Access-list on using DNS domain name instead of IP?

news2010a
Level 3

Hi, can you help me with this one?

Imagine I need to let a couple of Symantec security appliances (internal network) communicate on port 443 TCP to the domains listed below. In my experience, I should do this based on the respective domain names (as shown below), since IP addresses change without warning.

Can someone tell me what I should consider in order to do access-lists based on domain name? Is the below correct?

#access-list 101 permit tcp <ip_address_appliance> 0.0.0.0 swupdate.brightmail.com eq 443

swupdate.brightmail.com

register.brightmail.com

aztec.brightmail.com

4 Replies

Collin Clark
VIP Alumni

You can create ACL's with DNS names. You can do it with static names. For example-

name swupdate.brightmail.com 216.250.16.26

Then the following would work until brightmail changed the IP.

access-list 101 permit tcp any host swupdate.brightmail.com eq 443

HTH and please rate.

Hmmm... is this considered a limitation of Cisco IOS? I mean, isn't it bad that there is no way for the router to resolve swupdate.brightmail.com on its own?

Just curious. I configured this before on other firewall appliances; if I recall correctly, I was able to input the DNS domain names without needing to hardcode the IP address.

Also, what happens if I have 2 or more IP addresses associated with 'swupdate.brightmail.com'? For example, should I just do this?

#name swupdate.brightmail.com 216.250.16.26

#name swupdate.brightmail.com 216.250.16.27

Thanks a lot for your help!

First off, I assumed you had a PIX, so the name command is incorrect! In IOS you can create an IP host, but I don't think you can use that name in an ACL. I agree that it should be able to do it, but for some reason Cisco doesn't think it's important. In a PIX, if you try to use the same name twice it kicks back an error saying the name is already in use. On IOS, it replaces the first one with the second one (no error).
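Added example, not from the thread or from Cisco: a small Python script that turns the static-name approach above into generated config lines (one name per A record, since the PIX rejects a reused name) and then checks whether the addresses the config was built from still match what DNS returns, which is exactly when the static ACL silently stops working. It uses a constructed offline resolver in place of real DNS and assumes PIX/ASA-style `name <ip> <name>` syntax with names restricted to letters, digits and underscores.

```python
"""Generate static name/ACL lines for DNS-named destinations and detect drift."""
import socket
from typing import Callable, Dict, List, Set

# Constructed A records standing in for DNS answers (the .26/.27 values come
# from the thread, the rest are made up). swupdate has two records on purpose.
FAKE_DNS: Dict[str, List[str]] = {
    "swupdate.brightmail.com": ["216.250.16.26", "216.250.16.27"],
    "register.brightmail.com": ["216.250.16.30"],
    "aztec.brightmail.com": ["216.250.16.31"],
}

def fake_resolve(fqdn: str) -> Set[str]:
    """Offline stand-in for live_resolve(); returns the constructed A records."""
    return set(FAKE_DNS.get(fqdn, []))

def live_resolve(fqdn: str) -> Set[str]:
    """Real lookup for production use; returns every A record, not just the first."""
    return set(socket.gethostbyname_ex(fqdn)[2])

def acl_name(fqdn: str, index: int) -> str:
    """Derive a firewall 'name' (assumed rule: letters, digits and '_' only, no dots)."""
    return fqdn.replace(".", "_").replace("-", "_") + f"_{index}"

def build_config(fqdns: List[str], src: str, acl_id: int = 101, port: int = 443,
                 resolve: Callable[[str], Set[str]] = fake_resolve) -> List[str]:
    """Emit one 'name' plus one ACE per A record so that a host with several
    addresses gets several distinct names instead of a rejected duplicate."""
    lines: List[str] = []
    for fqdn in fqdns:
        for i, ip in enumerate(sorted(resolve(fqdn)), start=1):
            n = acl_name(fqdn, i)
            lines.append(f"name {ip} {n}")
            lines.append(f"access-list {acl_id} permit tcp host {src} host {n} eq {port}")
    return lines

def stale_entries(snapshot: Dict[str, Set[str]],
                  resolve: Callable[[str], Set[str]] = fake_resolve) -> Dict[str, Dict[str, Set[str]]]:
    """Compare the addresses each config was generated from with what DNS says
    now; any difference means the static entries no longer match the service."""
    drift: Dict[str, Dict[str, Set[str]]] = {}
    for fqdn, old in snapshot.items():
        now = resolve(fqdn)
        if now != old:
            drift[fqdn] = {"removed": old - now, "added": now - old}
    return drift
```

Run stale_entries() on a schedule with live_resolve and the snapshot you generated from; a non-empty result is the signal to regenerate the entries before the appliances lose connectivity.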

You guys rule. Thanks much!!
