Access-list on using DNS domain name instead of IP?

Hi, can you help me with this one?

Imagine I need to let a couple of Symantec security appliances (internal network) communicate on port 443 TCP to domains listed below. In my experience, I should do this based on the respective domain names (as shown below, since IP addresses change without warning).

Can someone tell me what I should consider in order to do access-lists based on domain name? Is the below correct:

#access-list 101 permit tcp <ip_address_appliance> 0.0.0.0 swupdate.brightmail.com eq 443

swupdate.brightmail.com

register.brightmail.com

aztec.brightmail.com

4 REPLIES

Re: Access-list on using DNS domain name instead of IP?

You can create ACLs with DNS names. You can do it with static names. For example:

name swupdate.brightmail.com 216.250.16.26

Then the following would work until brightmail changed the IP.

access-list 101 permit tcp 0.0.0.0 swupdate.brightmail.com eq 443

HTH and please rate.

New Member

Re: Access-list on using DNS domain name instead of IP?

Hmmm... is this considered a limitation on the Cisco IOS? I mean, isn't that bad that there is no way for the router to resolve swupdate.brightmail.com on its own?

Just curious. I configured this before on other firewall appliances; if I recall correctly, I was able to input the DNS domain names without needing to hardcode the IP address.

Also, what happens if I have 2 or more IP addresses associated with 'swupdate.brightmail.com'? For example, should I just do this?

#name swupdate.brightmail.com 216.250.16.26

#name swupdate.brightmail.com 216.250.16.27

Thanks a lot for your help!

Re: Access-list on using DNS domain name instead of IP?

First off, I assumed you had a PIX, so the name command is incorrect! In IOS you can create an IP host, but I don't think you can use that name in an ACL. I agree that it should be able to do it, but for some reason Cisco doesn't think it's important. In a PIX, if you try and use the same name twice it kicks back an error saying the name is already in use. On IOS, it replaces the first one with the second one (no error).

New Member

Re: Access-list on using DNS domain name instead of IP?

You guys are ruling. Thanks much!!
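Since IOS only accepts literal addresses in an ACL, the practical way to keep a domain-based allow-list like the one in this thread correct is to resolve the names outside the router and regenerate the entries whenever the records change. The script below is an added example (not from this thread or from Cisco): it builds one permit entry per A record for the three brightmail names, de-duplicates names that share an address, and emits the add/remove lines for a change; the appliance address and the resolver snapshots are constructed.

```python
"""Generate and refresh IOS extended-ACL entries for an allow-list of DNS names.

IOS cannot resolve a name inside an ACL, so every permit needs a concrete host
address.  Changes are emitted in 'ip access-list extended' submode, because
'no access-list 101 permit ...' on a numbered ACL deletes the whole list.
"""
import ipaddress
import socket

APPLIANCE = "10.1.2.3"   # constructed: inside address of the Symantec appliance
ACL_NAME = "101"         # numbered ACLs are editable per entry in this submode
PORT = 443

# Constructed resolver snapshots (not live DNS) so the example runs offline.
RESOLVED_BEFORE = {
    "swupdate.brightmail.com": ["216.250.16.26", "216.250.16.27"],
    "register.brightmail.com": ["216.250.16.30"],
    "aztec.brightmail.com": ["216.250.16.30"],   # shares an address with register
}
RESOLVED_AFTER = {
    "swupdate.brightmail.com": ["216.250.16.27", "216.250.16.28"],  # .26 replaced
    "register.brightmail.com": ["216.250.16.30"],
    "aztec.brightmail.com": ["216.250.16.30"],
}

def resolve(names):
    """Live lookup helper (not used by the offline demo): name -> list of IPv4."""
    return {n: socket.gethostbyname_ex(n)[2] for n in names}

def permit_entry(appliance, ip, port=PORT):
    """One ACL entry; IPv4Address() rejects anything that is not a literal address."""
    return f"permit tcp host {appliance} host {ipaddress.IPv4Address(ip)} eq {port}"

def acl_entries(resolved, appliance=APPLIANCE):
    """Sorted, de-duplicated entries covering every address of every name."""
    return sorted({permit_entry(appliance, ip) for addrs in resolved.values() for ip in addrs})

def acl_update(old, new, appliance=APPLIANCE, acl=ACL_NAME):
    """Config lines that move the device from the 'old' to the 'new' resolution state."""
    before, after = set(acl_entries(old, appliance)), set(acl_entries(new, appliance))
    body = [f" {e}" for e in sorted(after - before)] + [f" no {e}" for e in sorted(before - after)]
    return [f"ip access-list extended {acl}"] + body if body else []

if __name__ == "__main__":
    print("\n".join(acl_entries(RESOLVED_BEFORE)))
    print("\n".join(acl_update(RESOLVED_BEFORE, RESOLVED_AFTER)))
```

Run it periodically against `resolve(...)` output and push the returned lines; an empty list means the records have not moved.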
