07-23-2010 10:53 AM - edited 03-11-2019 11:15 AM
I just learned that I can use a Fully Qualified Domain Name instead of just an IP address or address/netmask in an ACL in the FWSM and ASA product, but I would like to know the details of this feature.
Does the lookup happen once, with all the IP addresses then inserted into the ACL at compile time, which would mean the DNS list of name-to-IP-address mappings could get old? Or does the firewall cache the answer, use it for a time period and then refresh, so the ACL has a more up-to-date list of name-to-IP-address mappings?
07-23-2010 11:54 AM
As far as I know, the only way for the ASA to block domain names is to use regular expressions. It looks in the HTTP header for the domain name and, depending on the parameters, will block or deny the traffic. This is done by adjusting the HTTP inspect. The regular expression is checked every time a new flow is created, so no ACLs are updated. Here is an example.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml
Perhaps the FWSM acts differently though.
07-23-2010 11:59 AM
I am actually interested in the following:
```
access-list 101 permit ip any host host.domain.com
```
Is this possible, and if so when does the DNS lookup happen? Runtime, compile time? Every packet through the firewall?
A bit of a thread I found:
https://supportforums.cisco.com/thread/206055.pdf;jsessionid=06A631EC6DC6A65BCF1FB17E4305670A.node0
07-23-2010 12:03 PM
As far as the ASA is concerned, this configuration is not possible.
07-23-2010 06:02 PM
Unfortunately, neither the ASA nor the FWSM can use domains in an ACL.
You can block HTTP to certain pages with http inspection as August said, but not using an ACL with domain name.
I hope it is clear now.
PK
07-23-2010 06:08 PM
Greg,
Any hostnames in the ACLs are only referred to when the configuration line is created. As pkampana noted, we can do a lot of things with the HTTP inspection engine on the ASA platform. Using some advanced regex expressions you can create a rudimentary URL filtering solution, but at a slight cost to HTTP performance (regex processing takes a lot of processing power, ya know). If you would like to know more about the different functions you can do with HTTP on the ASA platform, I encourage you to check out the TAC Security Podcast at http://www.cisco.com/go/tacsecuritypodcast. In Episode 13, which should be up in the very near future, we discuss different advanced HTTP traffic filtering and inspection options that you can use on the ASA platform.
- Magnus
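The HTTP-inspection regex approach that August and Magnus describe above, written out as an ASA Modular Policy Framework configuration. This is an added example, not configuration posted in the thread or taken from the linked Cisco document; the regex name, class-map and policy-map names, and the example.com host are assumptions chosen for illustration. It matches the Host header of cleartext HTTP requests against a regex and resets the connection when it matches:

```cisco
regex BLOCKED_HOST_EXAMPLE "example\.com"

class-map type regex match-any BLOCKED_HOSTS
 match regex BLOCKED_HOST_EXAMPLE

class-map type inspect http match-all BLOCKED_HTTP_REQUESTS
 match request header host regex class BLOCKED_HOSTS

policy-map type inspect http HTTP_HOST_FILTER
 parameters
  protocol-violation action drop-connection
 class BLOCKED_HTTP_REQUESTS
  reset log

policy-map global_policy
 class inspection_default
  inspect http HTTP_HOST_FILTER

service-policy global_policy global
```

Three caveats a practitioner should keep in mind, all following from how the mechanism works rather than from anything specific to this example. First, the match is a substring regex on the Host header at flow creation, not a DNS lookup: the firewall never resolves example.com, so this does not answer the original question about lookup timing, and as written the pattern also matches any host name that contains `example.com` (a `www.` prefix, or an unrelated domain ending in those characters). Second, it only sees the Host header of unencrypted HTTP carried on the ports that `inspection_default` feeds into the `inspect http` engine; an HTTPS request carries its Host header inside TLS and is not examined. Third, the Host header is supplied by the client, so this is a policy control for cooperative browsers, not a boundary a determined user cannot step around. Hit counts for the class can be checked with `show service-policy inspect http`.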