At the time of this post, I had limited exposure to ASA 9.2 code, particularly to using FQDN access-lists.

Essentially what you can do is create a network object with a Fully Qualified Domain Name (FQDN) nested inside it. You can create several of these and place them inside a single object-group to keep things tidy (and you should!).

Once an FQDN object is referenced in an access-list, the ASA resolves the name itself (it needs dns domain-lookup and a DNS server-group for this), expands the access-list entry into one line per A record returned, and re-resolves as those records expire, so the rule follows cloud services whose addresses change often. Keep in mind that the expanded entry still matches IP addresses, not names: anything else hosted on those addresses matches the same line, and if the ASA's resolver gets a different answer than the client's resolver (DNS round-robin, CDN steering), the client's traffic may not match the rule at all.
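The configuration below is an added example, not taken from the original post; the object names, interface names, the second hostname and the DNS server address are assumed. It walks through the pieces in order: enabling the ASA's own DNS resolution, one object per FQDN, the object-group, the access-list that references it, and the two show commands used to confirm what the ASA resolved.

```text
! Added example, not from the original post. Names and addresses are assumed.
!
! 1. The ASA has to resolve names itself: enable lookups on the interface that
!    reaches the resolver and define the server group it should use.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 10.0.0.53
 expire-entry-timer minutes 1
 poll-timer minutes 1
!
! 2. One network object per FQDN (v4 limits resolution to A records).
object network obj-hr88.cisco.com
 fqdn v4 hr88.cisco.com
object network obj-portal.example.com
 fqdn v4 portal.example.com
!
! 3. Group the objects so the access-list stays readable.
object-group network og-fqdn-blocked
 network-object object obj-hr88.cisco.com
 network-object object obj-portal.example.com
!
! 4. Reference the group in the access-list and apply it to the interface.
access-list inside_in extended deny ip any object-group og-fqdn-blocked
access-list inside_in extended permit ip any any
access-group inside_in in interface inside
!
! 5. Verify: show dns lists the cached resolutions, show access-list shows the
!    expanded per-address lines and their hit counts.
show dns
show access-list inside_in
```

The two timers matter more than they look: poll-timer sets how often the ASA re-queries each FQDN (the default is 240 minutes), and expire-entry-timer sets how long a resolved address stays in the access-list after its TTL runs out. For a service that rotates addresses every few minutes, leave the timers short and check show access-list for the "(resolved)" marker; an FQDN that the ASA cannot resolve expands to nothing and the line silently matches no traffic.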

Below is a visual example showing the DNS query performed by the ASA, followed by the access-list output showing hits on the FQDN.

ASA FQDN DNS

ASA# show access-list inside_in
access-list inside_in; 4 elements; name hash: 0xd3a8690b
access-list inside_in line 1 deny ip any object obj-hr88.cisco.com 
 access-list inside_in line 1 deny ip any fqdn hr88.cisco.com (resolved)
 access-list inside_in line 1 deny ip any host 10.32.2.4 (hr88.cisco.com) (hitcnt=10)
 access-list inside_in line 1 deny ip any host 10.32.2.3 (hr88.cisco.com) (hitcnt=35)
access-list inside_in line 2 permit ip any any (hitcnt=12022)

Have a read of the articles below for some further insight; pretty cool stuff!

Sources: ASA FQDN access-lists Part 1 | Network Inferno – Using Hostnames (dDNS) in Access Lists

About The Author

Timothy

Timothy started his networking career in 2014, working for one of the largest telecommunication operators in Australia. When he's not working, he's obsessing over German Shepherd Dogs.
