Cisco ACL DNS lookup problem

I'm trying to use hostnames in my ACLs.  I have domain lookups enabled, ip name-servers defined and DNS permitted in my ACL.  The problem is that even though I can resolve a hostname from the CLI, it does not seem to resolve when I use it in an ACL.  I'm stumped.

Example:
permit tcp host computername.dyndns.org host data.domainname.com eq 1433

If I ping computername.dyndns.org from any of the router's interfaces, it resolves and pings.

Any thoughts?
Asked by: Frank McCourry

2 Solutions

Jimmy Larsson, CISSP, CEH (Network and Security consultant) commented:
Hello

That cannot be done. The host names you use in ACLs cannot be resolved by DNS, only with locally defined hostnames.

Best regards
Kvistofta
Frank McCourry (V.P. Holland Computers, Inc.), author, commented:
I have to argue that when I enter the ACL, the router will stop and try to resolve the names using the ip name-servers I defined.  If it were not possible, why would the router attempt to process in this manner?
dslam24 commented:
I have never seen an ACL set up like that.  The only way that I've seen an ACL showing a 'hostname' or name is when they are defined in the config by enabling:

names
name <ip address> <description>


If anything I'd be curious to know if you get it to work.  Check your syslogs to see whether it is actually trying to resolve the name in the ACL.
Frank McCourry (V.P. Holland Computers, Inc.), author, commented:
@dslam24 -

After doing some more reading, I have found that it is possible, however if the IP address of the hostname changes after the ACL is read into the config, the entry will not be changed.  So it appears that this is an exercise in futility.  

I do wonder if I keep a list of names, as you suggest, if updating those names would make it work.  I would think those entries would be easier to manage than having to edit multiple lines in my ACL.  

I'll give it a try and post back my results.
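
The behaviour described in the comment above (the hostname is resolved once when the line is entered and the address is then frozen in the ACL) means a dynamic-DNS change leaves a stale address permitted and the new one blocked. One way to keep such entries current is to re-resolve the names off-box and push replacement lines that retire the old address before adding the new one. This is an added example, not code from any poster or from Cisco; the ACL name REMOTE-SQL, the rule list, the injectable resolver and the named extended ACL form are assumptions, and the hostnames are the ones from the question.

```python
"""Re-resolve hostnames used in an IOS ACL and emit replacement lines.

Assumptions (not from the original thread): a named extended ACL called
REMOTE-SQL, a rule list held off-box, and a resolver that can be swapped
for a constructed mapping so the logic can be exercised offline.
"""
import socket
from typing import Callable, Dict, Iterable, List, Tuple

Rule = Tuple[str, str, str, int]  # (protocol, src hostname, dst hostname, dst port)

# Rule list mirroring the ACL line from the question (hypothetical structure).
RULES: List[Rule] = [
    ("tcp", "computername.dyndns.org", "data.domainname.com", 1433),
]


def resolve_all(hostnames: Iterable[str],
                resolver: Callable[[str], str] = socket.gethostbyname) -> Dict[str, str]:
    """Resolve every hostname now; the resolver is injectable for offline use."""
    return {h: resolver(h) for h in hostnames}


def acl_update(name: str, rules: List[Rule],
               previous: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Config lines that remove a stale entry before adding the fresh one.

    Removing only the changed line (rather than deleting and recreating the
    whole ACL) matters: on IOS an ACL that is applied but empty permits
    everything while it is being rebuilt.  Returns [] when nothing changed.
    """
    lines = [f"ip access-list extended {name}"]
    for proto, src, dst, port in rules:
        old = (previous.get(src), previous.get(dst))
        new = (current[src], current[dst])
        if old == new:
            continue  # address unchanged, entry already correct
        if None not in old:
            lines.append(f" no permit {proto} host {old[0]} host {old[1]} eq {port}")
        lines.append(f" remark {src} -> {dst}")
        lines.append(f" permit {proto} host {new[0]} host {new[1]} eq {port}")
    return lines if len(lines) > 1 else []


if __name__ == "__main__":
    # Constructed previous state; a real run would load it from the last push.
    previous_state = {"computername.dyndns.org": "203.0.113.9",
                      "data.domainname.com": "198.51.100.5"}
    current_state = resolve_all(h for r in RULES for h in (r[1], r[2]))
    print("\n".join(acl_update("REMOTE-SQL", RULES, previous_state, current_state)))
```

Pushing the emitted lines to the router (SSH, a config-management tool, or by hand) is left to the operator; the script only computes what needs to change.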
Frank McCourry (V.P. Holland Computers, Inc.), author, commented:
Hmmm... The names command is not available.  Looking back, I forgot to specify that I am working on a Cisco 2621 Router with IOS 12.2(16a).
dslam24 commented:
Oh, sorry about that.  I assumed a PIX/ASA.  I don't think the name/names commands are available on the routers; I checked a few of mine as well as Google, of course.

Best I can think of at this point is to use the "remark" command in your ACLs; that way you can still keep a description of each line if you wanted to.

http://www.cisco.com/en/US/docs/ios/12_0t/12_0t2/feature/guide/comment.html
Frank McCourry (V.P. Holland Computers, Inc.), author, commented:
That is how I currently keep track of what entries are in my ACL.  It appears that there is no good solution for this problem.  I wonder if Cisco will release an IOS in the near future that will address this problem.  It is getting more and more prominent that remote workers will use dynamic DNS, which will make this more of a concern for admins.  For now... bummer.  It looks like my users will have to pay for static IPs.
Frank McCourry (V.P. Holland Computers, Inc.), author, commented:
Leaving this question open in hopes that someone else may find a workaround....
Jimmy Larsson, CISSP, CEH (Network and Security consultant) commented:
Hi

With all respect, I would suggest that you instead close the question and award us who gave you a correct answer.

Best regards
Kvistofta
Frank McCourry (V.P. Holland Computers, Inc.), author, commented:
With the same respect, I am looking for a solution to my problem.  If I close this question just to award points (which you deserve), I would not be doing justice to my question or others in my situation.  Be assured that if I receive no more responses on this question within the next week, I will close it and award points.  For now I would like to see if there is any more input available.
Jimmy Larsson, CISSP, CEH (Network and Security consultant) commented:
ok. :-)

/Kvistofta
Frank McCourry (V.P. Holland Computers, Inc.), author, commented:
Thanks for your input.