Cisco ACL DNS lookup problem

Asked by Frank McCourry

I'm trying to use hostnames in my ACLs.  I have domain lookups enabled, ip name-servers defined and DNS permitted in my ACL.  The problem is that even though I can resolve a hostname from the CLI, it does not seem to resolve when I use it in an ACL.  I'm stumped.

Example:
permit tcp host computername.dyndns.org host data.domainname.com eq 1433

If I ping computername.dyndns.org from any of the router's interfaces, it resolves and pings.

Any thoughts?
ASKER CERTIFIED SOLUTION by Jimmy Larsson, CISSP, CEH
Frank McCourry (ASKER):
I have to argue that when I enter the ACL, the router will stop and try to resolve the names using the ip name-servers I defined.  If it were not possible, why would the router attempt to process in this manner?
SOLUTION
@dslam24 -

After doing some more reading, I have found that it is possible, however if the IP address of the hostname changes after the ACL is read into the config, the entry will not be changed.  So it appears that this is an exercise in futility.  

I do wonder, if I keep a list of names as you suggest, whether updating those names would make it work.  I would think those entries would be easier to manage than having to edit multiple lines in my ACL.

I'll give it a try and post back my results.
Hmmm... the names command is not available.  Looking back, I forgot to specify that I am working on a Cisco 2621 Router with IOS 12.2(16a).
dslam24:

Oh, sorry about that.  I assumed a PIX/ASA.  I don't think the name/names commands are available on the routers; I checked a few of mine, as well as Google of course.

Best I can think of at this point is to use the "remark" command in your ACLs; that way you can still keep a description of each line if you wanted to.

http://www.cisco.com/en/US/docs/ios/12_0t/12_0t2/feature/guide/comment.html
That is how I currently keep track of what entries are in my ACL.  It appears that there is no good solution for this problem.  I wonder if Cisco will release an IOS in the near future that will address this problem.  It is getting more and more prominent that remote workers will use dynamic DNS, which will make this more of a concern for admins.  For now... bummer.  It looks like my users will have to pay for static IPs.
Leaving this question open in hopes that someone else may find a workaround....
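The behaviour discussed in this thread (IOS resolves a hostname once when the ACL line is entered, stores the address, and never re-resolves it) can at least be checked out of band. The following script is an added example, not code posted by anyone in this thread: it assumes the convention that each hostname-derived entry is preceded by a `remark host=<name>` line, re-resolves every name, and emits the IOS commands needed to replace entries whose address has drifted. The ACL text and DNS answers are constructed sample data; a real run would pass `socket.gethostbyname` (or a resolver of your choice) instead of the constructed lookup table.

```python
"""Detect stale hostname-derived entries in a Cisco IOS extended ACL.

IOS stores the IP address that a hostname resolved to at the moment the ACE
was entered; a later DNS change leaves the stored address in place. Keeping
the intended hostname in a 'remark host=<name>' line beside each ACE lets an
external job re-resolve the name and flag or regenerate entries that drifted.
"""
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str], str]

# Constructed sample: ACL as IOS would store it, hostnames already replaced by
# the addresses resolved at entry time. Addresses are documentation ranges.
SAMPLE_ACL = """\
ip access-list extended SQL-IN
 remark host=computername.dyndns.org
 permit tcp host 203.0.113.10 host 198.51.100.5 eq 1433
 remark host=other-worker.dyndns.org
 permit tcp host 203.0.113.11 host 198.51.100.5 eq 1433
"""

# Constructed "current DNS" answers: the first worker's dynamic address moved.
CONSTRUCTED_DNS: Dict[str, str] = {
    "computername.dyndns.org": "203.0.113.99",
    "other-worker.dyndns.org": "203.0.113.11",
}

REMARK_RE = re.compile(r"^\s*remark\s+host=(\S+)\s*$")
# Source 'host <ip>' of an extended ACE: "permit tcp host 203.0.113.10 ..."
SRC_HOST_RE = re.compile(
    r"^(\s*(?:permit|deny)\s+\S+\s+host\s+)(\d+\.\d+\.\d+\.\d+)(\s.*)$"
)


def parse_acl(text: str) -> List[Tuple[str, str, str]]:
    """Return (hostname, stored_ip, ace_line) for each remark/ACE pair.

    A 'remark host=<name>' line annotates the ACE immediately following it.
    ACEs without such a remark are ignored (they were entered by address).
    """
    entries: List[Tuple[str, str, str]] = []
    pending: Optional[str] = None
    for line in text.splitlines():
        m = REMARK_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = SRC_HOST_RE.match(line)
        if m and pending:
            entries.append((pending, m.group(2), line))
        pending = None
    return entries


def find_drift(entries, resolve: Resolver = socket.gethostbyname) -> List[dict]:
    """Compare each stored address with what DNS returns now.

    Names that fail to resolve are reported with current=None rather than
    silently keeping the old ACE, since that is exactly the case an operator
    needs to look at.
    """
    drift = []
    for hostname, stored_ip, line in entries:
        try:
            current_ip: Optional[str] = resolve(hostname)
        except OSError:  # socket.gaierror is a subclass of OSError
            current_ip = None
        if current_ip != stored_ip:
            drift.append({"hostname": hostname, "stored": stored_ip,
                          "current": current_ip, "line": line})
    return drift


def render_updates(drift: List[dict]) -> List[str]:
    """Build the named-ACL config lines: remove the stale ACE, add the new one."""
    cmds: List[str] = []
    for d in drift:
        if d["current"] is None:
            cmds.append(f"! {d['hostname']} did not resolve; review manually")
            continue
        cmds.append("no " + d["line"].strip())
        cmds.append(SRC_HOST_RE.sub(rf"\g<1>{d['current']}\g<3>", d["line"]).strip())
    return cmds


if __name__ == "__main__":
    # Offline demonstration using the constructed lookup table.
    drifted = find_drift(parse_acl(SAMPLE_ACL), lambda name: CONSTRUCTED_DNS[name])
    for cmd in render_updates(drifted):
        print(cmd)
```

Run it periodically (or from a dynamic-DNS update hook) and feed the emitted lines into the named ACL's configuration mode; an entry that no longer resolves is flagged rather than rewritten, so a lapsed dynamic-DNS name does not quietly become a permanent hole or a permanent lockout.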
Hi

With all respect, I would suggest that you instead close the question and award us who gave you a correct answer.

Best regards
Kvistofta
With the same respect, I am looking for a solution to my problem.  If I close this question just to award points (which you deserve), I would not be doing justice to my question or others in my situation.  Be assured that if I receive no more responses on this question within the next week, I will close it and award points.  For now I would like to see if there is any more input available.
ok. :-)

/Kvistofta
Thanks for your input.