At the time of this post, I had limited exposure to ASA 9.2 code and particularly using FQDN access-lists.

Essentially, you create a network object that contains the Fully Qualified Domain Name (FQDN) of a host. You can create several of these and place them inside a single object-group to keep things tidy (and you should!).

As hosts hit the ASA, the ASA performs a DNS lookup for the FQDNs listed in your objects and permits inbound traffic only from the address that A record/CNAME resolves to. This can be used to allow access to cloud services whose A records change often.

Below is a visual example showing the DNS query performed by the ASA, and the access-list showing hits on the FQDN entry.

[Figure: ASA FQDN DNS query]

ASA# show access-list inside_in
access-list inside_in; 4 elements; name hash: 0xd3a8690b
access-list inside_in line 1 deny ip any object obj-hr88.cisco.com 
 access-list inside_in line 1 deny ip any fqdn hr88.cisco.com (resolved)
 access-list inside_in line 1 deny ip any host 10.32.2.4 (hr88.cisco.com) (hitcnt=10)
 access-list inside_in line 1 deny ip any host 10.32.2.3 (hr88.cisco.com) (hitcnt=35)
access-list inside_in line 2 permit ip any any (hitcnt=12022)
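For reference, here is an added configuration example (not taken from the original post) that builds the objects, object-group and access-list behind the output above. It assumes the DNS server 10.0.0.53 and the second hostname app.example.com, both constructed for this example; the ASA must be able to resolve names itself, so dns domain-lookup and a DNS server group are required or the fqdn objects never resolve and the ACL entries never match.

```cisco
! Enable DNS resolution on the interface the ASA will send queries from,
! and point it at a resolver (10.0.0.53 is a constructed example address)
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.0.0.53
 expire-entry-timer minutes 1
!
! One network object per FQDN; the ASA resolves these itself
object network obj-hr88.cisco.com
 fqdn hr88.cisco.com
object network obj-app.example.com
 fqdn v4 app.example.com
!
! Nest the FQDN objects in a single group to keep the ACL tidy
object-group network grp-fqdn-hosts
 network-object object obj-hr88.cisco.com
 network-object object obj-app.example.com
!
! Match on the group; the ASA expands it to the resolved A records
access-list inside_in extended deny ip any object-group grp-fqdn-hosts
access-list inside_in extended permit ip any any
access-group inside_in in interface inside
!
! Verification: current resolutions and per-address hit counts
! show dns
! show access-list inside_in
```

Because the ACL matches whatever the ASA's own resolver returns, a client using a different resolver (or a cached answer) may reach an address the ASA has not yet learned, so check `show dns` against the hosts' view when hit counts look wrong.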

For further insight, have a read of the article below. Pretty cool stuff!

Sources: ASA FQDN access-lists Part 1 | Network Inferno – Using Hostnames (dDNS) in Access Lists

About The Author

Timothy started his networking career in 2014, working for one of the largest telecommunication operators in Australia. He has a passion for networking and cyber security. When he's not working, he's obsessing over German Shepherd Dogs.
