900 Views · 0 Helpful · 3 Replies

Can you use hostnames in FWSM ACLs to be resolved by DNS instead of fixed IPs?

bgfl-tech
Level 1

Hi,

Hopefully a simple question "can you use hostnames in FWSM ACLs to be resolved by DNS instead of fixed IPs?", i.e. for internet-based resources where the global IP is subject to change without notice?

If so, can anyone point me in the direction of a configuration example?

Thanks in advance

Matthew (bgfl-tech)

1 Accepted Solution

Accepted Solutions

barry
Level 7

Hi Matthew

Sorry.. no you can't do this directly without the use of a 3rd party plugin such as Websense.

There is a sort of workaround using regular expressions coupled to a service policy, but it's pretty unfriendly to configure, and pretty easy to circumvent. Regular expressions are case sensitive, meaning that you need to define each combination of lower and upper case characters in a URL for this to match all possible options.

let me know if you want an example of this.

HTH. Barry


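Barry's regex workaround hinges on the firewall's regex matching being case sensitive. The snippet below is an added illustration, not Barry's configuration or Cisco's code: it builds the per-character `[Ww]` style pattern for a hostname (the hostname `www.example.com` and the Host header values are constructed samples) and checks it with Python's `re` module, so you can see that one pattern covers every case combination without listing them all, and that anchoring keeps look-alike hostnames from matching.

```python
import re


def case_insensitive_regex(hostname: str) -> str:
    """Expand `hostname` into a regex that matches it in any letter case.

    Each letter becomes a two-character class such as [Ww], so a single
    pattern replaces the 2**n explicit upper/lower variants.  Dots are
    regex metacharacters and are escaped so they only match a literal dot.
    Digits and hyphens (the only other characters valid in a hostname)
    are literal and are copied through unchanged.
    """
    parts = []
    for ch in hostname:
        if ch.isalpha():
            parts.append(f"[{ch.upper()}{ch.lower()}]")
        elif ch == ".":
            parts.append(r"\.")
        else:
            parts.append(ch)
    return "".join(parts)


def explicit_variant_count(hostname: str) -> int:
    """Number of distinct case spellings the pattern above covers."""
    return 2 ** sum(1 for ch in hostname if ch.isalpha())


def matches_host(pattern: str, host_header: str) -> bool:
    """Check a constructed HTTP Host header value against the pattern.

    The header may carry a port ("host:8080"), which is stripped first.
    fullmatch() anchors both ends, so "www.example.com.evil.test" or
    "notwww.example.com" are not accepted as matches.
    """
    host = host_header.split(":", 1)[0]
    return re.fullmatch(pattern, host) is not None


if __name__ == "__main__":
    pattern = case_insensitive_regex("www.example.com")
    print(pattern)
    print(explicit_variant_count("www.example.com"), "explicit variants avoided")
    for value in ("WWW.Example.COM", "www.example.com:8080", "www.example.com.evil.test"):
        print(f"{value!r}: {matches_host(pattern, value)}")
```

Note that this only checks text in an HTTP request header, not where the packets actually go, which is why Barry calls it easy to circumvent compared with an IP-based ACL.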
3 Replies


Hi Barry,

Thank you for your reply. I think I'm correct that the Websense and N2H2 FWSM support is for URL filtering at a firewall level(?). I'm just looking to be able to use an external hostname in an access-list instead of having to reference a large external network range, as the maintainer of the external service (Microsoft in this instance) can't provide a specific global IP address (or even several specific IP addresses) and has stated that the IPs behind the hostname could change at any time.

We've got our own DNS servers and I thought it would just be a case of configuring the FWSM to use them. Back to the drawing board ;o)

Just for anyone that's interested: I've been advised by Cisco that DNS FQDN support in ACLs is not part of the FWSM feature roadmap but apparently will be a future feature of the new ASA Service Module (Cat6k blade like FWSM). More info on the ASA-SM is available here: Product page - http://www.cisco.com/en/US/products/ps11621/index.html
