Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2406
Views
0
Helpful
8
Replies

FQDN access in ASA 5545

AnjaliRawat0713
Level 1
Level 1

‎11-01-2019 05:39 AM

We want to allow few clients machines to be able to connect directly to various subdomains (For eg :- xzy.com )

We need the firewall to allow clients to be able to connect to *.xzy.com domains names (rather than by IP address).
Is it possible in ASA 5545 version 9.1(7)4 

 

 

Labels:
0 Helpful
8 Replies 8

balaji.bandi
Hall of Fame
Hall of Fame

‎11-01-2019 06:13 AM

here is the good document to start with  :

 

https://community.cisco.com/t5/security-documents/using-hostnames-dns-in-access-lists-configuration-steps-caveats/ta-p/3123480

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

AnjaliRawat0713
Level 1
Level 1
In response to balaji.bandi

‎11-03-2019 11:21 PM

Thank you for the response .

0 Helpful

AnjaliRawat0713
Level 1
Level 1
In response to balaji.bandi

‎11-05-2019 06:18 AM



The traffic flow I am looking is something below . Can you suggest regarding the NAT configuration when the DNS would resolve to different public IPs.


Client machine (multiple subnet) --> accessing FQDN (URL ) --> DNS would resolve those url's to public IP . 

 

0 Helpful

rdz586
Level 1
Level 1

‎11-05-2019 05:37 AM

Hi Anjali,

 

I am pretty sure that ASA's cannot do wildcard FQDN's and you would have to add each FQDN into an object-group separately.

 

If the destination network has a list of static public IP addresses that it uses then you could permit the IP address range instead.

0 Helpful

AnjaliRawat0713
Level 1
Level 1
In response to rdz586

‎11-05-2019 06:17 AM

Thankyou rdz586 for replying.

Yes wildcard is not supported. I need to define the FQDN into object group separately. The traffic flow I am looking is something below . Can you suggest regarding the NAT configuration when the DNS would resolve to different public IPs.


Client machine (multiple subnet) --> accessing FQDN (URL ) --> DNS would resolve those url's to public IP . 

 

 

0 Helpful

rdz586
Level 1
Level 1
In response to AnjaliRawat0713

‎11-05-2019 06:50 AM

I assume you do not have a default NAT rule and you only NAT the traffic which is allowed by your access rules.

 

You can use the object-group with the FQDN to NAT the taffic:-

 

nat (INSIDE,OUTSIDE) source static Source_Group interface destination static FQDN_Group FQDN_Group service Port_Group Port_Group

 

The ports are optional if you only wanted certain traffic to be NAT'd out to the internet.

 

Hopefully I have understood your need and this helps out, please let me know if not.

0 Helpful

AnjaliRawat0713
Level 1
Level 1
In response to rdz586

‎11-05-2019 11:23 PM

Thankyou rdz586 for the quick response.
We can onfigure FQDNs inside the objects but can't use them in a nat configuration, the ASA won't let you do it. It will even tell you that it's not supported .


Also regarding NAT part , dynamic PAT is being used for the inside interface.

 

object network inside_net_a.b.c.d
nat (inside,outside) dynamic interface 

Can you now please suggest about the configuration part now. 



0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to AnjaliRawat0713

‎11-05-2019 12:14 PM

yes you need to have DNS server to resolve basic start with for FQDN to work, yes *.bb.com not going to work. you need to have cisco.bb.com for resolution.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card