FWSM and ASA use of FQDN in ACL cached/real time lookup?

gspadden
Level 1

I just learned that I can use a Fully Qualified Domain Name instead of just an IP address or address/netmask in an ACL in the FWSM and ASA products, but I would like to know the details of this feature.

Does the lookup happen once and then all the IP addresses are inserted into the ACL at compile time, which would mean the DNS list of name to IP address could get old? Or does the firewall cache the answer and use it for a time period and then refresh, so the ACL has a more up-to-date list of name to IP addresses?


August Ritchie
Level 1

As far as I know the only way for the ASA to block domain names is to use regular expressions. It looks in the HTTP header for the domain name and depending on the parameters will block or deny the traffic. This is done via adjusting the HTTP inspect. The regular expression is checked every time a new flow is created, so no ACLs are updated. Here is an example.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

Perhaps the FWSM acts differently though.

I am actually interested in the following:

access-list 101 permit ip any host host.domain.com

Is this possible, and if so when does the DNS lookup happen?  Runtime, compile time? Every packet through the firewall?

A bit of a thread I found:

https://supportforums.cisco.com/thread/206055.pdf;jsessionid=06A631EC6DC6A65BCF1FB17E4305670A.node0

As far as the ASA is concerned, this configuration is not possible.

Unfortunately, neither the ASA nor the FWSM can use domains in an ACL.

You can block HTTP to certain pages with http inspection as August said, but not using an ACL with domain name.

I hope it is clear now.

PK

Magnus Mortensen
Cisco Employee

Greg,

Any hostnames in the ACLs are only referred to when the configuration line is created. As pkampana noted, we can do a lot of things with the HTTP inspection engine on the ASA platform. Using some advanced regex expressions you can create a rudimentary URL filtering solution, but at a slight cost to HTTP performance (regex processing takes a lot of processing power, ya know). If you would like to know more about the different functions you can do with HTTP on the ASA platform, I encourage you to check out the TAC Security Podcast at http://www.cisco.com/go/tacsecuritypodcast. In Episode 13, which should be up in the very near future, we discuss different advanced HTTP traffic filtering and inspection options that you can use on the ASA platform.

- Magnus
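Added illustration, not part of the thread and not Cisco code: a small Python model of the two behaviours the original post asks about, the resolve-once-when-the-line-is-entered rule Magnus describes and a hypothetical TTL-cached alternative. The hostname, addresses and timings are constructed; the point is that the compile-time entry keeps permitting the old address after the DNS record changes and never matches the new one.

```python
# Constructed DNS history for a made-up name: the record changes at t=600s.
DNS_HISTORY = {"host.domain.com": [(0, "203.0.113.10"), (600, "203.0.113.20")]}


def resolve(name, now):
    """Address that a lookup at simulated time `now` would return."""
    return [ip for since, ip in DNS_HISTORY[name] if now >= since][-1]


class CompileTimeAce:
    """Model of the ASA behaviour described in the thread: the hostname is
    resolved once, when the ACL line is entered, and never looked at again."""
    def __init__(self, name, created_at):
        self.ip = resolve(name, created_at)

    def permits(self, dst_ip, now):
        return dst_ip == self.ip


class TtlCachedAce:
    """Hypothetical alternative the poster asks about: the answer is cached
    and re-resolved once its TTL has expired."""
    def __init__(self, name, ttl, created_at):
        self.name, self.ttl = name, ttl
        self._refresh(created_at)

    def _refresh(self, now):
        self.ip = resolve(self.name, now)
        self.expires_at = now + self.ttl

    def permits(self, dst_ip, now):
        if now >= self.expires_at:
            self._refresh(now)
        return dst_ip == self.ip


def simulate(times, ttl=300):
    """For each time (ascending), does each entry still match the host's
    *current* address?  Returns {time: (compile_time_ok, ttl_cached_ok)}."""
    static = CompileTimeAce("host.domain.com", created_at=0)
    cached = TtlCachedAce("host.domain.com", ttl=ttl, created_at=0)
    out = {}
    for now in times:
        current = resolve("host.domain.com", now)
        out[now] = (static.permits(current, now), cached.permits(current, now))
    return out


if __name__ == "__main__":
    for t, (s, c) in simulate([0, 599, 600, 899, 900]).items():
        print(f"t={t:4d}s  compile-time matches: {str(s):5}  TTL-cached matches: {c}")
```

Note that even the TTL-cached entry is stale between the DNS change and its next refresh (t=600 to t=899 here), so neither model gives a per-packet lookup.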
