Cisco ASA - Allow Subdomain by FQDN

Dear,

I need help configuring Cisco ASA to allow any subdomain like the example below via FQDN or another available method.

Basically what I want is for this server to only be allowed to do Microsoft security updates.

My question is whether the ASA is capable of allowing you to reach a subdomain or if there is any way to put a regular expression using the * character.

!
object-group network PC1
  network-object host 192.168.1.50
!
object network MS_Update
  fqdn *.microsoft.com
  fqdn *.update.microsoft.com
!
access-list TEST_IN extended permit tcp object PC1 object MS_Update eq 443
!
access-group TEST_IN in interface SERVER_ZONE
!
!

Hello Leandro

It is possible to use the FQDN as part of an access list to filter traffic based on the IP address that that particular FQDN resolves to. However, it is not possible to use wildcard masks within the FQDN statement in the network object. This is stated in the ASA command reference here:

Specifically, it states:

The FQDN must begin and end with a digit or letter. Only letters, digits, and hyphens are allowed as internal characters. Labels are separated by a dot (for example, www.cisco.com).

So no wildcards of any type are accepted as FQDN network objects. I tried this on my ASA 5506 version 9.8 and I have confirmed it.

The use of an FQDN network object with an access list is a solution that has limitations and some difficulties in implementation. There are certain best practices that should be adhered to in order to ensure proper operation. Having said that, there are more appropriate (and reliable) solutions that you can use, such as an external URL filtering server or the application inspection feature on the ASA. Take a look at this Cisco community post for more info.

I hope this has been helpful!

Laz
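As an added example (not from this thread and not Cisco's code), here is a small Python checker that applies the label rule quoted above to the fqdn lines of an object network block, so entries the ASA would reject (such as wildcards) are flagged before the config is pasted in. The sample block is constructed from the entries in the original question plus www.cisco.com from the quoted rule; the optional v4/v6 keyword handling follows the ASA fqdn command syntax.

```python
import re

# Rule quoted from the ASA command reference: each label must begin and end
# with a letter or digit, and may only contain letters, digits and hyphens
# internally; labels are separated by dots.
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")


def fqdn_problems(fqdn):
    """Return the reasons the ASA would reject this FQDN (empty list = acceptable)."""
    problems = []
    if not fqdn:
        return ["empty name"]
    if "*" in fqdn or "?" in fqdn:
        problems.append("wildcard characters are not permitted in an FQDN object")
    for label in fqdn.split("."):
        if not LABEL_RE.fullmatch(label):
            problems.append(
                f"label {label!r} must be letters, digits and internal hyphens only"
            )
    return problems


def check_fqdn_entries(config_text):
    """Map every 'fqdn [v4|v6] <name>' entry in an object block to its problems."""
    results = {}
    for raw in config_text.splitlines():
        parts = raw.strip().split()
        if len(parts) < 2 or parts[0] != "fqdn":
            continue
        # ASA syntax allows an optional address-family keyword before the name.
        name = parts[2] if parts[1] in ("v4", "v6") and len(parts) > 2 else parts[1]
        results[name] = fqdn_problems(name)
    return results


# Constructed sample: the questioner's object plus one valid entry.
SAMPLE_OBJECT = """object network MS_Update
  fqdn *.microsoft.com
  fqdn *.update.microsoft.com
  fqdn v4 www.cisco.com
"""

if __name__ == "__main__":
    for name, problems in check_fqdn_entries(SAMPLE_OBJECT).items():
        status = "OK" if not problems else "REJECTED: " + "; ".join(problems)
        print(f"{name}: {status}")
```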

I tried to add the following line but received the error log.
access-list SPLIT-TUNNEL line 16 extended permit ip object FQDN object-group VPN

Received:
ERROR: Access-list contains user, user-group, security-group or FQDN objects. These are not supported in group policies.

ASA does not allow me to use FQDN. Why?

Hello PO

A Cisco ASA does support the use of an FQDN as part of an access list, however, it does not support such an arrangement for access lists used for VPN split tunneling.

This is due to the way the ASA handles DNS. The ASA is not capable of doing DNS lookups in real-time for each packet that traverses the firewall. Therefore, it can’t resolve FQDNs in access-lists that are applied to VPN tunnels, because the ASA would need to resolve the FQDN to an IP address each time a packet that matches the access-list is processed.

Instead, you should use IP addresses or IP ranges in your access-lists for VPN split tunneling. If the IP addresses for the resources you’re trying to access via the VPN are subject to change, you might want to consider using a dynamic DNS service to keep track of the current IP addresses.

I hope this has been helpful!

Laz

Thank you very much for your explanation.
Since this is the restriction for ASA, does that mean other devices like Cisco Firepower may support FQDN in ACL to VPN tunnels?

Hello PO

I am under the impression that other devices such as Cisco Firepower may support the use of FQDN in ACLs for VPN split tunneling. I don’t have a Firepower device on hand to try it out, nor have I been able to find any definitive documentation that states this. Ultimately the best thing to do is try it out practically and see what kind of results you get. If you or anyone else reading this thread does try it out, please let us know your results!

I hope this has been helpful!

Laz