FQDN Network Object on ASA-SM 8.5(1)

francoisverges (Level 1)

Hey everyone,

I have an ASA Services Module in a Catalyst switch with the 8.5(1) version installed, on which I am not able to create an FQDN network object:

ASA-SM(config)# object network www.cisco.com
ASA-SM(config-network-object)# ?
  description     Specify description text
  help            Help for network object configuration commands
  host            Enter this keyword to specify a single host object
  nat             Enable NAT on a singleton object
  no              Remove an object or description from object
  range           Enter this keyword to specify a range
  subnet          Enter this keyword to specify a subnet

I also have an ASA 5585 with the 8.4(2) IOS version installed, on which I am able to create this kind of object:

ASA-5585(config)# object network www.cisco.com
ASA-5585(config-network-object)# ?
  description     Specify description text
  fqdn            Enter this keyword to specify an FQDN
  help            Help for network object configuration commands
  host            Enter this keyword to specify a single host object
  nat             Enable NAT on a singleton object
  no              Remove an object or description from object
  range           Enter this keyword to specify a range
  subnet          Enter this keyword to specify a subnet

Is this kind of object not supported by this IOS 8.5(1) version? Is it going to be available in the next release?

Thank you very much!


Julio Carvajal (VIP Alumni)

Hello Francois,

Check the following link
http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn85.html#wp71365

New Features in Version 8.5(1)

Features added in 8.4(2) are not included in 8.5(1) unless they are explicitly listed in this table.

Table 3  New Features for ASA Version 8.5(1)

Hardware Features

Support for the ASA Services Module: We introduced support for the ASASM for the Cisco Catalyst 6500 E switch.

Firewall Features

Mixed firewall mode support in multiple context mode: You can set the firewall mode independently for each security context in multiple context mode, so some can run in transparent mode while others run in routed mode. We modified the following command: firewall transparent.

Interface Features

Automatic MAC address generation is now enabled by default in multiple context mode: Automatic generation of MAC addresses is now enabled by default in multiple context mode. We modified the following command: mac address auto.

NAT Features

Identity NAT configurable proxy ARP and route lookup: In earlier releases for identity NAT, proxy ARP was disabled, and a route lookup was always used to determine the egress interface. You could not configure these settings. In 8.4(2) and later, the default behavior for identity NAT was changed to match the behavior of other static NAT configurations: proxy ARP is enabled, and the NAT configuration determines the egress interface (if specified) by default. You can leave these settings as is, or you can enable or disable them discretely. Note that you can now also disable proxy ARP for regular static NAT.

For pre-8.3 configurations, the migration of NAT exempt rules (the nat 0 access-list command) to 8.4(2) and later now includes the following keywords to disable proxy ARP and to use a route lookup: no-proxy-arp and route-lookup. The unidirectional keyword that was used for migrating to 8.3(2) and 8.4(1) is no longer used for migration. When upgrading to 8.4(2) from 8.3(1), 8.3(2), and 8.4(1), all identity NAT configurations will now include the no-proxy-arp and route-lookup keywords, to maintain existing functionality. The unidirectional keyword is removed.

We modified the following commands: nat static [no-proxy-arp] [route-lookup] (object network) and nat source static [no-proxy-arp] [route-lookup] (global). Also available in Version 8.4(2).

PAT pool and round robin address assignment: You can now specify a pool of PAT addresses instead of a single address. You can also optionally enable round-robin assignment of PAT addresses instead of first using all ports on a PAT address before using the next address in the pool. These features help prevent a large number of connections from a single PAT address from appearing to be part of a DoS attack and make configuration of large numbers of PAT addresses easy.

Note: Currently in 8.5(1), the PAT pool feature is not available as a fallback method for dynamic NAT or PAT. You can only configure the PAT pool as the primary method for dynamic PAT (CSCtq20634).

We modified the following commands: nat dynamic [pat-pool mapped_object [round-robin]] (object network) and nat source dynamic [pat-pool mapped_object [round-robin]] (global). Also available in Version 8.4(2).

Switch Integration Features

Autostate: The switch supervisor engine can send autostate messages to the ASASM about the status of physical interfaces associated with ASA VLANs. For example, when all physical interfaces associated with a VLAN go down, the autostate message tells the ASA that the VLAN is down. This information lets the ASA declare the VLAN as down, bypassing the interface monitoring tests normally required for determining which side suffered a link failure. Autostate messaging provides a dramatic improvement in the time the ASA takes to detect a link failure (a few milliseconds as compared to up to 45 seconds without autostate support).

Note: The switch supports autostate messaging only if you install a single ASA in the chassis. See the following Cisco IOS command: firewall autostate.

Virtual Switching System: The ASASM supports VSS when configured on the switches. No ASA configuration is required.

So the answer is no, it's not supported.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
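The two help outputs in the question show the concrete difference between the trains: the fqdn keyword is present under "object network" in 8.4(2) and absent in 8.5(1). The following is an added example, not code from this thread or from Cisco: a small Python audit that reads an ASA configuration and lists the objects and ACL lines that would have to change before the configuration could be loaded on a release without the fqdn keyword, such as ASA-SM 8.5(1). The sample configuration is constructed for this example; it uses the 8.4(2)+ fqdn object syntax together with the DNS settings an FQDN object needs in order to resolve (dns domain-lookup on an interface and a name-server in the DNS server group). Object names, addresses, interface and ACL names are assumptions.

```python
"""Audit an ASA configuration for FQDN network objects (added example).

Flags every 'object network' that uses the 'fqdn' keyword, the access-list
lines that depend on such objects, and whether DNS resolution is actually
configured (an FQDN object never matches traffic if the ASA cannot resolve it).
"""
import re

# Constructed sample configuration in 8.4(2)+ syntax; names and addresses are
# assumptions made for this example.
SAMPLE_CONFIG = """\
hostname ASA-5585
!
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.0.2.53
!
object network www.cisco.com
 fqdn www.cisco.com
object network updates-host
 fqdn v4 updates.example.net
object network inside-net
 subnet 10.0.0.0 255.255.255.0
object network dmz-web
 host 10.1.1.10
!
access-list OUTBOUND extended permit tcp object inside-net object www.cisco.com eq 443
access-list OUTBOUND extended permit tcp object inside-net object updates-host eq 443
access-list OUTBOUND extended deny ip any any
access-group OUTBOUND in interface inside
"""

OBJ_RE = re.compile(r"^object network (\S+)\s*$")
# 'fqdn [v4 | v6] name' inside an object block (indented sub-command)
FQDN_RE = re.compile(r"^\s+fqdn(?:\s+v[46])?\s+(\S+)\s*$")
DNS_LOOKUP_RE = re.compile(r"^dns domain-lookup (\S+)")
NAME_SERVER_RE = re.compile(r"^\s+name-server (\S+)")


def parse_fqdn_objects(config):
    """Return {object_name: fqdn} for every 'object network' that uses 'fqdn'."""
    objects = {}
    current = None
    for line in config.splitlines():
        m = OBJ_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue
        if not line.startswith(" "):
            current = None  # left the object block ('!' or another top-level command)
            continue
        m = FQDN_RE.match(line)
        if m:
            objects[current] = m.group(1)
    return objects


def dns_resolution_configured(config):
    """True if DNS lookup is enabled on an interface and a name-server is defined."""
    lines = config.splitlines()
    lookup = any(DNS_LOOKUP_RE.match(l) for l in lines)
    servers = any(NAME_SERVER_RE.match(l) for l in lines)
    return lookup and servers


def acl_lines_referencing(config, object_names):
    """Return access-list lines whose 'object NAME' tokens name one of object_names."""
    hits = []
    for line in config.splitlines():
        if not line.startswith("access-list "):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens[:-1]):
            if tok == "object" and tokens[i + 1] in object_names:
                hits.append(line)
                break
    return hits


def migration_warnings(config):
    """Lines that must change on a release lacking the fqdn keyword, plus a DNS check."""
    fqdn_objs = parse_fqdn_objects(config)
    warnings = []
    for name, fqdn in sorted(fqdn_objs.items()):
        warnings.append(f"object network {name}: 'fqdn {fqdn}' not supported on target")
    for line in acl_lines_referencing(config, set(fqdn_objs)):
        warnings.append(f"ACL depends on FQDN object: {line}")
    if fqdn_objs and not dns_resolution_configured(config):
        warnings.append("fqdn objects present but dns domain-lookup / name-server missing")
    return warnings


if __name__ == "__main__":
    for w in migration_warnings(SAMPLE_CONFIG):
        print(w)
```

Run it against the output of "show running-config" from the 8.4(2) box before copying anything to the ASA-SM; every line it reports would be rejected by the 8.5(1) parser, and the DNS check catches the common case where an FQDN object is accepted but silently never matches.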

Hey Julio,

Thank you for your answer. It is too bad. Do you know if Cisco is going to add this feature in the next 8.5(x) release?

I have seen that FQDN network objects were introduced in the 8.3(1) version: http://www.cisco.com/en/US/docs/security/asa/asa83/release/notes/asarn83.html#wp460665 (Table 7 - New Features for ASA Version 8.3(1))

Is it not supposed to be there in the 8.5(1) version?

Thank you!

Hello,

Actually the FQDN was added in 8.4.2, as you can see here:

https://supportforums.cisco.com/docs/DOC-17014

We have seen some cases regarding this particular request, so it will definitely be covered in the future.

Hope I could help.

Remember to rate all of the helpful posts (if you do not know how to rate a post, just go to each reply and at the bottom mark a star from 1 to 5, 1 being bad and 5 being a great answer).

Julio Carvajal

Thank you Julio,

I will definitely rate your answers!

Hello Francois,

My pleasure. If you do not need anything else, please mark the question as answered.

Regards,

Julio
