
ACLs with FQDN

elias.manchon
Level 1

Hello folks!!

Is there some way to permit or deny traffic using ACLs with FQDN names instead of IP addresses?

Thanks in advance!!

Accepted Solution

ozzyosbu1
Level 1

Hello, if I have understood your question correctly:

access-list 101 permit ip any host host.domain.com

This is allowed in ACLs.

You need to have ip domain-lookup enabled and should have ip name-server configured on the router.


16 Replies


Ok, thanks.

Hello Again!!

I have tried the following on my Cisco router:

ip domain-lookup

...

ip name-server xxx.xxx.xxx.xxx

ip name-server yyy.yyy.yyy.yyy

If I ping an FQDN (example: www.cisco.com), there is no domain resolution. The following appears:

Translating "www.cisco.com"... domain server (xxx.xxx.xxx.xxx) (yyy.yyy.yyy.yyy)

% Unrecognized host or address, or protocol not running.

where the X address and Y address are the DNS servers of my ISP.

Could somebody help me please?

Thanks in advance!!

Make sure you are able to reach the DNS server from the router (using ping); also recheck whether any access-lists are blocking the DNS requests from being forwarded to your ISP DNS server.

Phillip.Cusack
Level 1

I put a little EEM together to achieve this. It's pretty easy.

 

conf t

!You should use an internal DNS server (safer)
ip name-server 8.8.8.8
!Parent object group referenced by the ACL; the applet only swaps its child group
object-group network DDNS-ALLOW

event manager applet DDNS-UPDATE
 !300 seconds is 5 minutes
 event timer watchdog time 300
 action 0.1 cli command "enable"
 action 0.2 cli command "conf t"
 !Detach and delete the old child group so stale addresses are dropped
 action 1.1 cli command "object-group network DDNS-ALLOW"
 action 1.2 cli command "no group-object DDNS-HOSTS"
 action 1.3 cli command "no object-group network DDNS-HOSTS"
 !Re-create the child group; each host entry is resolved once, at this moment
 action 2.1 cli command "object-group network DDNS-HOSTS"
 !Add your FQDN - This must resolve or won't be added, test with ping
 action 2.2 cli command "host google.com"
 !action 2.3 cli command "host example.duckdns.org"
 !action 2.4 cli command "host some.fqdn.org.com.net"
 !Re-attach the refreshed child group to the parent
 action 4.1 cli command "object-group network DDNS-ALLOW"
 action 4.2 cli command "group-object DDNS-HOSTS"
 action 5.0 syslog priority informational msg "DDNS object-group has been updated via EEM"

!ACL name
ip access-list extended OUTSIDE_NBN_IN
 !Position the rule within your ACL - with the least amount of access required (not my example)
 141 permit tcp object-group DDNS-ALLOW any

!View informational (level 6) logs to make sure the event is running
logging buffered 6


What was the purpose of the EEM? As in, why did you make an EEM to do the task when it seems like you could just run the commands?

 

Two reasons:

1# If you add a hostname to the ACL, it immediately resolves and adds the IP to the ACL, not the hostname (same for object groups).

2# If it were to keep the hostname in the ACL, every single packet that reaches that ACE within the ACL would cause a DNS lookup, which would be slow as hell.

I know this post is a little old, but this solution is a very good workaround. Nice work Phillip.

Thanks. I am looking at a similar use case for my requirement.

But I am not able to understand what the lines below do in your configuration sample. Can you please help explain them?

action 1.2 cli command "no group-object DDNS-HOSTS"
action 1.3 cli command "no object-group network DDNS-HOSTS"

Also, I am not able to understand the purpose of the line below.

action 4.2 cli command "group-object DDNS-HOSTS"

What is defined under group-object DDNS-HOSTS?

Any help or inputs?

!This portion cleans up/removes the existing IPs that may be stale, by removing the object group. We store one object group in another, as then we can just keep the parent object group in the ACL and modify its sub-items.

action 1.1 cli command "object-group network DDNS-ALLOW" ! Enters the item-level config of object-group 'DDNS-ALLOW' for config changes within
action 1.2 cli command "no group-object DDNS-HOSTS" ! Removes the object group 'DDNS-HOSTS' from object group 'DDNS-ALLOW'
action 1.3 cli command "no object-group network DDNS-HOSTS" ! Removes the object group 'DDNS-HOSTS' from the router

! This portion re-creates the object group 'DDNS-HOSTS', adding the host entries, then adds 'DDNS-HOSTS' to the parent object group 'DDNS-ALLOW'.

action 2.1 cli command "object-group network DDNS-HOSTS" ! Creates and enters item-level config for object-group 'DDNS-HOSTS'
!Add your FQDN - This must resolve or won't be added, test with ping.
action 2.2 cli command "host google.com"
!action 2.3 cli command "host example.duckdns.org"
!action 2.4 cli command "host some.fqdn.org.com.net"

action 4.1 cli command "object-group network DDNS-ALLOW"
action 4.2 cli command "group-object DDNS-HOSTS"

Thanks

I did test with the commands below in my environment.

What I observed is that under "object-group network URL_DNS_HOSTS" the Google IP addresses are dynamically getting added once the EEM is executed every 5 mins.

But one thing I observed is that only 2 IP addresses are getting dynamically added. As you know, Google resolves dynamically to many IPs, but with the below, at any time only 2 IP addresses are getting added.

Is my configuration below wrong, or am I missing anything?

 

------------------------------------------------------------------------

object-group network URL_Block

event manager applet URL_DNS_UPDATE
 event timer watchdog time 300
 action 0.1 cli command "enable"
 action 0.2 cli command "conf t"
 action 1.1 cli command "object-group network URL_Block"
 action 1.2 cli command "no group-object URL_DNS_HOSTS"
 action 1.3 cli command "no object-group network URL_DNS_HOSTS"
 action 2.1 cli command "object-group network URL_DNS_HOSTS"
 action 2.2 cli command "host www.google.co.jp"
 action 2.3 cli command "host google.co.jp"
 action 4.1 cli command "object-group network URL_Block"
 action 4.2 cli command "group-object URL_DNS_HOSTS"
 action 5.0 syslog priority informational msg "DNS object-group has been updated via EEM"

<Added the below ACL into the existing ACL group>
 deny   ip host <x.x.x.x> object-group URL_Block

I revised my configuration as below. Let me know if it makes sense.

Since Google resolves to multiple IP addresses, I want to keep on adding the IP addresses to the ACL.
My understanding is that if I remove the object group, only the latest resolved IP addresses get added to the object group. But I want to keep on adding IP addresses to the object group without removing the old entries.
Could you please let me know if the below will work? I am yet to test it.

##############################################################################################

object-group network URL_Block

event manager applet URL_DNS_UPDATE
 event timer watchdog time 300
 action 0.1 cli command "enable"
 action 0.2 cli command "conf t"
 action 2.1 cli command "object-group network URL_DNS_HOSTS"
 action 2.2 cli command "host www.google.co.jp"
 action 2.3 cli command "host google.co.jp"
 action 4.1 cli command "object-group network URL_Block"
 action 4.2 cli command "group-object URL_DNS_HOSTS"
 action 5.0 syslog priority informational msg "DNS object-group has been updated via EEM"
!

object-group network URL_Block

<ACL>
 deny   ip host <x.x.x.x> object-group URL_Block
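The two applet variants in this thread sit at opposite ends of a trade-off: deleting and re-creating the child group keeps only what the last lookup returned (the "only 2 addresses" observation), while never deleting it keeps every address the name ever resolved to, including ones it no longer maps to, which an ACL then keeps permitting or denying. The simulation below, added here as an example and not code from any poster, keeps a per-address "last seen" counter and expires entries after an assumed number of runs, then emits the same IOS object-group command sequence the applets use; the FQDN answers, addresses and MAX_AGE are constructed assumptions and nothing talks to a router.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample: what one FQDN resolved to in three successive EEM runs
# (a CDN-style name that answers with a rotating pair of addresses).
ROUNDS = [
    ["203.0.113.10", "203.0.113.11"],
    ["203.0.113.11", "203.0.113.12"],
    ["203.0.113.12", "203.0.113.13"],
]

# Assumed policy knob: runs an address may go unseen before it is dropped.
# 0 mimics the delete-and-recreate applet (latest answer only); a huge value
# mimics the revised applet (nothing is ever removed).
MAX_AGE = 1


def merge_round(state: Dict[str, int], answers: Iterable[str], now: int) -> Dict[str, int]:
    """Fold one run's DNS answers into state (ip -> run in which it was last seen).
    Seen addresses are refreshed; addresses unseen for more than MAX_AGE runs
    are expired, so the group neither collapses to the latest answer nor keeps
    addresses the name no longer maps to."""
    new_state = dict(state)
    for ip in answers:
        ipaddress.ip_address(ip)  # refuse anything that is not a literal address
        new_state[ip] = now
    return {ip: seen for ip, seen in new_state.items() if now - seen <= MAX_AGE}


def render_eem(parent: str, child: str, ips: Iterable[str]) -> List[str]:
    """IOS commands for the same detach / delete / re-create / attach sequence
    the applets above run, with the surviving addresses as host entries."""
    cmds = [f"object-group network {parent}", f" no group-object {child}", " exit",
            f"no object-group network {child}", f"object-group network {child}"]
    cmds += [f" host {ip}" for ip in sorted(ips, key=ipaddress.ip_address)]
    cmds += [" exit", f"object-group network {parent}", f" group-object {child}"]
    return cmds


def simulate(rounds: List[List[str]]) -> Dict[str, int]:
    state: Dict[str, int] = {}
    for now, answers in enumerate(rounds):
        state = merge_round(state, answers, now)
    return state


if __name__ == "__main__":
    print("\n".join(render_eem("DDNS-ALLOW", "DDNS-HOSTS", simulate(ROUNDS))))
```

With MAX_AGE = 1 the sample ends with three addresses (203.0.113.10 has aged out), where the delete-and-recreate applet would hold two and the never-delete variant four.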
