Solved

Cisco ACL DNS lookup problem

Posted on 2011-02-22
Last Modified: 2012-05-11
I'm trying to use hostnames in my ACLs.  I have domain lookups enabled, ip name-servers defined and DNS permitted in my ACL.  The problem is that even though I can resolve a hostname from the CLI, it does not seem to resolve when I use it in an ACL.  I'm stumped.

Example:
permit tcp host computername.dyndns.org host data.domainname.com eq 1433

If I ping computername.dyndns.org from any of the router's interfaces, it resolves and pings.

Any thoughts?
Question by:Frank McCourry
 
LVL 17

Accepted Solution

by:
Kvistofta earned 250 total points
ID: 34956035
Hello

That cannot be done. The host names you use in ACLs cannot be resolved by DNS, only with locally defined hostnames.

Best regards
Kvistofta
 
LVL 8

Author Comment

by:Frank McCourry
ID: 34956116
I have to argue that when I enter the ACL, the router will stop and try to resolve the names using the ip name-servers I defined.  If it were not possible, why would the router attempt to process in this manner?
 
LVL 2

Assisted Solution

by:dslam24
dslam24 earned 250 total points
ID: 34956507
I have never seen an ACL setup like that.  The only way that I've seen an ACL showing a 'hostname' or name is when they are defined in the config by enabling:

names
name <ip address> <description>


If anything I'd be curious to know if you get it to work.  Check your syslogs to see whether it is actually trying to resolve the name in the ACL.
 
LVL 8

Author Comment

by:Frank McCourry
ID: 34961737
@dslam24 -

After doing some more reading, I have found that it is possible, however if the IP address of the hostname changes after the ACL is read into the config, the entry will not be changed.  So it appears that this is an exercise in futility.  

I do wonder if I keep a list of names, as you suggest, if updating those names would make it work.  I would think those entries would be easier to manage than having to edit multiple lines in my ACL.  

I'll give it a try and post back my results.
 
LVL 8

Author Comment

by:Frank McCourry
ID: 34961854
Hmmm... Names command is not available.  Looking back, I forgot to specify that I am working on a Cisco 2621 Router with IOS 12.2(16a)
 
LVL 2

Expert Comment

by:dslam24
ID: 34962534
Oh, sorry about that.  I assumed a PIX/ASA.  I don't think the name/names commands are available on the routers; I checked a few of mine as well as Google, of course.

Best I can think of at this point is to use the "remark" command in your ACLs; that way you can still keep a description of each line if you wanted to.

http://www.cisco.com/en/US/docs/ios/12_0t/12_0t2/feature/guide/comment.html
 
LVL 8

Author Comment

by:Frank McCourry
ID: 35007152
That is how I currently keep track of what entries are in my ACL.  It appears that there is no good solution for this problem.  I wonder if Cisco will release an IOS in the near future that will address this problem.  It is getting more and more prominent that remote workers will use dynamic DNS, which will make this more of a concern for admins.  For now... bummer.  It looks like my users will have to pay for static IPs.
 
LVL 8

Author Comment

by:Frank McCourry
ID: 35007240
Leaving this question open in hopes that someone else may find a workaround....
 
LVL 17

Expert Comment

by:Kvistofta
ID: 35008327
Hi

With all respect, I would suggest that you instead close the question and award us who gave you a correct answer.

Best regards
Kvistofta
 
LVL 8

Author Comment

by:Frank McCourry
ID: 35008484
With the same respect, I am looking for a solution to my problem.  If I close this question just to award points (which you deserve), I would not be doing justice to my question or others in my situation.  Be assured that if I receive no more responses on this question within the next week, I will close it and award points.  For now I would like to see if there is any more input available.
 
LVL 17

Expert Comment

by:Kvistofta
ID: 35008676
ok. :-)

/Kvistofta
 
LVL 8

Author Closing Comment

by:Frank McCourry
ID: 35038921
Thanks for your input.
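The thread's conclusion is that IOS resolves a hostname once, when the ACL line is entered, and stores only the IP, so a dynamic-DNS host that moves leaves a stale entry behind. One way to catch that, as an added example that is not from the thread or from Cisco: a Python script that parses the ACL as the router stores it (resolved IPs, with the original names kept in remark lines as dslam24 suggested), re-resolves each name, and emits the replacement lines. The ACL text, the remark format, and the offline resolver map are constructed assumptions; the addresses are documentation ranges.

```python
import re
from typing import Callable, Dict, List

# Constructed sample of what IOS writes back after resolving the names at
# configuration time: only the IPs survive, so the names live in remark lines.
RUNNING_ACL = """\
ip access-list extended SQL-IN
 remark host computername.dyndns.org -> data.domainname.com
 permit tcp host 203.0.113.10 host 198.51.100.5 eq 1433
 remark host laptop.dyndns.org -> data.domainname.com
 permit tcp host 203.0.113.20 host 198.51.100.5 eq 1433
"""
REMARK_RE = re.compile(r"^\s*remark host (\S+) -> (\S+)$")
PERMIT_RE = re.compile(r"^\s*permit tcp host (\S+) host (\S+) eq (\d+)$")

def find_stale_entries(acl_text: str, resolve: Callable[[str], str]) -> List[Dict[str, str]]:
    """Pair each remark with the permit line that follows it, re-resolve both
    names, and return the entries whose stored IPs no longer match DNS."""
    stale, pending = [], None
    for line in acl_text.splitlines():
        m = REMARK_RE.match(line)
        if m:
            pending = m.groups()          # (source name, destination name)
            continue
        m = PERMIT_RE.match(line)
        if m and pending:
            src_name, dst_name = pending
            pending = None
            old_src, old_dst, port = m.groups()
            new_src, new_dst = resolve(src_name), resolve(dst_name)
            if (new_src, new_dst) != (old_src, old_dst):
                stale.append({"old": line.strip(),
                              "new": f"permit tcp host {new_src} host {new_dst} eq {port}"})
    return stale

# Constructed resolver so the example runs offline; for real use pass
# socket.gethostbyname instead.
FAKE_DNS = {
    "computername.dyndns.org": "203.0.113.99",  # the dynamic address has moved
    "laptop.dyndns.org": "203.0.113.20",
    "data.domainname.com": "198.51.100.5",
}

def fake_resolve(name: str) -> str:
    return FAKE_DNS[name]

if __name__ == "__main__":
    for entry in find_stale_entries(RUNNING_ACL, fake_resolve):
        print(f"no {entry['old']}")   # named ACLs accept per-entry removal
        print(entry["new"])
```

The per-entry `no` form only works for named ACLs; on a numbered ACL, `no access-list` removes the whole list, so regenerate the list instead.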