11-07-2011 12:03 AM - edited 03-11-2019 02:46 PM
Hi,
I'm trying to add an access-list rule to allow internal servers to connect to an outside host on an ASA 5540. The hostname translates to multiple IPs. Normally I just look up the IP address, or one of the IPs the hostname translates to, and use that in the access-list as the host.
For some reason the actual IPs, which are a few, are not always available, so using a specific IP sometimes does not work, thus the reason I have to use the hostname instead of the IP. I have 2 hostnames: www.hostname.com and subdomain.hostname.com.
This is how I normally add these rules (the ip addresses are fictive):
access-list internet_access extended permit tcp host 192.168.50.5 host 84.115.57.121 eq www log
When I try to add this using the hostname on our asa I get an error:
access-list internet_access extended permit tcp host 192.168.50.5 host www.hostname.com ?
ERROR: % Unrecognized command
I've tried it without the 'www', so hostname.com but same error.
How can I solve this?
Thanks in advance for your time and help
Regards,
Labels: NGFW Firewalls
11-07-2011 12:18 AM
By the way, creating an object-group or network-object gives the same result: an error.
11-07-2011 02:48 AM
Hi,
As far as I can remember and have experienced, Cisco ASA does not allow you to configure an access-list using a hostname; an access-list can only have IP addresses and ports.
HTH
Sent from Cisco Technical Support iPad App
11-07-2011 04:31 AM
Thanks for your reply. Indeed the ASA does not allow me to use a hostname. The question is, how can I still make this work without going for 'any' or adding all the possible IPs it might translate to?
11-07-2011 12:45 PM
zulqurnain is correct, you cannot add a hostname to an ACL; it has to be an IP address. The only way to filter traffic is by adding the IP addresses and ports of hostname.com to the ACL.
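One way to put the accepted answer into practice (add the resolved addresses, never a hostname), as an added Python example that is not code from the thread: it turns a hostname-to-address mapping into an ASA object-group plus a single ACE, so the rule stays a tight allow-list instead of 'any', and emits the add/remove commands needed when the record set changes. The hostnames and addresses are constructed sample data, and `resolve_ipv4` is a live lookup that the sample does not call.

```python
"""Generate Cisco ASA object-group / access-list lines for the addresses a
hostname currently resolves to.  Added example, not code from the thread;
hostnames and addresses below are constructed (fictive) sample data."""
import socket
from typing import Dict, Iterable, List

# Constructed sample: the kind of multi-address A-record set the poster
# describes, including a duplicate to show de-duplication.
SAMPLE_RESOLUTION: Dict[str, List[str]] = {
    "www.hostname.com": ["84.115.57.122", "84.115.57.121", "84.115.57.121"],
    "subdomain.hostname.com": ["84.115.57.130"],
}


def resolve_ipv4(hostname: str) -> List[str]:
    """Live lookup of every IPv4 A record for hostname (needs network access)."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def _sort_key(ip: str):
    return tuple(int(octet) for octet in ip.split("."))


def unique_addresses(resolution: Dict[str, List[str]]) -> List[str]:
    """Flatten all resolved addresses into a sorted, duplicate-free list."""
    return sorted({ip for ips in resolution.values() for ip in ips}, key=_sort_key)


def build_asa_config(resolution: Dict[str, List[str]], group_name: str, src_host: str,
                     acl_name: str = "internet_access", port: str = "www") -> List[str]:
    """Emit an object-group holding the resolved hosts and one ACE that
    references it, so only the currently resolved addresses are permitted."""
    lines = [f"object-group network {group_name}",
             f" description {', '.join(sorted(resolution))}"]
    lines += [f" network-object host {ip}" for ip in unique_addresses(resolution)]
    lines.append(f"access-list {acl_name} extended permit tcp host {src_host} "
                 f"object-group {group_name} eq {port} log")
    return lines


def update_commands(current: Iterable[str], resolved: Iterable[str]) -> List[str]:
    """Object-group mode commands that remove stale addresses and add newly
    seen ones, for re-running whenever the record set changes."""
    cur, new = set(current), set(resolved)
    return ([f" no network-object host {ip}" for ip in sorted(cur - new, key=_sort_key)]
            + [f" network-object host {ip}" for ip in sorted(new - cur, key=_sort_key)])


if __name__ == "__main__":
    print("\n".join(build_asa_config(SAMPLE_RESOLUTION, "HOSTNAME_COM_SERVERS", "192.168.50.5")))
```

Re-run `update_commands` on a schedule against a fresh `resolve_ipv4` result so the group tracks the record set without ever widening to 'any'.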
