Unanswered Question
Mar 24th, 2008

I've been tasked with converting a Netscreen fw to ASA 5520. All is well except for some of the fw policy where they have used an FQDN for a host in the "untrust" portion of the policy. On the Netscreen, you can configure a DNS server and it will go out and resolve these FQDNs. Does the ASA allow for something like this? I've looked through the cmd reference, etc., and haven't found it.


ggriebel Mon, 03/24/2008 - 14:18

Sorry, doesn't apply.

I'm asking about the ability to use an FQDN either directly in an access-list (aka policy statement) or in a network-object that can be used in an access-list.

cisco24x7 Mon, 03/24/2008 - 17:30

Hi ggriebel,

If I am not mistaken, what you're trying to do here is to use what is referred to in Checkpoint or Juniper/Netscreen as "domain" objects. In other words, you specify the domain object as, for example, "" and take this object and apply it to either the source or the destination. Furthermore, sometimes you want to "negate" the object as well.

Those features have been widely available with Checkpoint and Juniper firewalls. Cisco PIX/ASA does not support that function.

CCIE Security

ggriebel Tue, 03/25/2008 - 06:59

It can also be done on FortiGates. I didn't think it was available on the ASA, that's why I was asking.


pratheesh.venu@... Wed, 01/23/2013 - 10:09


I want to follow up on this thread to see if Cisco has made any update on this: access policy using an FQDN instead of a hard-coded IP address?

I have seen a couple of options based on my research.

MPF with HTTP class --> this is not good enough, as HTTPS or non-HTTP traffic will not be qualified.

Identity-aware firewall policy using DNS --> is this applicable to the 8.2 release?
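The following is an added configuration example, not part of this thread or any poster's reply. It shows the ASA equivalent of the Netscreen behaviour described in the opening post: FQDN support in network objects, which Cisco added in ASA software 8.4(2) and later (so an 8.2 box would need an upgrade first). The ASA resolves the name itself via the DNS server group below and expands the ACL entry to whatever addresses that resolution returns. All host names, addresses and timer values are constructed placeholders.

```text
! Added example (not from the thread): FQDN-based ACL on an ASA running 8.4(2) or later.
! Names use example.com and addresses use RFC 5737 documentation space; both are placeholders.
!
! 1. Let the ASA resolve names itself, on the interface that can reach the resolver.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.0.2.53
 ! Drop a cached name this many minutes after its TTL expires (assumed value).
 expire-entry-timer minutes 5
 ! Re-query FQDNs used in active ACLs on this interval (assumed value).
 poll-timer minutes 60
!
! 2. Network object keyed by host name instead of a hard-coded IP.
object network UPDATE-SERVER
 fqdn v4 updates.example.com
!
! 3. Use the object in the policy like any other host object.
access-list INSIDE-OUT extended permit tcp any object UPDATE-SERVER eq 443
access-list INSIDE-OUT extended deny ip any any
access-group INSIDE-OUT in interface inside
!
! Verify what the ASA actually resolved; the ACE only matches these addresses.
show dns
show access-list INSIDE-OUT
```

Two points worth checking before relying on this in production. First, the match set is whatever the ASA's own query returned, not what the client resolved; a name fronted by a CDN or round-robin pool can hand the client an address the firewall has not cached yet, which shows up as intermittent denies in `show access-list` hit counts. Second, the policy is only as trustworthy as the resolver in the server group, so point it at an internal resolver you control rather than an arbitrary external one.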



