Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1135
Views
0
Helpful
4
Replies

FQDN ACL Issues

richard.priest
Level 1
Level 1

‎01-30-2020 02:02 PM

Hi,

 

I've a client that wants to restrict a FQDN address to only a few specific IP addresses, however a different FQDN (which sits on the exact same IP address), should be open to all.

 

I have my ASA (5508-x on 9.6(4)34) setup with a dns name-server and it can ping the hostnames as you'd expect.

 

the ACL's are set as follows in a test enviroment, I've sanitised the config:

access-list Test_Enviroment_access_in_1 line 1 extended deny tcp host 10.44.126.218 fqdn xxxxxxx.uk (resolved) eq https 0xab613664
access-list Test_Enviroment_access_in_1 line 1 extended deny tcp host 10.44.126.218 fqdn yyyyyyy.uk (resolved) eq https 0x3b6c2798
access-list Test_Enviroment_access_in_1 line 1 extended deny tcp host 10.44.126.218 fqdn zzzzzzz.uk (resolved) eq https 0x668d1461
access-list Test_Enviroment_access_in_1 line 2 extended permit tcp host 10.44.126.218 fqdn bbbbbb.nhs.uk (resolved) eq https 0x2dffa068

 

However when set like this my test PC is unable to access the site on the permitted statement, If I change the other deny statements to allow my traffic gets though.

 

Why isn't this working, I'm sure I've done something wrong but can't put a finger on what it is!!

 

Cheers

 

Richard

Labels:
0 Helpful
4 Replies 4

balaji.bandi
Hall of Fame
Hall of Fame

‎01-30-2020 08:35 PM

Caveats:  Multiple FQDN`s

As you will be aware multiple FQDN`s can reside on a single IP. Meaning that, though you may permit abc.com as xyz.com also resolves to the same IP. You are not only permitting access to abc.com but also xyz.com.

 

here is the reference  guide :

 

https://community.cisco.com/t5/security-documents/using-hostnames-dns-in-access-lists-configuration-steps-caveats/ta-p/3123480

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

richard.priest
Level 1
Level 1
In response to balaji.bandi

‎01-30-2020 11:29 PM

Ahh bugger, I guess for this sort of thing - specific subdomain blocking I'd need to utilise FirePower services.

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to richard.priest

‎02-01-2020 02:38 AM

sure, maybe good to have some regex-based access list

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Karsten Iwen
VIP
VIP

‎01-31-2020 12:41 AM

Just imagine that this feature does nothing more than translating a name to an IP and using this IP in the L3/L4 ACL. If you need more control you have to use a system that can look at the upper layers. Firepower is one option, using a proxy server is another.

0 Helpful
Top