I need help configuring Cisco ASA to allow any subdomain like the example below via FQDN or another available method.
Basically what I want is for this server to only be allowed to do Microsoft security updates.
My question is whether the ASA is capable of allowing you to reach a subdomain or if there is any way to put a regular expression using the * character.
object-group network PC1
network-object host 192.168.1.50
object network MS_Update
access-list TEST_IN extended permit tcp object-group PC1 object MS_Update eq 443
access-group TEST_IN in interface SERVER_ZONE
It is possible to use the FQDN as part of an access list to filter traffic based on the IP address that that particular FQDN resolves to. However, it is not possible to use wildcard masks within the FQDN statement in the network object. This is stated in the ASA command reference here:
Specifically, it states:
The FQDN must begin and end with a digit or letter. Only letters, digits, and hyphens are allowed as internal characters. Labels are separated by a dot (for example, www.cisco.com).
So no wildcards of any type are accepted as FQDN network objects. I tried this on my ASA 5506 version 9.8 and I have confirmed it.
The use of an FQDN network object with an access list is a solution that has limitations and some difficulties in implementation. There are certain best practices that should be adhered to to ensure proper operation. Having said that, there are more appropriate (and reliable) solutions that you can use such as using an external URL filtering server, or the application inspection feature on the ASA. Take a look at this Cisco community post for more info.
I hope this has been helpful!
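An added example, not taken from the question or the answer above, showing the configuration the answer describes: an FQDN network object only works when the ASA can resolve names itself, so it needs a DNS server group and domain-lookup on an interface, and because wildcards are not accepted each update hostname is listed as its own object. The interface name "outside", the DNS server address and the update hostnames are placeholders or assumptions.

```cisco
! Added example, not the poster's config. Placeholders in <angle brackets>.
! 1. The ASA must resolve names itself; without this the FQDN objects
!    never populate and the permit line matches nothing.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server <dns-server-ip>
 ! Re-resolve periodically so the cached address list stays current
 expire-entry-timer minutes 60
 poll-timer minutes 60
!
! 2. One hostname per object, no wildcards, so enumerate each host and
!    group them so the ACL stays short.
object network MS_Update_1
 fqdn v4 <update-host-1.example.com>
object network MS_Update_2
 fqdn v4 <update-host-2.example.com>
object-group network MS_Update
 network-object object MS_Update_1
 network-object object MS_Update_2
!
object-group network PC1
 network-object host 192.168.1.50
!
! 3. Permit only HTTPS to the resolved addresses; the explicit deny
!    logs anything else the host tries to reach.
access-list TEST_IN extended permit tcp object-group PC1 object-group MS_Update eq 443
access-list TEST_IN extended deny ip object-group PC1 any log
access-group TEST_IN in interface SERVER_ZONE
!
! 4. Check what the names resolved to and what the ACL actually expands to
show dns
show access-list TEST_IN
```

If `show dns` lists no address for a hostname, the ACL line for it is inactive and the host's update traffic will be dropped, which is the main operational limitation the answer refers to.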