Silly question: DNS name instead of IP address in ASA ACL

Hello,

One silly question - is it possible to specify a DNS name in an ACL on ASA? E.g.

access-list ACL-TEST extended permit tcp any host www.example.com eq ssh

If it is not possible - any plans to add that feature? Can be really useful for outbound restrictions.

Re: Silly question: DNS name instead of IP address in ASA ACL

No, it is not possible with PIX or ASA.

If you want that feature, go with Checkpoint or Juniper.

Re: Silly question: DNS name instead of IP address in ASA ACL

You can match and drop traffic using application inspection. Set up an HTTP inspection policy and use regex to match the URL and set it to drop. See link.

http://www.cisco.com/en/US/customer/docs/security/asa/asa72/configuration/guide/inspect.html#wp1514315

An easier way would be to set up Websense or N2H proxies that the ASA could check against.

Hope this helps.

Chad
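
The HTTP inspection approach from the reply above, sketched as ASA configuration; this is an added example, not part of the original post or taken from the linked guide. The object names (EXAMPLE_HOST, CM-HTTP-BLOCKED-HOST, PM-HTTP-HOST-FILTER) are made up for illustration, and the last stanza assumes the factory-default `global_policy` and `inspection_default` class are still in place. It acts only on traffic the ASA inspects as HTTP, so it does not cover the SSH rule in the question.

```cisco
! Added example; object names are hypothetical.
! Regex for the hostname to block. The dots are escaped so they
! match literally instead of "any character".
regex EXAMPLE_HOST "www\.example\.com"

! Layer 7 class: HTTP requests whose Host header matches the regex.
class-map type inspect http match-all CM-HTTP-BLOCKED-HOST
 match request header host regex EXAMPLE_HOST

! HTTP inspection policy: drop matching connections and log them.
policy-map type inspect http PM-HTTP-HOST-FILTER
 parameters
 class CM-HTTP-BLOCKED-HOST
  drop-connection log

! Attach the HTTP policy to the inspection engine.
! Assumes the default global_policy / inspection_default are in use.
policy-map global_policy
 class inspection_default
  inspect http PM-HTTP-HOST-FILTER
```

The match is on the Host header inside the request, not on the destination address, so HTTPS and other non-HTTP protocols pass through this policy untouched; `show service-policy inspect http` shows the per-class drop counters.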
