Opening access via DNS name

Unanswered Question
Apr 16th, 2009


If one of the webserver farms wants to access an internet entity via DNS name resolution, how can it be opened up on the ASA, since the actual IPs should be specified in the access-list? And it is possible that the IP returned by DNS may be different in the future.

How can this be covered on the firewall?

John Blakley Thu, 04/16/2009 - 08:01

Unfortunately the ASA can't do DNS lookups for the client. (I just ran into this issue.) What I did was an nslookup on the domain names that I needed, and then I created an ACL giving access to those object-groups that referenced the IP addresses.

You could use a regex and apply it to a class map, and then you could match on the address of the webserver farm to give them access, but that may not be good for you.

Here's a link:

You should modify it to your needs (regex isn't just for blocking).
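The manual nslookup-then-object-group approach described in the answer above can be scripted so it is repeatable, and so that the caveat raised in the question (the address behind a name changing later) shows up as a diff instead of a silent outage. The following is an added example, not code from the original thread or from Cisco: it resolves each name, emits one ASA `object-group network` per name plus a parent group and one `access-list` line, and compares the current resolution against the previous run to flag addresses that were added or removed. The names `api.example.net` and `updates.example.org`, the `OG_*` group names, the `OUTSIDE_OUT` ACL name and the 10.1.1.0/24 source net are all assumptions; the addresses in `SAMPLE_LOOKUPS` are constructed RFC 5737 documentation values so the script runs offline, while `live_resolver` uses the OS resolver if you want real lookups.

```python
"""Generate ASA object-groups/ACL lines from DNS names and detect address drift.

Added example (not from the original thread). Names, group names and the
source network are assumptions; SAMPLE_LOOKUPS is constructed test data.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, Iterable, List, Set, Tuple

Resolver = Callable[[str], List[str]]

# Constructed stand-in for the manual nslookup step (RFC 5737 documentation
# addresses, hypothetical names) so the example runs without network access.
SAMPLE_LOOKUPS: Dict[str, List[str]] = {
    "api.example.net": ["192.0.2.10", "192.0.2.11"],
    "updates.example.org": ["198.51.100.7"],
}


def offline_resolver(name: str) -> List[str]:
    """Resolver backed by the constructed table above."""
    return list(SAMPLE_LOOKUPS.get(name, []))


def live_resolver(name: str) -> List[str]:
    """Resolver using the OS stub resolver (IPv4 only); [] on NXDOMAIN or error."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def resolve_all(names: Iterable[str], resolver: Resolver) -> Dict[str, Set[str]]:
    """Map each name to the set of valid IPv4 literals it currently resolves to."""
    result: Dict[str, Set[str]] = {}
    for name in names:
        addrs: Set[str] = set()
        for raw in resolver(name):
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                continue  # ignore anything that is not a literal address
            if ip.version == 4:
                addrs.add(str(ip))
        result[name] = addrs
    return result


def group_name_for(name: str) -> str:
    """Derive an ASA-safe object-group name from a DNS name (assumed OG_ prefix)."""
    return "OG_" + re.sub(r"[^A-Za-z0-9_-]", "_", name)


def build_asa_config(resolved: Dict[str, Set[str]], src_net: str,
                     parent_group: str = "OG_DNS_TARGETS",
                     acl_name: str = "OUTSIDE_OUT", port: int = 443
                     ) -> Tuple[List[str], List[str]]:
    """Return (config lines, names that resolved to nothing).

    Names with no addresses are skipped rather than emitted as empty groups,
    because an empty group would silently permit nothing for that destination.
    """
    net = ipaddress.ip_network(src_net, strict=True)
    lines: List[str] = []
    unresolved: List[str] = []
    children: List[str] = []
    for name in sorted(resolved):
        addrs = resolved[name]
        if not addrs:
            unresolved.append(name)
            continue
        grp = group_name_for(name)
        children.append(grp)
        lines.append(f"object-group network {grp}")
        lines.append(f" description {name}")
        for addr in sorted(addrs, key=ipaddress.ip_address):
            lines.append(f" network-object host {addr}")
    lines.append(f"object-group network {parent_group}")
    lines.extend(f" group-object {grp}" for grp in children)
    lines.append(f"access-list {acl_name} extended permit tcp "
                 f"{net.network_address} {net.netmask} "
                 f"object-group {parent_group} eq {port}")
    return lines, unresolved


def drift(previous: Dict[str, Set[str]], current: Dict[str, Set[str]]
          ) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Per name, (added, removed) addresses compared with the previous run."""
    changes: Dict[str, Tuple[Set[str], Set[str]]] = {}
    for name in set(previous) | set(current):
        before, after = previous.get(name, set()), current.get(name, set())
        added, removed = after - before, before - after
        if added or removed:
            changes[name] = (added, removed)
    return changes


if __name__ == "__main__":
    now = resolve_all(SAMPLE_LOOKUPS, offline_resolver)
    cfg, missing = build_asa_config(now, "10.1.1.0/24")
    print("\n".join(cfg))
    if missing:
        print("! unresolved, not added:", ", ".join(missing))
```

Run it on a schedule (cron or similar), store the `resolve_all` result between runs, and treat a non-empty `drift` result as the trigger to push a regenerated object-group and to review why the address changed; the ASA itself will keep enforcing whatever IPs were last configured, so the script, not the firewall, is what tracks the DNS answer.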
