09-06-2021 07:20 PM
Hello,
I have an ASA 5520 with the configuration below:
fw-ntr-inside/pri/act# sh running-config dns
DNS server-group DefaultDNS
domain-name alliumfr.corp.priv
object network www.microsoft.com
fqdn www.microsoft.com
and the access list for my DMZ:
access-list FRNTRINS-VLAN714-Geode-Test_access_in line 2 extended permit tcp object FRNTRINS-VLAN714-Geode-Test object www.microsoft.com eq 443
When I run the command show access-list FRNTRINS-VLAN714-Geode-Test_access_in, this is the result:
access-list FRNTRINS-VLAN714-Geode-Test_access_in line 2 extended permit tcp 10.192.6.32 255.255.255.240 fqdn www.microsoft.com (unresolved) eq https (inactive) .
Could you guide me on how to fix it?
Thanks so much.
Regards!
09-07-2021 12:05 AM
Did you apply the ACL on the interface? Do you have access-group FRNTRINS-VLAN714-Geode-Test_access_in in interface dmz? If you did not apply the ACL on the interface, it will be unresolved/inactive.
Make sure your ASA DNS is configured properly and can resolve www.microsoft.com.
Hope that helps!
09-07-2021 12:32 AM
Hi @hoaithanhdo,
The way an FQDN object works is that the ASA needs to resolve this FQDN, and it creates a dynamic firewall opening for the resolved IP. It is very tricky to use FQDN objects, as there are caveats around them, but the prerequisite is that you need to have a working DNS configuration on the ASA, and most often your ASA and your hosts must use the same DNS servers (in order to resolve the FQDN to the same IP). For this, you are missing the DNS configuration on the ASA, something like:
dns server-group DefaultDNS
name-server 192.168.15.15 --- your DNS servers assigned to DMZ servers also
name-server 172.16.20.20
dns domain-lookup inside --- interface through which you are reaching these DNS servers
BR,
Milos
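The two replies above describe the same checklist for an FQDN object that shows as "(unresolved)" and "(inactive)": the ASA needs name-servers, a dns domain-lookup interface, and the ACL must actually be applied with access-group. As an added example (not code from the thread or from Cisco), here is a small Python audit that parses an ASA running-config excerpt and reports which of those prerequisites are missing for every FQDN object referenced by an ACL. The two config snippets are constructed to mirror the thread (the "broken" one matches the original post, the "fixed" one adds what Milos and the first reply suggested), and the function names are my own.

```python
"""Audit an ASA running-config excerpt for FQDN objects that cannot resolve.

Added example for illustration; the config snippets below are constructed,
modelled on the forum thread, and are not real running-configs.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class AsaDnsAudit:
    fqdn_objects: dict = field(default_factory=dict)     # object name -> fqdn
    name_servers: list = field(default_factory=list)     # configured name-servers
    lookup_interfaces: list = field(default_factory=list)  # 'dns domain-lookup X'
    acl_object_refs: dict = field(default_factory=dict)  # acl name -> {object names}
    applied_acls: set = field(default_factory=set)       # ACLs bound with access-group


def parse_asa_config(text: str) -> AsaDnsAudit:
    """Pull out only the lines that matter for FQDN resolution."""
    audit = AsaDnsAudit()
    current_object = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"object network (\S+)$", line)
        if m:
            current_object = m.group(1)
            continue
        # ASA sub-commands are indented by one space; any top-level line ends the object block.
        if not raw.startswith(" "):
            current_object = None
        m = re.match(r"fqdn (?:v4 |v6 )?(\S+)$", line)
        if m and current_object:
            audit.fqdn_objects[current_object] = m.group(1)
            continue
        m = re.match(r"name-server (\S+)", line)
        if m:
            audit.name_servers.append(m.group(1))
            continue
        m = re.match(r"dns domain-lookup (\S+)$", line)
        if m:
            audit.lookup_interfaces.append(m.group(1))
            continue
        m = re.match(r"access-list (\S+) (?:line \d+ )?extended ", line)
        if m:
            refs = set(re.findall(r"\bobject (\S+)", line))  # 'object-group' does not match
            audit.acl_object_refs.setdefault(m.group(1), set()).update(refs)
            continue
        m = re.match(r"access-group (\S+) (?:in|out) interface (\S+)$", line)
        if m:
            audit.applied_acls.add(m.group(1))
    return audit


def audit_fqdn_acls(text: str) -> list[str]:
    """One finding per FQDN object used in an ACL that will stay unresolved/inactive."""
    a = parse_asa_config(text)
    findings = []
    for acl, refs in a.acl_object_refs.items():
        for obj in sorted(refs):
            if obj not in a.fqdn_objects:
                continue  # plain subnet/host objects do not need DNS
            problems = []
            if not a.name_servers:
                problems.append("no name-server configured")
            if not a.lookup_interfaces:
                problems.append("no 'dns domain-lookup <interface>'")
            if acl not in a.applied_acls:
                problems.append("ACL not applied with access-group")
            if problems:
                findings.append(
                    f"{acl}: object {obj} ({a.fqdn_objects[obj]}) will stay "
                    "unresolved/inactive: " + "; ".join(problems)
                )
    return findings


# Constructed config modelled on the original post: DNS group exists but has no servers.
BROKEN_CONFIG = """
dns server-group DefaultDNS
 domain-name alliumfr.corp.priv
object network FRNTRINS-VLAN714-Geode-Test
 subnet 10.192.6.32 255.255.255.240
object network www.microsoft.com
 fqdn www.microsoft.com
access-list FRNTRINS-VLAN714-Geode-Test_access_in extended permit tcp object FRNTRINS-VLAN714-Geode-Test object www.microsoft.com eq 443
"""

# Constructed config with the additions suggested in the replies.
FIXED_CONFIG = """
dns server-group DefaultDNS
 name-server 192.168.15.15
 name-server 172.16.20.20
 domain-name alliumfr.corp.priv
dns domain-lookup inside
object network FRNTRINS-VLAN714-Geode-Test
 subnet 10.192.6.32 255.255.255.240
object network www.microsoft.com
 fqdn www.microsoft.com
access-list FRNTRINS-VLAN714-Geode-Test_access_in extended permit tcp object FRNTRINS-VLAN714-Geode-Test object www.microsoft.com eq 443
access-group FRNTRINS-VLAN714-Geode-Test_access_in in interface dmz
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_fqdn_acls(cfg) or ["ok"])
```

Run it against the output of `show running-config` saved to a file to get the same checklist the replies walk through; the audit only reports the static prerequisites, so once they are in place you still confirm the actual resolution with `show dns` and a fresh `show access-list` on the ASA.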