Following on a request from one of our clients I was looking into configuring ACL filtering, on ASA 9.2(3).  There are quite a lot of the guides out there, but they are missing a few important bits to make it work correctly, through trial and error with a friend of mine we found the following the correct way to configure it.

In this example I wanted to allow all connectivity from the inside LAN to connect to all websites with the exception of

A word of caution obviously you need to think about the order in which your ACL’s are being applied in order to make the ACL work.

The above commands setup DNS running locally on the ASA to query google’s dns servers. We now need to create our ACL on the ASA to match the traffic we are interested in blocking

To ensure that the ACL is actually resolving the correct IP’s for the hosts, you can check it with;

I saw a variety of other posts around the web talking about issues with low TTL on some sites, if you have issues with your ACL, I suggest you take a look at this article;

Cisco Support Forums – Hostname DNS access-lists

Leave a comment

Your email address will not be published. Required fields are marked *

Are you human? * Time limit is exhausted. Please reload the CAPTCHA.