10-16-2008 12:07 PM - edited 03-06-2019 01:58 AM
Hello,
I have an ACL question. I'm trying to set up an ACL that will restrict 1 computer to accessing ONLY a website such as UPS.com. On doing an nslookup or Whois for ups.com I find www.ups.com answers to these IP addresses: 153.2.224.50 and 153.2.228.50.
However, browsing to UPS.com does not necessarily connect to these IP addresses. It seems UPS.com is using some load balancing feature where it (ups.com) could resolve to several different IPs hosted, it seems, by Akamai.
What is the best way to establish this lock down? Machine should only get to ups.com, however, UPS.com is not easily resolvable.
Thanks
Sky.
10-16-2008 12:16 PM
Hello Sky,
Have a look at this thread that treats ACLs using FQDNs instead of IP addresses.
Hope to help
Giuseppe
10-16-2008 01:18 PM
Thanks for your quick response. I'll check out the url.
Sky
10-17-2008 08:47 AM
Hello,
I looked at the URL and had a couple of follow-up questions.
I'm wondering how the ip domain lookup would work in my scenario. If the user requests www.ups.com, his computer will resolve the FQDN to whatever response the DNS server hands back, which could be different each time the user visits ups.com.
Even if I have enabled ip domain lookup and used the FQDN in the access list, how would this help my situation? If the router does a lookup for www.ups.com, the router too may get a different IP address for ups.com than the user.
Does the question make sense?