Cisco ASA - Allow Subdomain by FQDN

Hello PO

A Cisco ASA does support the use of an FQDN as part of an access list, however, it does not support such an arrangement for access lists used for VPN split tunneling.

This is due to the way the ASA handles DNS. The ASA is not capable of doing DNS lookups in real-time for each packet that traverses the firewall. Therefore, it can’t resolve FQDNs in access-lists that are applied to VPN tunnels, because the ASA would need to resolve the FQDN to an IP address each time a packet that matches the access-list is processed.

Instead, you should use IP addresses or IP ranges in your access-lists for VPN split tunneling. If the IP addresses for the resources you’re trying to access via the VPN are subject to change, you might want to consider using a dynamic DNS service to keep track of the current IP addresses.

I hope this has been helpful!
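As an added illustration of the answer above (example configuration written for this page, not the poster's own config; every name, subnet and address in it is a constructed placeholder): the FQDN network object is used in a normal interface access list, where the ASA resolves it via the configured DNS server, while the split-tunnel list for the VPN group policy is built from IP subnets only.

```cisco
! --- FQDN object in an interface ACL (supported by the ASA) ---
! The ASA can only resolve FQDN objects if DNS lookup is enabled on an
! interface and a DNS server is configured; it refreshes the mapping
! according to the record's TTL, not per packet.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.0.2.53
!
object network SAAS_PORTAL
 fqdn v4 portal.example.com
!
access-list OUTSIDE_OUT extended permit tcp any object SAAS_PORTAL eq 443
access-group OUTSIDE_OUT out interface outside
!
! --- Split-tunnel ACL: FQDN objects are not supported here, so the
!     networks reachable through the tunnel are listed as IP subnets ---
access-list SPLIT_TUNNEL standard permit 10.10.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 203.0.113.0 255.255.255.0
!
group-policy REMOTE_USERS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
```

Keeping the split-tunnel list to explicit subnets means the set of destinations sent through the tunnel is fixed and reviewable; if those addresses change, the list has to be updated by hand, which is the maintenance cost the answer points at. After applying the FQDN object, `show dns` on the ASA lists the addresses it has currently resolved for `portal.example.com`, which is the quickest way to confirm the object is actually being populated.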