My goal is to configure Cisco IOS to act as a filter for what website destinations will and will not be accessible by internal clients.
The problem is that when entering an extended access list using a hostname you get the following:
CZX800#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CZX800(config)#ip access-list extended WHITELIST
CZX800(config-ext-nacl)#permit ip 10.200.200.0 0.0.0.255 host www.mysimon.com
Translating "www.mysimon.com"...domain server (255.255.255.255) [OK]
DNS translates the name to an IP address.
Then, if I show my config, you can see the following lines:
ip access-list extended WHITELIST
permit ip 10.200.200.0 0.0.0.255 host 64.30.224.38
IOS converted the hostname to a permanent static IP.
The problem is that many websites have changing IP addresses, especially those of large national businesses. If the IP address were to change, the above ACL would not allow access to their website.
I have several clients who do not want open internet access at certain sites (an increasing trend), but they want the users to have access to a specified list of resources on the internet. I also have a client who has asked me to implement parental control, so that by default only certain websites would be accessible from a specified VLAN, while on other VLANs the internet is wide open.
I am currently using DD-WRT for this solution. The Linux firmware does a DNS lookup when the firewall script is run. If any IP addresses have changed, they are updated at this point. I am able to set cron to do these updates frequently. This solution actually works very well, but I hate to rely on Linksys routers and DD-WRT firmware, which may or may not be secure depending on the build and the builder! I would like the exact same results using Cisco IOS.
Any help or ideas would be appreciated.
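The DD-WRT approach described in the post (re-resolve the hostnames on a schedule and rewrite the rules) can be reproduced for IOS by generating the extended ACL text off-box. The script below is an added example, not from the post or from Cisco: it resolves each whitelisted hostname, renders the WHITELIST ACL for the inside subnet 10.200.200.0/24 named in the post, and reports which host entries a cron run would have to add or remove. The explicit trailing deny with logging, the remark lines and the function names are assumptions of this example.

```python
import socket
import sys
from typing import Callable, Dict, Iterable, List, Set

# WHITELIST and the inside subnet come from the post; everything else is assumed.
ACL_NAME = "WHITELIST"
INSIDE_NET = "10.200.200.0 0.0.0.255"

Resolver = Callable[[str], List[str]]


def resolve_ipv4(hostname: str) -> List[str]:
    """Live resolver: every IPv4 address currently published for the name, sorted.
    A round-robin name returns several; the IOS CLI keeps only one at config time."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def render_acl(hostnames: Iterable[str], resolver: Resolver = resolve_ipv4) -> List[str]:
    """Render the full IOS extended ACL for the current DNS answers. A remark
    records which hostname produced each permit, so 'show run' later still
    says why an address such as 64.30.224.38 is allowed."""
    lines = [f"ip access-list extended {ACL_NAME}"]
    for name in hostnames:
        try:
            addrs = resolver(name)
        except OSError:  # socket.gaierror is an OSError
            addrs = []
        if not addrs:
            # Fail closed: a name that does not resolve gets no permit, only a note.
            lines.append(f" remark {name}: no A record, nothing permitted")
            continue
        lines.append(f" remark {name} -> {' '.join(addrs)}")
        for addr in addrs:
            lines.append(f" permit ip {INSIDE_NET} host {addr}")
    lines.append(" deny ip any any log")  # assumed: make refused connections visible
    return lines


def permitted_hosts(acl: List[str]) -> Set[str]:
    return {line.split()[-1] for line in acl if line.strip().startswith("permit ")}


def address_changes(previous: List[str], current: List[str]) -> Dict[str, Set[str]]:
    """Host entries the scheduled run must add and remove; both empty means
    DNS has not moved and no config push is needed this cycle."""
    old, new = permitted_hosts(previous), permitted_hosts(current)
    return {"added": new - old, "removed": old - new}


if __name__ == "__main__":
    print("\n".join(render_acl(sys.argv[1:])))  # hostnames as arguments
```

Push the result incrementally (add the new permit lines, then remove the stale ones) rather than deleting and recreating the list: an IOS interface whose referenced ACL is missing or empty passes all traffic, so a delete-and-rebuild opens a brief window of unrestricted access.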