Solved: Ip access-list

berb · ‎06-11-2003

Is it possible to add a hostname(text) to ip access list. The host name is defined in a Mircosoft DNS server. I would like to add a dns host name to an access list so if the ip address changes I won't have to go to router configs and make Ip address change to a complicated access-list.

thisisshanky · ‎06-11-2003

Yes its possible. For this to work you need to do two things.

1. Configure (let the router know where to send DNS requests).

Configuring this is as follows :

Router (config)#ip name-server

2. Configure access-list as follows.

for example i m creating a std. acl.

Router(config)#access-list 1 permit host test.you.com

test.you.com should be defined in your DNS as an A record.

As soon as you enter the access-list command, router will try to resolve the FQDN - test.you.com into the corresponding ip address. So make sure the DNS server IP is configured on the router using Step 1.

Once this is done, You can verify the translated access-list (FQDN to IP) using "show access-list" command

--------------------------------------------------------------------------------------------------

Just tested this on a router here, it really works cool.

Router(config)#ip name-server 10.1.1.1

Router#show host

Default domain is cisco.com

Name/address lookup uses domain service

Name servers are 10.1.1.1

Router(config)#access-list 1 permit host test.cisco.com log

Translating "test.cisco.com"...domain server (10.1.1.1) [OK]

Router#show access-list

Standard IP access list 1

permit 10.1.1.7 log

HTH

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

View solution in original post

thisisshanky · ‎06-11-2003

Yes its possible. For this to work you need to do two things.

1. Configure (let the router know where to send DNS requests).

Configuring this is as follows :

Router (config)#ip name-server

2. Configure access-list as follows.

for example i m creating a std. acl.

Router(config)#access-list 1 permit host test.you.com

test.you.com should be defined in your DNS as an A record.

As soon as you enter the access-list command, router will try to resolve the FQDN - test.you.com into the corresponding ip address. So make sure the DNS server IP is configured on the router using Step 1.

Once this is done, You can verify the translated access-list (FQDN to IP) using "show access-list" command

--------------------------------------------------------------------------------------------------

Just tested this on a router here, it really works cool.

Router(config)#ip name-server 10.1.1.1

Router#show host

Default domain is cisco.com

Name/address lookup uses domain service

Name servers are 10.1.1.1

Router(config)#access-list 1 permit host test.cisco.com log

Translating "test.cisco.com"...domain server (10.1.1.1) [OK]

Router#show access-list

Standard IP access list 1

permit 10.1.1.7 log

HTH

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

mark-obrien · ‎06-11-2003

Shanky-

That's good to know, but Berb was concerned about the IP address of the host changing in the future. Your example shows the DNS translation occurring as the access list is being constructed. I wonder if your running config shows the DNS host name or the IP address after this tranlation is made, and if it shows the host name, how often will the router look up the host name and re-translate? If it never translates the name again, Berb's requirement that the access list keep up with address changes will not be met.

Mark

thisisshanky · ‎06-11-2003

Hi Mark,

I was wondering about that, when I was testing these configs, but didnt get time to follow up on that. Now I checked and the running config does show only the ip address and not the FQDN.

Thats one good observation Mark!

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

berb · ‎06-11-2003

Thank you kindly . Works just fine.