03-28-2022 12:40 AM
Dear Team,
FQDN ACLs on firewalls are great.
IOS XE seems to support them (there are also FQDN objects available), but every time I use an ACL with them it does not work.
Any input?
03-28-2022 02:17 AM
Check the thread below for hints:
https://community.cisco.com/t5/routing/acls-with-fqdn/td-p/1137431
03-28-2022 07:51 AM
Can you share the FQDN ACL?
03-28-2022 11:30 AM
Dear Team,
I am trying to have only the ntp.org pools used for the NTP sessions in my config.
object-group network DNS-ISP
description IPv4 ISP's Local DNS
host 10.19.140.1
!
object-group network DNS-UMBRELLA
description IPv4 Umbrella DNS
host 208.67.222.222
host 208.67.220.220
object-group network VALID-DNS
description Valid DNS servers
group-object DNS-UMBRELLA
group-object DNS-ISP
object-group fqdn NTP-POOL
description Valid NTP FQDN servers
pattern "gr\.pool\.ntp\.org"
pattern "nero\.grnet\.gr"
pattern "europe\.pool\.ntp\.org"
object-group service BOOTP
description BOOTP requests
udp eq bootpc
udp eq bootps
!
object-group service SSH
description SSH requests
tcp eq 22
!
object-group service DOMAIN
description DOMAIN requests
udp eq domain
tcp eq domain
!
object-group service NTP
description NTP requests
udp eq ntp
!
object-group service DENY-SERVICES
description Object is used to Deny Services
group-object BOOTP
group-object SSH
group-object DOMAIN
group-object NTP
object-group network Martian_prefixes
description All Martian and bogus prefixes
0.0.0.0 255.0.0.0
127.0.0.0 255.0.0.0
169.254.0.0 255.255.0.0
192.0.0.0 255.255.255.0
192.0.2.0 255.255.255.0
240.0.0.0 240.0.0.0
224.0.0.0 240.0.0.0
224.0.0.0 255.255.255.0
host 255.255.255.255
10.0.0.0 255.0.0.0
192.168.0.0 255.255.0.0
172.16.0.0 255.240.0.0
sh access-lists
Extended IP access list ACCL-IN
10 permit udp object-group VALID-DNS eq domain host 10.19.140.254
11 permit tcp object-group VALID-DNS eq domain host 10.19.140.254
30 permit udp fqdn-group NTP-POOL eq ntp any
40 deny object-group DENY-SERVICES any any
100 deny ip object-group Martian_prefixes any
99999 permit ip any any log-input
When this ACL is used on 17.7.X, I get an error message in the logs and the ACL is not applied.
Does anyone know if this is an SD-WAN-only feature?
Regards
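As an added illustration (this is not code from the thread, from the poster, or from Cisco), here is a small Python checker for configs in the form shown above. It parses object-group network/fqdn/service definitions, flattens nested group-object references (reporting undefined or cyclic ones), flags ACL lines that reference an undefined group or use object-group/fqdn-group with the wrong group type, and shows which hostnames each FQDN pattern would match under plain unanchored regex search. The unanchored-search semantics, the sample hostnames and the two extra ACL lines are assumptions constructed for the demo, not the documented behaviour of IOS XE; the point is to catch pattern and reference mistakes before pushing the ACL to a box, and to make visible that an unanchored pattern like gr\.pool\.ntp\.org also matches any longer name that contains it.

```python
import re

# Constructed sample: a trimmed copy of the object-group definitions from the
# thread plus a description line, used only to exercise the parser.
SAMPLE_CONFIG = r"""
object-group network DNS-ISP
 description IPv4 ISP's Local DNS
 host 10.19.140.1
!
object-group network DNS-UMBRELLA
 host 208.67.222.222
 host 208.67.220.220
object-group network VALID-DNS
 group-object DNS-UMBRELLA
 group-object DNS-ISP
object-group fqdn NTP-POOL
 pattern "gr\.pool\.ntp\.org"
 pattern "nero\.grnet\.gr"
 pattern "europe\.pool\.ntp\.org"
object-group service NTP
 udp eq ntp
"""

# Constructed ACL lines: the first two are from the thread, the last two are
# deliberately wrong (fqdn group used with object-group; undefined group).
SAMPLE_ACL = [
    "10 permit udp object-group VALID-DNS eq domain host 10.19.140.254",
    "30 permit udp fqdn-group NTP-POOL eq ntp any",
    "50 permit udp object-group NTP-POOL eq ntp any",
    "60 deny ip object-group MARTIANS any",
]

# Constructed hostnames to test the FQDN patterns against.
SAMPLE_HOSTS = [
    "0.gr.pool.ntp.org",
    "gr.pool.ntp.org",
    "europe.pool.ntp.org",
    "nero.grnet.gr",
    "gr.pool.ntp.org.example.net",   # longer name containing the pattern
    "time.example.net",
]

HEADER = re.compile(r"^object-group\s+(network|fqdn|service)\s+(\S+)\s*$")
ACL_REF = re.compile(r"\b(object-group|fqdn-group)\s+(\S+)")


def parse_object_groups(text):
    """Return {name: {"type", "members", "refs", "description"}} from config text.
    Member lines may be indented or flush-left (extraction often strips indent)."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = HEADER.match(line)
        if m:
            current = {"type": m.group(1), "members": [], "refs": []}
            groups[m.group(2)] = current
            continue
        if current is None:
            continue  # line outside any object-group block; ignore
        if line.startswith("description "):
            current["description"] = line[len("description "):]
        elif line.startswith("group-object "):
            current["refs"].append(line.split(None, 1)[1])
        elif line.startswith("pattern "):
            current["members"].append(line.split(None, 1)[1].strip('"'))
        else:
            current["members"].append(line)  # host/subnet/service entries
    return groups


def expand(groups, name, seen=None):
    """Flatten nested group-object references; raise on undefined or cyclic refs."""
    seen = set() if seen is None else seen
    if name not in groups:
        raise KeyError(f"undefined group-object reference: {name}")
    if name in seen:
        raise ValueError(f"cyclic group-object reference via {name}")
    out = list(groups[name]["members"])
    for ref in groups[name]["refs"]:
        out.extend(expand(groups, ref, seen | {name}))
    return out


def check_fqdn_patterns(groups, name, hostnames):
    """Map each pattern in an fqdn group to the hostnames it matches.
    Assumption: patterns are regexes searched anywhere in the name (unanchored);
    confirm the platform's actual semantics before relying on this."""
    result = {}
    for pat in expand(groups, name):
        rx = re.compile(pat)  # re.error here means the pattern itself is broken
        result[pat] = [h for h in hostnames if rx.search(h)]
    return result


def check_acl_references(groups, acl_lines):
    """Return (line, problem) pairs for undefined groups or keyword/type mismatches.
    Assumption: fqdn groups are referenced with fqdn-group, others with object-group."""
    problems = []
    for line in acl_lines:
        for keyword, name in ACL_REF.findall(line):
            g = groups.get(name)
            if g is None:
                problems.append((line, f"{name} is not defined"))
            elif keyword == "fqdn-group" and g["type"] != "fqdn":
                problems.append((line, f"{name} is a {g['type']} group, not fqdn"))
            elif keyword == "object-group" and g["type"] == "fqdn":
                problems.append((line, f"{name} is an fqdn group; use fqdn-group"))
    return problems


if __name__ == "__main__":
    groups = parse_object_groups(SAMPLE_CONFIG)
    print("VALID-DNS expands to:", expand(groups, "VALID-DNS"))
    for pat, hits in check_fqdn_patterns(groups, "NTP-POOL", SAMPLE_HOSTS).items():
        print(f"pattern {pat!r} matches {hits}")
    for line, problem in check_acl_references(groups, SAMPLE_ACL):
        print(f"ACL problem in {line!r}: {problem}")
```

Run it as a script to see the expansion, the per-pattern matches and the two flagged ACL lines; the over-broad match on the constructed name gr.pool.ntp.org.example.net is the kind of thing to tighten with anchors if the platform supports them.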