I need help configuring Cisco ASA to allow any subdomain like the example below via FQDN or another available method.
Basically what I want is for this server to only be allowed to do Microsoft security updates.
My question is whether the ASA is capable of allowing you to reach a subdomain or if there is any way to put a regular expression using the * character.
It is possible to use the FQDN as part of an access list to filter traffic based on the IP address that that particular FQDN resolves to. However, it is not possible to use wildcard masks within the FQDN statement in the network object. This is stated in the ASA command reference here:
Specifically, it states:
The FQDN must begin and end with a digit or letter. Only letters, digits, and hyphens are allowed as internal characters. Labels are separated by a dot (for example, www.cisco.com).
So no wildcards of any type are accepted as FQDN network objects. I tried this on my ASA 5506 version 9.8 and I have confirmed it.
The use of an FQDN network object with an access list is a solution that has limitations and some difficulties in implementation. There are certain best practices that should be adhered to to ensure proper operation. Having said that, there are more appropriate (and reliable) solutions that you can use such as using an external URL filtering server, or the application inspection feature on the ASA. Take a look at this Cisco community post for more info.
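To make the quoted syntax rule concrete, here is a small checker that applies it to candidate names before you try to create a network object. This is added example code, not from the thread or from Cisco; it only encodes the sentence quoted above. One assumption: the start/end-with-a-letter-or-digit rule is applied to every label (the usual RFC 1123 hostname convention), which is slightly stricter than the sentence read literally. The candidate names are constructed; example.com is a placeholder, not a Microsoft update host.

```python
import re
from typing import Dict, List, Optional

# One DNS label in the syntax the ASA command reference gives for FQDN
# network objects: starts and ends with a letter or digit, hyphens only
# inside. Applying this per label is this example's assumption.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")


def fqdn_rejection_reason(name: str) -> Optional[str]:
    """Return None if `name` fits the quoted FQDN syntax, otherwise say why not."""
    if not name:
        return "empty name"
    # The thread's actual question: '*' (or any glob) is simply not part of the grammar.
    if "*" in name or "?" in name:
        return "wildcard characters are not allowed"
    for label in name.split("."):
        if label == "":
            return "empty label (leading, trailing or doubled dot)"
        if not _LABEL.fullmatch(label):
            return (f"label {label!r} must start and end with a letter or digit "
                    "and contain only letters, digits and hyphens")
    return None


def is_valid_asa_fqdn(name: str) -> bool:
    """Boolean form of fqdn_rejection_reason()."""
    return fqdn_rejection_reason(name) is None


def check_candidates(names: List[str]) -> Dict[str, Optional[str]]:
    """Map each candidate name to its rejection reason (None means accepted)."""
    return {n: fqdn_rejection_reason(n) for n in names}


# Constructed candidates for illustration only.
CANDIDATES = [
    "www.cisco.com",            # the reference's own example
    "update.example.com",       # a plain host name: accepted
    "*.example.com",            # the wildcard form the question asks about
    "-update.example.com",      # leading hyphen in a label
    "update..example.com",      # empty label
    "update_srv.example.com",   # underscore is not in the allowed set
]

if __name__ == "__main__":
    for name, reason in check_candidates(CANDIDATES).items():
        verdict = "OK" if reason is None else "REJECT: " + reason
        print(f"{name:26} {verdict}")
```

Running it shows that only the two plain host names pass; the wildcard entry fails for the same reason the ASA CLI refuses it, so a per-host object (or one of the alternatives mentioned above, such as URL filtering or application inspection) is the way to cover a whole set of update hosts.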
This is due to the way the ASA handles DNS. The ASA is not capable of doing DNS lookups in real-time for each packet that traverses the firewall. Therefore, it can’t resolve FQDNs in access-lists that are applied to VPN tunnels, because the ASA would need to resolve the FQDN to an IP address each time a packet that matches the access-list is processed.
Instead, you should use IP addresses or IP ranges in your access-lists for VPN split tunneling. If the IP addresses for the resources you’re trying to access via the VPN are subject to change, you might want to consider using a dynamic DNS service to keep track of the current IP addresses.
Thank you very much for your explanation.
Since this is the restriction for ASA, does that mean other devices like Cisco Firepower may support FQDN in ACL to VPN tunnels?
I am under the impression that other devices such as Cisco Firepower may support the use of FQDN in ACLs for VPN split tunneling. I don’t have a Firepower device on hand to try it out, nor have I been able to find any definitive documentation that states this. Ultimately the best thing to do is try it out practically and see what kind of results you get. If you or anyone else reading this thread does try it out, please let us know your results!