ACL question

Answered Question
Jun 19th, 2008

How do I create an ACL that would only allow specific sites through if I don't know the IP and only know the DNS name? Say I want to allow only these two sites, * and *, and then block all others. Can I do that?

This is on an ASA 5510.

Correct Answer by Farrukh Haroon about 8 years 7 months ago

AFAIK this is not supported on the ASA/PIX.

Farrukh Haroon Thu, 06/19/2008 - 08:42

amadoutoure, how does MPF achieve that? Can you expand upon your comment?

How will MPF keep track of the DNS entry of (which, say, changes frequently)?

Ever done an nslookup on (you get multiple IPs)?

We do this on one of our customers' Netscreen ISG though; it supports this.



Amadou TOURE Thu, 06/19/2008 - 09:04


I'm out of office for now and I'll send a sample config as soon as I go back to office.

It will be done using regex syntax.


Farrukh Haroon Thu, 06/19/2008 - 09:19

Oh, I get your point now. Thanks for waking me up. Even though it's not as flexible as a proper filtering solution (because, since we are denying based on hostname, the user can simply open the URL by IP, open Google's cache, etc.):

Something like this:

policy-map type inspect http TEST_HTTP
 match request uri regex
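For reference, here is a fuller version of the MPF regex approach discussed in this thread. It is an added example, not config posted by anyone in the thread, and it assumes ASA 8.x MPF syntax and two placeholder hostnames (example.com and example.org); it matches on the HTTP Host header rather than the URI, drops anything not on the allow list, and anchors the regexes so that a name such as example.com.evil.test does not slip through.

```cisco
! Allowed hostnames (placeholders). Anchored so only these exact hosts match,
! with or without a leading "www.".
regex ALLOWED_HOST_1 "^(www\.)?example\.com$"
regex ALLOWED_HOST_2 "^(www\.)?example\.org$"
!
! Group the allowed hostnames into one regex class.
class-map type regex match-any ALLOWED_HOSTS
 match regex ALLOWED_HOST_1
 match regex ALLOWED_HOST_2
!
! HTTP inspection class: any request whose Host header is NOT in the
! allowed class.
class-map type inspect http match-all BLOCKED_HOSTS
 match not request header host regex class ALLOWED_HOSTS
!
! HTTP inspection policy: drop and log connections to non-allowed hosts.
policy-map type inspect http TEST_HTTP
 parameters
 class BLOCKED_HOSTS
  drop-connection log
!
! Layer 3/4 class for the traffic to inspect (plain HTTP on port 80).
class-map HTTP_TRAFFIC
 match port tcp eq www
!
! Attach the HTTP inspection policy to the default global policy.
policy-map global_policy
 class HTTP_TRAFFIC
  inspect http TEST_HTTP
!
service-policy global_policy global
```

This only inspects cleartext HTTP on port 80: HTTPS requests carry the Host header inside TLS, so they are not matched, and as noted above a user can still reach a site by IP, which is why the thread treats this as a partial control rather than real web filtering.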