Creating Access list rule on ASA5510 using a domain name

Posted on 2009-03-30
Last Modified: 2012-05-06
I am needing to allow our Symantec AV Server through our ASA 5510 to download updates.  I am only wanting to allow the server out to the symantec site(s).  I contacted Symantec to get a list of IP Addresses they use for their definition downloads.  Symantec indicated they reference a domainname/url and they don't have a list of IP's to give out.  They indicated I only need to reference in our firewall and it will work.  How do I create an access-list rule in the ASA to reference
Question by:angie_lynn

Assisted Solution

egyptco earned 100 total points
ID: 24024124

such feature would have been great but i'm afraid I've never heard about it. on the asa you should allow ports 80, 21 and 443 ( from your AV Server to any destination in outside and you shouldn't have any problems with the update.
or try this solution with LUAU 

Accepted Solution

FWeston earned 400 total points
ID: 24029288
Unfortunately, I don't think PIX/ASA support what you're trying to do.  The liveupdate site looks like it's set up in a round-robin DNS configuration, so I'll list the following options in the order of most secure to least secure:

1) add access-lists permitting your internal AV server to access tcp ports 80/21/443 on the six IPs below
2) add a single access-list permitting your internal AV server to access tcp ports 80/21/443 on the network
3) add a single access-list permitting your internal AV server to access tcp ports 80/21/443 on any host

Option 2 is probably a pretty safe option that won't require you to update ACLs every month.

FYI - the IP addresses I currently see for are:,,,,, and

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Is this QoS Correct on this  CISCO 3825 Router 1 33
Cisco NBAR 6 31
Issue with seeing default gateway on ASA 5506 firewall 4 33
Using VLAN Interface in ASA 5 21
How to configure Site to Site VPN on a Cisco ASA.     (version: 1.1 - updated August 6, 2009) Index          [Preface]   1.    [Introduction]   2.    [The situation]   3.    [Getting started]   4.    [Interesting traffic]   5.    [NAT0]   6.…
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

912 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now