Permitting traffic from entire domain

KBCISCO
Level 1

Hi, on an ASA, is it possible to permit traffic from the domain name rather than the IP subnet? For example, say I wanted to permit all SMTP traffic from Cisco.com to a server on my DMZ. Can this be done and if so how?

Thanks

Accepted Solutions

Julio Carvajal
VIP Alumni

Hello Kristopher,

If you have 8.4(2) you can configure that using a new object in the ACL; this object is going to be an fqdn. This is a new feature. Actually, here is a document that will explain to you how to perform this:

https://supportforums.cisco.com/docs/DOC-17014

I hope this helps you.

Best Regards

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks Julio,

Do you know if there is a way to do this with earlier versions? Is it possible to create a regex for the domain and then inspect the inbound traffic and apply the access-list to all traffic that matches that domain?

Hello Kristopher,

Unfortunately, this is a new implementation, a new feature that is available from version 8.4(2), so you are going to be able to use it on that version and prior.

About the regex and inspection for the ACLs, no, that is not possible. The only way to perform this action is with the FQDN.

Please let me know if you have any other questions; if not, please mark this question as answered.

Hope you have a great day.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
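
The FQDN object mentioned in the accepted answer, sketched as an added ASA configuration example (not taken from the thread or the linked document). The addresses, host name, object name, ACL name and the interface name `outside` are constructed assumptions.

```cisco
! Added example for ASA 8.4(2) or later. Constructed values:
!   192.0.2.53        DNS resolver the ASA queries
!   mail.example.com  sending mail host to be permitted
!   198.51.100.25     real address of the DMZ mail server
!   outside           name of the ingress interface

! The ASA resolves the name itself, so it needs DNS lookups enabled
! and a resolver it can reach. The ACL is only as trustworthy as the
! answers this resolver returns.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.0.2.53

! An FQDN object resolves one host name to its current addresses.
! It does not cover every host in a domain: each sending host name
! that should be permitted needs its own object.
object network OBJ-SENDER-MAIL
 fqdn v4 mail.example.com

! Permit SMTP from the resolved addresses to the DMZ server only.
access-list OUTSIDE-IN extended permit tcp object OBJ-SENDER-MAIL host 198.51.100.25 eq smtp
access-group OUTSIDE-IN in interface outside

! Check which addresses the object currently expands to.
show access-list OUTSIDE-IN
```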