Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
818
Views
0
Helpful
3
Replies

Allowing a dyn dns to my access list

Locayta123
Level 1
Level 1

‎02-11-2014 08:14 AM - edited ‎03-11-2019 08:44 PM

Hi all.

I allow a remote user access to our network based on his static ip which he is about to loose. We have configured a dyn dns address for his changing public IP that i would like to add to our cisco.

Looking at ASDM how is it possible to allow a dyn dns address to the access list and for the ASA to update accordingly?

Thanks.

Labels:
0 Helpful
3 Replies 3

Jouni Forss
VIP Alumni
VIP Alumni

‎02-11-2014 08:23 AM

Hi,

If you have ASA running 8.4(2) or newer software you can use FQDN in the ACL rules to allow connections based on the DNS name rather than the IP address

In this setup you will have to

  • Configure DNS servers that the ASA can use to make DNS queries
  • Enable DNS lookups on the ASAs interface through which the DNS queries should be sent
  • Configure an "object network " and "fqdn customer.dnsname.com"
  • Use the created "object" in the ACL rule

Example configuration could be for example (unless I remember something wrong)

dns domain-lookup outside

dns server-group DefaultDNS

    name-server 8.8.8.8

object network GOOGLE

fqdn www.google.com

access-list OUTSIDE-IN permit tcp object GOOGLE host eq 80

access-group OUTSIDE-IN in interface outside

So I would imagine that if your software is not the above mentioned or newer you wont be able to allow connections according to FQDN.

Hope this helps

- Jouni

0 Helpful

Locayta123
Level 1
Level 1
In response to Jouni Forss

‎02-11-2014 08:33 AM

Great post, thanks for the detail.

I'm currently running:

Cisco Adaptive Security Appliance Software Version 7.2(5)

Device Manager Version 5.2(5)

WIll i need to upgrade my appliance for this to work?

0 Helpful

jpeterson6
Level 2
Level 2
In response to Locayta123

‎02-12-2014 03:00 PM

Yes, but upgrading to 8.4(2) will, unfortunately, change a lot of your configurations related to NAT in particular.

Reference this document to get a heads-up on what else will be required.

https://supportforums.cisco.com/docs/DOC-12690

An alternative and arguably better solution to your problem is just creating a Remote Access VPN for him on the ASA, then his IP won't matter, unless I am misunderstanding how this person connects.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card