Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1240
Views
0
Helpful
1
Replies

Dynamic object-group update - ASA

mbaker33
Level 1
Level 1

‎05-09-2018 07:13 AM - edited ‎02-21-2020 07:44 AM

I am working on a project where an ACL will have a set of revolving IPs (not often, but from time to time a new node will be added/removed in a cluster that needs access into my network) and I have been provided with a URL to an XML document containing these IPs.  

 

I can write a script that will allow me to check if the XML is updated and alert me to that, however, if this occurs at 2 am, there is little chance that I am aware until the morning comes.  I am hoping there is a way to be more proactive, and allow the ASA to monitor this URL and update the object-group accordingly.

 

Any guidance would be appreciated.

 

Thanks,

 

Mark

Labels:
0 Helpful
1 Reply 1

Florin Barhala
Level 6
Level 6

‎05-10-2018 01:09 AM

Here're my thoughts:
- you add a firewall rule using FQDNs registered to your local DNS server; let's say you use now 5 IPs. You make sure you add more FQDNs in the firewall rule.
- then you bind the IP to the FQDNs and whenever the IP changes you just update the DNS server then ASA will grant access without you needing to update ASA config.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card