08 January 2016

Cisco ASA FQDN ACL

Following a request from one of our clients, I was looking into configuring FQDN-based ACL filtering on ASA 9.2(3). There are quite a lot of guides out there, but they miss a few important bits needed to make it work correctly. Through trial and error with a friend of mine, we found the following to be the correct way to configure it.

In this example I wanted to allow all connectivity from the inside LAN to connect to all websites with the exception of google.com.

A word of caution: you obviously need to think about the order in which your ACL entries are applied for the FQDN entry to have any effect.

The above commands set up DNS resolution locally on the ASA so that it queries Google's DNS servers. We now need to create our ACL on the ASA to match the traffic we are interested in blocking.

To ensure that the ACL is actually resolving the correct IPs for the hosts, you can check it with:
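The post's own command blocks did not survive extraction, so the following is an added example, not the author's configuration, showing the full sequence described above (DNS on the ASA, an FQDN network object, the deny-then-permit ACL, and the verification commands). The interface names `inside` and `outside`, the ACL name `inside_in`, the object name `obj-google` and the use of 8.8.8.8 / 8.8.4.4 as resolvers are assumptions; the two timer lines are included to cope with the short-TTL problem mentioned below and are optional.

```text
! --- DNS resolution on the ASA itself (assumed: resolver queries leave via "outside") ---
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
! Re-resolve FQDN objects frequently so the ACL tracks sites with short TTLs (assumption)
dns expire-entry-timer minutes 1
dns poll-timer minutes 1
!
! --- FQDN network object: the ASA resolves this name and expands it to IPs in the ACL ---
object network obj-google
 fqdn google.com
!
! --- ACL: the deny must come before the catch-all permit ---
access-list inside_in extended deny ip any object obj-google
access-list inside_in extended permit ip any any
access-group inside_in in interface inside
!
! --- Verification: cached resolutions, and the ACL with the object expanded to addresses ---
show dns
show access-list inside_in
```

Note for anyone relying on this as a control: the ASA blocks the addresses *it* resolved, which for large sites served by many addresses may not match what the client resolves, so `show access-list inside_in` is worth checking against what clients actually connect to, and the FQDN entry should be treated as a convenience filter rather than a hard block.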

I saw a variety of other posts around the web describing issues with low TTLs on some sites. If you have problems with your ACL, I suggest you take a look at this article:

Cisco Support Forums – Hostname DNS access-lists
