Access-list on using DNS domain name instead of IP?
04-20-2007 08:30 AM - edited 03-03-2019 04:38 PM
Hi, can you help me with this one?
Imagine I need to let a couple of Symantec security appliances (internal network) communicate on port 443 TCP to domains listed below. In my experience, I should do this based on the respective domain names (as shown below, since IP addresses change without warning).
Can someone tell me what should I consider in order to do access-lists based on domain name? Is the below correct:
#access-list 101 permit tcp <ip_address_appliance> 0.0.0.0 swupdate.brightmail.com eq 443
swupdate.brightmail.com
register.brightmail.com
aztec.brightmail.com
Labels: Other Routing
04-20-2007 08:40 AM
You can create ACLs with DNS names. You can do it with static names. For example:
name swupdate.brightmail.com 216.250.16.26
Then the following would work until brightmail changed the IP.
access-list 101 permit tcp
HTH and please rate.
04-20-2007 08:59 AM
Hmmm... is this considered a limitation of Cisco IOS? I mean, isn't it bad that there is no way for the router to resolve swupdate.brightmail.com on its own?
Just curious. I configured this before on other firewall appliances; if I recall correctly, I was able to input the DNS domain names without needing to hardcode the IP address.
Also, what happens if I have 2 or more IP addresses associated with 'swupdate.brightmail.com'? For example, should I just do the following?
#name swupdate.brightmail.com 216.250.16.26
#name swupdate.brightmail.com 216.250.16.27
Thanks a lot for your help!
04-20-2007 09:17 AM
First off, I assumed you had a PIX, so the name command is incorrect! In IOS you can create an IP host, but I don't think you can use that name in an ACL. I agree that it should be able to do it, but for some reason Cisco doesn't think it's important. In a PIX, if you try to use the same name twice it kicks back an error saying the name is already in use. On IOS, it replaces the first one with the second one (no error).
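An added example, not from the thread and not Cisco's code, that carries the workaround described in the two replies above to its practical conclusion: since an IOS ACL only takes addresses, resolve the names off the router, emit one `host` entry per A record (which answers the question about a name with two or more addresses), and report which permit entries changed between runs so the ACL can be refreshed when the addresses move. The appliance address 192.0.2.10, the addresses in SAMPLE_RESOLUTION and all function names are my assumptions; the hostnames are the ones from the original post.

```python
"""Build IOS access-list entries for DNS-named HTTPS destinations.

Added example for the thread above; not Cisco's code. IOS ACLs accept only
addresses, so the practical workaround is to resolve the names off-box,
emit one `host` entry per A record, and re-run the script when the
records change.
"""
import ipaddress
import socket
from typing import Dict, List, Tuple


def resolve_names(hostnames: List[str]) -> Dict[str, List[str]]:
    """Resolve each name to all of its IPv4 A records using the local resolver.

    Needs network access; the constructed SAMPLE_RESOLUTION below stands in
    for its result so the rest of the file runs offline.
    """
    resolved: Dict[str, List[str]] = {}
    for name in hostnames:
        records = socket.getaddrinfo(name, 443, socket.AF_INET, socket.SOCK_STREAM)
        resolved[name] = sorted({entry[4][0] for entry in records})
    return resolved


# Constructed sample data standing in for a real resolve_names() result.
# The addresses are made up (assumption); the hostnames are from the thread.
SAMPLE_RESOLUTION: Dict[str, List[str]] = {
    "swupdate.brightmail.com": ["216.250.16.26", "216.250.16.27"],
    "register.brightmail.com": ["216.250.16.30"],
    "aztec.brightmail.com": ["216.250.16.30", "216.250.16.40"],  # shares an address
}


def build_acl(acl_number: int, appliance_ip: str,
              resolution: Dict[str, List[str]], port: int = 443) -> List[str]:
    """Return IOS access-list lines, one permit per distinct destination address.

    Two names resolving to the same address produce a single permit entry,
    preceded by a remark that lists every name mapped to that address.
    """
    ipaddress.IPv4Address(appliance_ip)  # fail early on a typo in the source address
    names_by_addr: Dict[str, List[str]] = {}
    for name, addrs in resolution.items():
        for addr in addrs:
            ipaddress.IPv4Address(addr)  # reject anything that is not a valid IPv4 address
            names_by_addr.setdefault(addr, []).append(name)

    lines: List[str] = []
    for addr in sorted(names_by_addr, key=ipaddress.IPv4Address):
        names = ", ".join(sorted(names_by_addr[addr]))
        lines.append(f"access-list {acl_number} remark {names}")
        lines.append(
            f"access-list {acl_number} permit tcp host {appliance_ip} host {addr} eq {port}"
        )
    return lines


def acl_changes(old: List[str], new: List[str]) -> Tuple[List[str], List[str]]:
    """Return (added, removed) permit entries between two generated ACLs.

    Remarks are ignored so that a change in which names share an address
    does not look like a policy change.
    """
    old_permits = {line for line in old if " permit " in line}
    new_permits = {line for line in new if " permit " in line}
    return sorted(new_permits - old_permits), sorted(old_permits - new_permits)


if __name__ == "__main__":
    acl = build_acl(101, "192.0.2.10", SAMPLE_RESOLUTION)
    print("\n".join(acl))
    # Simulate swupdate.brightmail.com moving to a new address on the next run.
    later = dict(SAMPLE_RESOLUTION, **{"swupdate.brightmail.com": ["216.250.16.28"]})
    added, removed = acl_changes(acl, build_acl(101, "192.0.2.10", later))
    print("added:", added)
    print("removed:", removed)
```

In practice the script runs from cron, feeds the output of resolve_names() into build_acl(), and pushes the result only when acl_changes() reports a difference; the remark lines keep the name-to-address mapping visible in the running config, which is the part the PIX `name` command gave for free.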
04-20-2007 09:55 PM
You guys are ruling. Thanks Much !!
