN line 1 extended permit ip any host 109.232.83.101 (www.google.com) (hitcnt=0) 0x585b04df
access-list LAN-IN line 1 extended permit ip any host 109.232.83.117 (www.google.com) (hitcnt=0) 0x585b04df
access-list LAN-IN line 1 extended permit ip any host 109.232.83.80 (www.google.com) (hitcnt=0) 0x585b04df
access-list LAN-IN line 1 extended permit ip any host 109.232.83.88 (www.google.com) (hitcnt=0) 0x585b04df
You can then also use these commands to show some DNS information that the ASA has received
show dns
show dns-hosts
Output of one of the above commands
ASA# show dns-hosts
Host Flags Age Type Address(es)
www.google.com (temp, OK) 0 IP 109.232.83.91 109.232.83.106
109.232.83.90 109.232.83.95
109.232.83.123 109.232.83.112
109.232.83.102 109.232.83.99
109.232.83.110 109.232.83.84
109.232.83.113 109.232.83.121
109.232.83.101 109.232.83.117
109.232.83.80 109.232.83.88
It is a totally different matter how well this works. Generally people ask it to block something, which in some cases doesn't necessarily work 100%.
Have a look at this document about the same subject
https://supportforums.cisco.com/docs/DOC-17014
With regards to your second question I can't really give a good answer. It's related to the concept of Identity Firewall. Essentially you will integrate the ASA with AD through the use of an AD agent, which enables you to build the ACL rules based on the user's identity.
I have not really tested or configured this ever, so I can't really comment on it. Probably something I will lab eventually.
Have a look at this document
https://supportforums.cisco.com/docs/DOC-20366
You could also check the Configuration Guide section of Identity Firewall for more information
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/aaa_idfw.html
Hope this helps
- Jouni
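As an added example (not from the thread or from Cisco): a small Python script that parses the two outputs shown above and reports any drift between the addresses the ASA has cached for an FQDN in "show dns-hosts" and the host entries the FQDN object was expanded into in "show access-list". The sample outputs are constructed from the lines above, not a live capture.

```python
import re
from collections import defaultdict

# Constructed sample output in the formats shown in the thread (not a live capture).
SHOW_ACL = """\
access-list LAN-IN; 19 elements; name hash: 0xefdd5a99
access-list LAN-IN line 1 extended permit ip any object GOOGLE 0x585b04df
access-list LAN-IN line 1 extended permit ip any fqdn www.google.com (resolved) 0x4cd6ac30
access-list LAN-IN line 1 extended permit ip any host 109.232.83.91 (www.google.com) (hitcnt=0) 0x585b04df
access-list LAN-IN line 1 extended permit ip any host 109.232.83.106 (www.google.com) (hitcnt=0) 0x585b04df
"""
SHOW_DNS_HOSTS = """\
Host Flags Age Type Address(es)
www.google.com (temp, OK) 0 IP 109.232.83.91 109.232.83.106
109.232.83.90
"""

IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# 'host <ip> (<fqdn>)' is how the ASA prints each address an FQDN object expanded to.
ACL_HOST_RE = re.compile(r"\bhost (\d{1,3}(?:\.\d{1,3}){3}) \(([^)]+)\)")


def acl_fqdn_hosts(show_acl):
    """Map FQDN -> set of host IPs the ACL was expanded into."""
    hosts = defaultdict(set)
    for line in show_acl.splitlines():
        m = ACL_HOST_RE.search(line)
        if m:
            hosts[m.group(2)].add(m.group(1))
    return dict(hosts)


def dns_hosts(show_dns_hosts):
    """Map FQDN -> set of cached IPs; wrapped continuation lines carry only addresses."""
    cache, current = {}, None
    for line in show_dns_hosts.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Host":
            continue
        if not IP_RE.fullmatch(parts[0]):      # a new host entry starts with its name
            current = parts[0]
            cache.setdefault(current, set())
        if current is not None:
            cache[current].update(IP_RE.findall(line))
    return cache


def acl_drift(show_acl, show_dns_hosts):
    """Per FQDN: (cached but not in the ACL expansion, in the ACL but no longer cached)."""
    acl, dns = acl_fqdn_hosts(show_acl), dns_hosts(show_dns_hosts)
    return {f: (sorted(dns.get(f, set()) - acl.get(f, set())),
                sorted(acl.get(f, set()) - dns.get(f, set())))
            for f in set(acl) | set(dns)}
```

A non-empty list on either side of the report means the ACL expansion and the DNS cache disagree for that name and is worth a closer look before relying on the rule.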
11-21-2013 06:09 AM
Hi,
Sorry for the delay. Let me try this now and let you know the results!
11-21-2013 06:26 AM
Hi,
It seems we already had this:
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.21.10 (Internal DNS server)
name-server 192.168.21.11 (Internal DNS server)
domain-name gb.cn.local (Internal DNS server)
But I get this:
sh dns
INFO: no activated FQDN
I'm not sure if it would use our internal DNS servers to resolve FQDNs; do I need to remove the 2 DNS servers and add, say, Google (8.8.8.8)?
11-21-2013 11:04 AM
Hi,
Did you use any "object network" using a FQDN in any ACL?
Though I am not sure whether the message means that the ASA has resolved any FQDNs yet.
You could try for example
ping www.google.com
And see if the ASA rejects it or whether it resolves the DNS name to an IP.
- Jouni