ASA FQDN ACL – Networking Lab

Quick how to for FQDN ACL on ASA.
These are not recommended, but still possible.

Create Objects


object-group network MY_OBJ
 network-object host 172.22.32.25
 network-object host 172.22.32.26

object network OBJ-outlook.office365.com
 fqdn outlook.office365.com

object-group network MY_OBJ

network-object host 172.22.32.25

network-object host 172.22.32.26

object network OBJ-outlook.office365.com

fqdn outlook.office365.com

Create ACL


access-list FW-LB extended permit tcp object-group MY_OBJ object OBJ-outlook.office365.com eq smtp

access-list FW-LB extended permit tcp object-group MY_OBJ object OBJ-outlook.office365.com eq smtp

Need DNS servers


conf t
dns domain-lookup outside
DNS server-group DefaultDNS
  name-server 8.8.8.8
  name-server 1.1.1.1
end
wr

conf t

dns domain-lookup outside

DNS server-group DefaultDNS

name-server 8.8.8.8

name-server 1.1.1.1

end

Test


ping outlook.office365.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 40.97.113.34, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/30/30 ms

ping outlook.office365.com

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 40.97.113.34, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 30/30/30 ms

Create Objects

Create ACL

Need DNS servers

Test

Leave a Comment Cancel Reply