05-13-2011 09:36 AM - edited 03-11-2019 01:33 PM
Hi,
Hopefully a simple question "can you use hostnames in FWSM ACLs to be resolved by DNS instead of fixed IPs?", i.e. for internet-based resources where the global IP is subject to change without notice?
If so, can anyone point me in the direction of a configuration example?
Thanks in advance
Matthew (bgfl-tech)
05-13-2011 09:48 AM
Hi Matthew
Sorry, no, you can't do this directly without the use of a 3rd party plugin such as Websense.
There is a sort of workaround using regular expressions coupled to a service policy, but it's pretty unfriendly to configure, and pretty easy to circumvent. Regular expressions are case sensitive, meaning that you need to define each combination of lower and upper case characters in a URL for this to match all possible options.
Let me know if you want an example of this.
HTH. Barry
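The regex-plus-service-policy workaround Barry describes, written out as an added configuration example (not Barry's own config, and not tested on the original poster's FWSM). It uses the Modular Policy Framework syntax as documented for ASA 8.x, which FWSM 3.1 and later share for HTTP inspection; the object names (ALLOWED_HOST_RE, ALLOWED_HOSTS, HTTP_HOST_POLICY, OUTSIDE_HTTP, OUTBOUND_HTTP, HOSTNAME_POLICY) and the hostname example.com are placeholders. Because FWSM/ASA regexes are case sensitive, every letter of the hostname is written as a bracket expression, exactly the awkwardness Barry points out:

```cisco
! Added example, not from the original thread. Names and hostname are placeholders.
! One regex per allowed hostname; each letter spelled as [Xx] to match any case.
regex ALLOWED_HOST_RE "^([Ww][Ww][Ww]\.)?[Ee][Xx][Aa][Mm][Pp][Ll][Ee]\.[Cc][Oo][Mm]"
!
! Group the allowed-host regexes so a single match statement can reference them.
class-map type regex match-any ALLOWED_HOSTS
 match regex ALLOWED_HOST_RE
!
! HTTP inspection policy: drop and log any request whose Host header is NOT allowed.
policy-map type inspect http HTTP_HOST_POLICY
 parameters
 match not request header host regex class ALLOWED_HOSTS
  drop-connection log
!
! The L3/L4 ACL still has to permit the whole (changeable) address range;
! inspection only narrows it by the hostname the client claims to be contacting.
access-list OUTSIDE_HTTP extended permit tcp any any eq www
class-map OUTBOUND_HTTP
 match access-list OUTSIDE_HTTP
!
! Attach the HTTP inspection to that traffic class and apply it on the inside interface.
policy-map HOSTNAME_POLICY
 class OUTBOUND_HTTP
  inspect http HTTP_HOST_POLICY
!
service-policy HOSTNAME_POLICY interface inside
```

Two caveats a practitioner should keep in mind, both consistent with Barry's "easy to circumvent": the Host header is supplied by the client, so anything permitted by the layer 3/4 ACL can be reached by simply sending an acceptable Host value, and the inspection only sees cleartext HTTP, so HTTPS traffic to the same destinations is not constrained by this policy at all.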
05-16-2011 02:42 AM
Hi Barry,
Thank you for your reply. I think I'm correct that the Websense and N2H2 FWSM support is for URL filtering at a firewall level(?). I'm just looking to be able to use an external hostname in an access-list instead of having to reference a large external network range, as the maintainer of the external service (Microsoft in this instance) can't provide a specific global IP address (or even several specific IP addresses) and has stated that the IPs behind the hostname could change at any time.
We've got our own DNS servers and I thought it would just be a case of configuring the FWSM to use them. Back to the drawing board ;o)
05-17-2011 03:57 AM
Just for anyone that's interested: I've been advised by Cisco that DNS FQDN support in ACLs is not part of the FWSM feature roadmap but apparently will be a future feature of the new ASA Service Module (a Cat6k blade, like the FWSM). More info on the ASA-SM is available here: Product page - http://www.cisco.com/en/US/products/ps11621/index.html
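For reference, this is what the feature the thread is waiting for looks like on ASA software 8.4(2) and later, which the ASA Service Module runs. It is an added example, not configuration from the thread or from Cisco's documentation, and it does not apply to the FWSM; the object and ACL names (MS_SERVICE_FQDN, INSIDE_OUT), the DNS server addresses and the hostname are placeholders:

```cisco
! Added example for ASA 8.4(2)+ / ASA-SM, not for FWSM. Names and addresses are placeholders.
! The firewall must resolve the name itself, so point it at the internal resolvers.
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.1.1.53
 name-server 10.1.1.54
!
! Re-resolve the name regularly so the ACL tracks address changes.
dns expire-entry-timer minutes 1
dns poll-timer minutes 1
!
! A network object backed by a hostname instead of a fixed address or range.
object network MS_SERVICE_FQDN
 fqdn v4 service.example.com
!
! The ACL references the object; the firewall expands it to whatever addresses it last resolved.
access-list INSIDE_OUT extended permit tcp any object MS_SERVICE_FQDN eq https
access-list INSIDE_OUT extended deny ip any any log
access-group INSIDE_OUT in interface inside
!
! Verification: which addresses the firewall currently holds for the name,
! and how the ACL line has been expanded.
show dns
show access-list INSIDE_OUT
```

The caveat that bites in practice: the firewall and the client resolve the name independently. If the service answers DNS queries with a rotating or geographically varying set of addresses, a client may connect to an address the firewall has not yet seen in its own answer, and the connection is dropped intermittently. Pointing both the firewall and the clients at the same internal resolvers, and keeping the expire and poll timers short, reduces but does not eliminate that window.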