FWSM and ASA use of FQDN in ACL cached/real time lookup?

Jul 23rd, 2010

I just learned that I can use a Fully Qualified Domain Name instead of just an IP address or address/netmask in an ACL in the FWSM and ASA products, but I would like to know the details of this feature.


Does the lookup happen once, with all the IP addresses inserted into the ACL at compile time (which would mean the DNS list of name-to-IP-address mappings could get old)? Or does the firewall cache the answer, use it for a time period and then refresh, so the ACL has a more up-to-date list of name-to-IP-address mappings?

August Ritchie Fri, 07/23/2010 - 11:54

As far as I know, the only way for the ASA to block domain names is to use regular expressions. It looks in the HTTP header for the domain name and, depending on the parameters, will block or deny the traffic. This is done via adjusting the http inspect. The regular expression is checked every time a new flow is created, so no ACLs are updated. Here is an example.


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml


Perhaps the FWSM acts differently though.

August Ritchie Fri, 07/23/2010 - 12:03

As far as the ASA is concerned, this configuration is not possible.

Panos Kampanakis Fri, 07/23/2010 - 18:02

Unfortunately, neither the ASA nor the FWSM can use domains in an ACL.


You can block HTTP to certain pages with http inspection as August said, but not using an ACL with domain name.


I hope it is clear now.


PK

Magnus Mortensen Fri, 07/23/2010 - 18:08

Greg,

Any hostnames in the ACLs are only referred to when the configuration line is created. As pkampana noted, we can do a lot of things with the HTTP inspection engine on the ASA platform. Using some advanced regex expressions you can create a rudimentary URL filtering solution, but at a slight cost to HTTP performance (regex processing takes a lot of processing power, ya know). If you would like to know more about the different functions you can do with HTTP on the ASA platform, I encourage you to check out the TAC Security Podcast at http://www.cisco.com/go/tacsecuritypodcast. In Episode 13, which should be up in the very near future, we discuss different advanced HTTP traffic filtering and inspection options that you can use on the ASA platform.


- Magnus
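As an added illustration, not part of any reply in this thread, this is the shape of the ASA Modular Policy Framework configuration August and Magnus describe: a regex matched against the HTTP Host header from inside an http inspection policy. The object names (domain_blocklist, BLOCK_HOSTS_REGEX, BLOCK_HOSTS, HTTP_HOST_POLICY) and the example.com domain are assumptions.

```cisco
! Added example of the regex-based HTTP Host filtering discussed above;
! object names and the example.com domain are assumed, not from the thread.
regex domain_blocklist "\.example\.com"

! Group one or more regexes into a single regex class
class-map type regex match-any BLOCK_HOSTS_REGEX
 match regex domain_blocklist

! Select HTTP requests whose Host header matches the regex class
class-map type inspect http match-all BLOCK_HOSTS
 match request header host regex class BLOCK_HOSTS_REGEX

! HTTP inspection policy: reset matching connections and log them
policy-map type inspect http HTTP_HOST_POLICY
 parameters
  protocol-violation action drop-connection
 class BLOCK_HOSTS
  reset log

! Apply the HTTP inspection through the global service policy
policy-map global_policy
 class inspection_default
  inspect http HTTP_HOST_POLICY
```

The match is evaluated against the cleartext HTTP Host header of each new flow, so it involves no DNS resolution at all and does not apply to HTTPS traffic, whose headers the inspection engine cannot read.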
