We have a requirement for a WSUS server to receive updates; it sits behind an ASA5505 and, in some cases, an ASA5510. I understand that to enable this, the WSUS server needs to communicate with many DNS names, and therefore there are many potential IP addresses/ranges that the ASA needs to apply the appropriate security policy to. An example of just a few of the DNS names we need to apply a security policy to are http://windowsupdate.microsoft.com, http://*.windowsupdate.microsoft.com, https://*.windowsupdate.microsoft.com, etc.
Is it possible to apply a security policy based on domain names as opposed to IP addresses/ranges on an ASA5505/ASA5510? I have been told this is impossible, but just in case anyone has found anything new.
The reason why I "don't you just exclude the WSUS server from the policy?", is because the question is not just about WSUS. The reason I ask whether it is possible to apply a security policy based on domain names as opposed to IP addresses/ranges on an ASA5505/ASA5510 is so that I can close everything off on my network and still have access to WSUS, NIST Time Service, Google Earth, Symantec Live Update, and a few other sites and services, without opening up my network and machines to everyone and everything. I would like to shut down all internet access, in and out, except to these services, sites, etc., while at the same time keeping up all of the site-to-site IPsec VPN tunnels I have to my remote offices.
BTW: Is anyone interested in starting up / co-founding a Los Banos, CA Cisco fan club?