access list using names instead of IPs

Dec 9th, 2009

Is there a way to create an ACL using domain names instead of IPs/networks? For example,


can I do something like

access-list 111 permit icmp host www.mycompany.org any echo

access-list 100 permit tcp any host www.1234.com

instead of

access-list 111 permit icmp host 4.3.2.1 any echo

access-list 100 permit tcp any 1.2.3.4 0.0.0.31


The main reason I would like to do this is so that when a company/site/server changes its IP addresses, there would be no need to change the ACL.

sachinraja Mon, 12/14/2009 - 08:25

Hi tachy


You have the "ip host" command on IOS devices, which can statically map a hostname to an IP address, but the ACL statements might not accept hostnames as the source or destination entries.


You can think about implementing object-groups on routers and firewalls to achieve this (it depends on the IOS code you are running). With object groups, you can bundle IP addresses under an object name and reference that in the access-list. Doing this, you don't need to change the ACL entries every time you change IP addresses; you just modify the object-group entries defined on the device.


Router# configure terminal
Router(config)# object-group network abc
Router(config-network-group)# host 1.1.1.1
Router(config-network-group)# host 2.2.2.2


Refer to CCO on object-groups and you will find the exact configuration details. Hope this helps. All the best.


Raj

Mike Bailey Mon, 12/14/2009 - 14:03

The access-list host functionality permits the use of a hostname as per:


     Router(config)#access-list 111 permit ip host ?
       Hostname or A.B.C.D  Source address


So assuming the router can resolve DNS then it should be possible to use a DNS host name in an ACL.


I've just tried the following and it seems to work:


     ip domain-lookup
     ip name-server 10.0.0.1
     !
     access-list 111 deny ip host 10.1.1.1 host www.bbc.co.uk
     !
     interface FastEthernet0/0
      ip access-group 111 out
     !


This blocked me connecting to www.bbc.co.uk from the client in question where I could before.

sachinraja Mon, 12/14/2009 - 14:33

Mike is right. My bad. I missed the hostname parameter on the command line. You can hence use the "ip host" command locally, or use DNS as Mike suggested. Object groups can be used if the IOS supports it.


Thanks for the configs Mike.


Raj

In my version of IOS, 12.2(33)SXH4, one can input hostnames during the ACL configuration, but it immediately resolves those hostnames to IPs and inserts those into the output of "show run". In other words, the hostnames are not preserved, which, if I interpret the original post correctly, was the goal (IPs can dynamically change but are tied to permanent DNS records, and thus the ACLs need not be changed).


Pertaining to this behavior, does IOS behave differently on different versions? I am wondering if the T-train would preserve the hostnames in ACL lines?


Thanks!
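An added example, not code from anyone in this thread: the last post observes that IOS resolves a hostname once when the ACL line is entered and stores the address, so a name-based ACL does not follow DNS changes. The pattern that does track DNS is the one Raj hinted at: keep the ACL pointing at an object-group and regenerate the group's members from DNS on a schedule, pushing only the difference. The script below does that generation offline against constructed sample DNS answers; the group and ACL names (WEB_SERVERS, WEB_OUT), the resolver wiring, and the assumption that the device runs an IOS release with object-group ACL support (the group is referenced from a named extended ACL) are mine. Two caveats a practitioner should keep in mind: whoever controls the DNS answer now controls the ACL, so resolve through a resolver you trust, and a failed lookup must keep the previous members rather than empty the group, or a DNS outage silently rewrites policy.

```python
"""Regenerate IOS object-group members from DNS and emit only the change.

Added example; not code from the original thread. Assumes an IOS release
that supports "object-group network" and object-group references in named
extended ACLs. Group/ACL names are made up for illustration.
"""
import socket
from typing import Callable, Dict, Iterable, List, Optional, Set

# Constructed sample answers so the example runs offline. In production,
# pass resolve_with_dns instead (and point the host at a resolver you control).
SAMPLE_DNS: Dict[str, Set[str]] = {
    "www.mycompany.org": {"4.3.2.1"},
    "www.1234.com": {"1.2.3.4", "1.2.3.5"},
}


def resolve_with_dns(name: str) -> Set[str]:
    """All IPv4 answers for a name (a CDN or multi-homed host returns several)."""
    return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}


def ip_key(addr: str):
    """Sort dotted-quad addresses numerically rather than as strings."""
    return tuple(int(octet) for octet in addr.split("."))


def resolve_group(names: Iterable[str], resolver: Callable[[str], Set[str]],
                  previous: Optional[Dict[str, Set[str]]] = None) -> Dict[str, Set[str]]:
    """Resolve each name. On a lookup failure keep the previous answer for that
    name instead of shrinking the group: a DNS error must not rewrite policy."""
    previous = previous or {}
    result: Dict[str, Set[str]] = {}
    for name in names:
        try:
            result[name] = set(resolver(name))
        except (socket.gaierror, KeyError):
            result[name] = set(previous.get(name, set()))
    return result


def members(resolved: Dict[str, Set[str]]) -> Set[str]:
    """Flatten per-name answers into the group's full membership."""
    return set().union(*resolved.values())


def object_group_config(group: str, addrs: Set[str]) -> List[str]:
    """Full object-group definition, as pasted on first deployment."""
    return [f"object-group network {group}"] + [
        f" host {a}" for a in sorted(addrs, key=ip_key)]


def object_group_diff(group: str, old: Set[str], new: Set[str]) -> List[str]:
    """Minimal config lines that move the group from old to new membership.
    The ACL referencing the group is never touched."""
    removed, added = old - new, new - old
    if not removed and not added:
        return []
    return ([f"object-group network {group}"]
            + [f" no host {a}" for a in sorted(removed, key=ip_key)]
            + [f" host {a}" for a in sorted(added, key=ip_key)])


def acl_config(acl: str, group: str) -> List[str]:
    """The ACL side: a named extended ACL that references the group by name."""
    return [f"ip access-list extended {acl}",
            f" permit tcp any object-group {group} eq 443",
            " deny ip any any log"]


if __name__ == "__main__":
    names = sorted(SAMPLE_DNS)
    first = resolve_group(names, lambda n: SAMPLE_DNS[n])
    print("\n".join(object_group_config("WEB_SERVERS", members(first))))
    print("\n".join(acl_config("WEB_OUT", "WEB_SERVERS")))
    # Simulate www.1234.com moving one address before the next scheduled run.
    SAMPLE_DNS["www.1234.com"] = {"1.2.3.4", "1.2.3.6"}
    second = resolve_group(names, lambda n: SAMPLE_DNS[n], previous=first)
    print("\n".join(object_group_diff("WEB_SERVERS", members(first), members(second))))
```

The emitted lines are meant to be pushed by whatever configuration tooling you already use for the device; only the object-group is rewritten, and the interface binding and the ACL stay as they were.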
