Access-list on using DNS domain name instead of IP?

Unanswered Question
Apr 20th, 2007

Hi, can you help me with this one?

Imagine I need to let a couple of Symantec security appliances (internal network) communicate on port 443 TCP to domains listed below. In my experience, I should do this based on the respective domain names (as shown below, since IP addresses change without warning).

Can someone tell me what should I consider in order to do access-lists based on domain name? Is the below correct:

#access-list 101 permit tcp <ip_address_appliance> eq 443

Collin Clark Fri, 04/20/2007 - 08:40

You can create ACLs with DNS names. You can do it with static names. For example:


Then the following would work until brightmail changed the IP.

access-list 101 permit tcp eq 443

HTH and please rate.

news2010a Fri, 04/20/2007 - 08:59

Hmmm... is this considered a limitation on the Cisco IOS? I mean, isn't that bad that there is no way for the router to resolve on its own?

Just curious. I configured this before on other firewall appliances; if I recall correctly, I was able to input the DNS domain names without needing to hardcode the IP address.

Also, what happens if I have 2 or more IP addresses associated with '' ? For example, should I just do?



Thanks a lot for your help!

Collin Clark Fri, 04/20/2007 - 09:17

First off, I assumed you had a PIX, so the name command is incorrect! In IOS you can create an IP host, but I don't think you can use that name in an ACL. I agree that it should be able to do it, but for some reason Cisco doesn't think it's important. In a PIX, if you try to use the same name twice it kicks back an error saying the name is already in use. On IOS, it replaces the first one with the second one (no error).
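Since IOS extended ACLs only take addresses, the practical workaround the thread arrives at is to resolve each name yourself, write one permit line per resolved address (covering the "two or more IP addresses" case), and re-check the resolution so you notice when the entry goes stale. The script below is an added example, not code from the thread or from Cisco; the hostnames, addresses and the appliance IPs in it are constructed placeholders, and the resolver is injected so the sample runs offline.

```python
import socket
from typing import Callable, Dict, List, Set

# A resolver maps a hostname to the set of IPv4 addresses it currently has.
# It is injected so the example can run against a constructed table offline;
# pass live_resolve to query the real DNS instead.
Resolver = Callable[[str], Set[str]]


def live_resolve(hostname: str) -> Set[str]:
    """Return every IPv4 A record for hostname via the system resolver."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def build_acl(acl_number: int, source_hosts: List[str],
              dest_names: List[str], resolve: Resolver) -> List[str]:
    """Emit IOS extended ACL lines: a remark naming the destination, then one
    'permit tcp host <src> host <ip> eq 443' line per source and per A record.
    Expanding every A record is what handles a name with several addresses."""
    lines: List[str] = []
    for name in dest_names:
        lines.append(f"access-list {acl_number} remark {name}")
        for ip in sorted(resolve(name)):
            for src in source_hosts:
                lines.append(f"access-list {acl_number} permit tcp host {src} host {ip} eq 443")
    return lines


def detect_drift(snapshot: Dict[str, Set[str]], resolve: Resolver) -> Dict[str, Dict[str, Set[str]]]:
    """Compare the name->addresses snapshot the ACL was generated from with a
    fresh resolution. Any entry returned means the hardcoded ACL is now stale
    (the 'works until the IP changes' failure the thread describes)."""
    drift: Dict[str, Dict[str, Set[str]]] = {}
    for name, old in snapshot.items():
        new = resolve(name)
        if new != old:
            drift[name] = {"added": new - old, "removed": old - new}
    return drift


def table_resolver(table: Dict[str, Set[str]]) -> Resolver:
    """Build an offline resolver from a constructed name->addresses table."""
    return lambda name: set(table.get(name, set()))


# Constructed sample data (placeholders, not real Symantec hosts): the ACL was
# generated from SNAPSHOT; FRESH is what DNS answers later, with one address changed.
SNAPSHOT = {"mail-update.example.invalid": {"198.51.100.10", "198.51.100.11"},
            "licensing.example.invalid": {"203.0.113.7"}}
FRESH = {"mail-update.example.invalid": {"198.51.100.10", "198.51.100.12"},
         "licensing.example.invalid": {"203.0.113.7"}}

if __name__ == "__main__":
    for line in build_acl(101, ["10.0.0.5", "10.0.0.6"], list(SNAPSHOT), table_resolver(SNAPSHOT)):
        print(line)
    print(detect_drift(SNAPSHOT, table_resolver(FRESH)))
```

Run it on a schedule with live_resolve and treat a non-empty drift result as the signal to regenerate and push the ACL.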
