Can ASA have ACLs with FQDNs?

Andy White
Level 3

Hello,

2 things if I may.

I have upgraded our ASA 5520 from 8.2 > 8.4 > 9.1.3 and I was wondering if I can now create rules where the destination can be an FQDN rather than an IP?  We have some hosted clusters in the 'Cloud' and using an FQDN would make life much easier as they keep changing the IPs in the cluster. If so, how?

Also I now notice ACLs can have users assigned to them, what is this feature all about?

Thanks

4 Replies

Jouni Forss
VIP Alumni

Hi,

Yes, you can use FQDN in the ACLs.

First you will need to enable the ASA to do DNS lookups so it can dynamically learn the correct public IP address corresponding to the FQDN in the ACL.

Example configuration from my ASA:

dns domain-lookup WAN
dns server-group DefaultDNS
    name-server 8.8.8.8

object network GOOGLE
    fqdn www.google.com

access-list LAN-IN extended permit ip any object GOOGLE


When we look at the ACL we see this (in my case):

ASA# sh access-list LAN-IN
access-list LAN-IN; 19 elements; name hash: 0xefdd5a99
access-list LAN-IN line 1 extended permit ip any object GOOGLE 0x585b04df
  access-list LAN-IN line 1 extended permit ip any fqdn www.google.com (resolved) 0x4cd6ac30
  access-list LAN-IN line 1 extended permit ip any host 109.232.83.91 (www.google.com) (hitcnt=0) 0x585b04df
  access-list LAN-IN line 1 extended permit ip any host 109.232.83.106 (www.google.com) (hitcnt=0) 0x585b04df
  access-list LAN-IN line 1 extended permit ip any host 109.232.83.90 (www.google.com) (hitcnt=0) 0x585b04df
  access-list LAN-IN line 1 extended permit ip any host 109.232.83.95 (www.google.com) (hitcnt=0) 0x585b04df
  access-list LAN-IN line 1 extended permit ip any host 109.232.83.123 (www.google.com) (hitcnt=0) 0x585b04df
  access-list LAN-IN line 1 extended permit ip any host 109.232.83.112 (www.google.com) (hitcnt=0) 0x585b04df
  access-list LAN-IN line 1 extended permit ip any host 109.232.83.102 (www.google.com) (hitcnt=0) 0x585b04df
  access-list LAN-IN line 1 extended permit ip any host 109.232.83.99 (www.google.com) (hitcnt=0) 0x585b04df
  access-list LAN-IN line 1 extended permit ip any host 109.232.83.110 (www.google.com) (hitcnt=0) 0x585b04df
  access-list LAN-IN line 1 extended permit ip any host 109.232.83.84 (www.google.com) (hitcnt=0) 0x585b04df
  access-list LAN-IN line 1 extended permit ip any host 109.232.83.113 (www.google.com) (hitcnt=0) 0x585b04df
  access-list LAN-IN line 1 extended permit ip any host 109.232.83.121 (www.google.com) (hitcnt=0) 0x585b04df
  access-list LAN-IN line 1 extended permit ip any host 109.232.83.101 (www.google.com) (hitcnt=0) 0x585b04df
  access-list LAN-IN line 1 extended permit ip any host 109.232.83.117 (www.google.com) (hitcnt=0) 0x585b04df
  access-list LAN-IN line 1 extended permit ip any host 109.232.83.80 (www.google.com) (hitcnt=0) 0x585b04df
  access-list LAN-IN line 1 extended permit ip any host 109.232.83.88 (www.google.com) (hitcnt=0) 0x585b04df

You can then also use these commands to show some DNS information that the ASA has received:

show dns
show dns-hosts

Output of one of the above commands:

ASA# show dns-hosts
Host                     Flags      Age Type   Address(es)
www.google.com           (temp, OK) 0    IP    109.232.83.91  109.232.83.106
                                               109.232.83.90  109.232.83.95
                                               109.232.83.123  109.232.83.112
                                               109.232.83.102  109.232.83.99
                                               109.232.83.110  109.232.83.84
                                               109.232.83.113  109.232.83.121
                                               109.232.83.101  109.232.83.117
                                               109.232.83.80  109.232.83.88

It is a totally different matter how well this works. Generally people ask about it to block something, which in some cases doesn't necessarily work 100%.

Have a look at this document about the same subject:

https://supportforums.cisco.com/docs/DOC-17014

With regards to your second question I can't really give a good answer. It's related to the concept of Identity Firewall. Essentially you integrate the ASA with AD through the use of the AD agent, which enables you to build the ACL rules based on the user's identity.

I have not really tested or configured this ever, so I can't really comment on it. Probably something I will lab eventually.

Have a look at this document:

https://supportforums.cisco.com/docs/DOC-20366

You could also check the Identity Firewall section of the Configuration Guide for more information:

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/aaa_idfw.html

Hope this helps

- Jouni
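As an added example (not from the thread, and not Cisco's code), here is a small Python checker for the point Jouni makes about FQDN rules not working 100% for blocking: it parses `show access-list` output in the format quoted above, records which FQDN entries are resolved and to which addresses the ASA has expanded them, and then compares that against the answers a LAN client received for the same names. Any client answer the ASA's expansion does not contain is a flow the FQDN rule will not match. The sample output, the CLUSTER object, app.example.net, the hit counts and the client answers are constructed for the example; the `(unresolved)` marker is assumed to be how the ASA displays an FQDN object it has not yet looked up.

```python
import re

# Constructed sample of "show access-list" output, in the ASA 9.x layout
# quoted in the thread. The CLUSTER object, app.example.net, the hit counts
# and the hash values are illustrative, not taken from a real device.
SHOW_ACCESS_LIST = """\
access-list LAN-IN; 6 elements; name hash: 0xefdd5a99
access-list LAN-IN line 1 extended permit ip any object GOOGLE 0x585b04df
  access-list LAN-IN line 1 extended permit ip any fqdn www.google.com (resolved) 0x4cd6ac30
  access-list LAN-IN line 1 extended permit ip any host 109.232.83.91 (www.google.com) (hitcnt=3) 0x585b04df
  access-list LAN-IN line 1 extended permit ip any host 109.232.83.106 (www.google.com) (hitcnt=0) 0x585b04df
access-list LAN-IN line 2 extended permit tcp any object CLUSTER eq 443 0x1a2b3c4d
  access-list LAN-IN line 2 extended permit tcp any fqdn app.example.net (unresolved) eq 443 0x2b3c4d5e
access-list LAN-IN line 3 extended deny ip any any (hitcnt=12) 0x0f0e0d0c
"""

# "fqdn <name> (resolved|unresolved)" lines give the object's lookup state.
FQDN_RE = re.compile(r"\bfqdn (\S+) \((resolved|unresolved)\)")
# "host <ip> (<name>)" lines are the per-address expansion of a resolved FQDN.
HOST_RE = re.compile(r"\bhost (\d{1,3}(?:\.\d{1,3}){3}) \((\S+)\)")


def parse_fqdn_acl(text):
    """Map each FQDN in the ACL to its lookup status and expanded addresses."""
    entries = {}
    for line in text.splitlines():
        m = FQDN_RE.search(line)
        if m:
            fqdn, status = m.groups()
            entries.setdefault(fqdn, {"status": status, "addresses": set()})
            entries[fqdn]["status"] = status
            continue
        m = HOST_RE.search(line)
        if m:
            ip, fqdn = m.groups()
            entries.setdefault(fqdn, {"status": "resolved", "addresses": set()})
            entries[fqdn]["addresses"].add(ip)
    return entries


def unresolved(entries):
    """FQDN objects the ASA has not expanded to any address yet."""
    return sorted(f for f, e in entries.items() if e["status"] == "unresolved")


def client_mismatches(entries, client_answers):
    """Client-resolved addresses that the ASA's expansion does not cover.

    Traffic to these addresses will not hit the FQDN rule at all, which is
    the usual reason an FQDN-based block "does not work": the client and the
    ASA asked DNS separately and got different answers.
    """
    gaps = {}
    for fqdn, ips in client_answers.items():
        asa_ips = entries.get(fqdn, {}).get("addresses", set())
        missing = set(ips) - asa_ips
        if missing:
            gaps[fqdn] = sorted(missing)
    return gaps


# Constructed answers a LAN client might receive for the same two names.
CLIENT_ANSWERS = {
    "www.google.com": ["109.232.83.91", "109.232.83.200"],
    "app.example.net": ["198.51.100.10"],
}

if __name__ == "__main__":
    acl = parse_fqdn_acl(SHOW_ACCESS_LIST)
    print("unresolved FQDN objects:", unresolved(acl))
    print("client answers not covered by the ACL:", client_mismatches(acl, CLIENT_ANSWERS))
```

In practice the client answers would come from `nslookup` on a LAN host (or from DNS logs), and the ACL text from `show access-list` on the ASA; pointing both the ASA and the clients at the same internal resolver narrows the gap but does not close it, since round-robin and CDN answers still differ between queries.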

Hi,

Sorry for the delay.  Let me try this now and let you know the results!

Hi,

It seems we already had this:

dns domain-lookup inside
dns server-group DefaultDNS
    name-server 192.168.21.10 (Internal DNS server)
    name-server 192.168.21.11 (Internal DNS server)
    domain-name gb.cn.local (Internal DNS server)

But I get this:

sh dns
INFO: no activated FQDN

I'm not sure if it would use our internal DNS servers to resolve FQDNs. Do I need to remove the 2 DNS servers and add, say, Google (8.8.8.8)?

Hi,

Did you use any "object network" with an FQDN in any ACL?

Though I am not sure whether the message means that the ASA has not resolved any FQDNs yet.

You could try, for example:

ping www.google.com

and see whether the ASA rejects it or resolves the DNS name to an IP.

- Jouni
