cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1899
Views
0
Helpful
4
Replies

Extended access-list error using FQDN

michellp
Level 1
Level 1

Hi,

I'm trying to add an access-list rule to allow internal servers to connect an outside host on a asa 5540. The hostname translates to multiple ip's. Normally I just lookup the ip address or one of the ip's the hostname translates too and use that in the access-list as the host.

For some reason the actual ip's, which are a few, are not always available so using a specific ip sometimes does not work, thus the reason I have to use the hostname instead of the ip. I have 2 hostnames. www.hostname.com and subdomain.hostname.com.

This is how I normally add these rules (the ip addresses are fictive):

access-list internet_access extended permit tcp host 192.168.50.5 host 84.115.57.121 eq www log

When I try to add this using the hostname on our asa I get an error:

access-list internet_access extended permit tcp host 192.168.50.5 host www.hostname.com  ?
ERROR: % Unrecognized command

I've tried it without the 'www', so hostname.com but same error.

How can I solve this?

Thanks in advance for your time and help

Regards,

2 Accepted Solutions

Accepted Solutions

Hi,

As far I can remember and experienced Cisco ASA does not allow you to configure access-list using hostname , access-list can only have ip-address and ports.

HTH

Sent from Cisco Technical Support iPad App

View solution in original post

zulqurnain is correct, you cannot add a hostname to an ACL it has to be an IP address. The only way to filter traffic is by adding the IP address and ports of  hostename.com to the ACL.

View solution in original post

4 Replies 4

michellp
Level 1
Level 1

By the way, creating an object-group or network-object, gives the same result, error.

Hi,

As far I can remember and experienced Cisco ASA does not allow you to configure access-list using hostname , access-list can only have ip-address and ports.

HTH

Sent from Cisco Technical Support iPad App

@zulqurnain

Thanks for your reply. Indeed the asa does not allow me to use a hostname. The question is, how can I still make this work without going for 'any' or adding all the possible ip's it might translate too.

zulqurnain is correct, you cannot add a hostname to an ACL it has to be an IP address. The only way to filter traffic is by adding the IP address and ports of  hostename.com to the ACL.

Review Cisco Networking for a $25 gift card