8

Can I use FQDNs in crypto maps when setting a peer (where I'd normally use an IP), and can I use FQDNs when defining an LDAP server or any other AAA server in a server group? In both cases the FQDNs would have to be resolved by calls to an external DNS server (FQDN objects).

If the answer is yes, please provide a quick example of how to do that. I already know how to use FQDNs in ACLs, set up external DNS and validate the ASA is resolving those properly.

A L
  • AL, are you asking whether it's possible to have the ASA [re-resolve](https://supportforums.cisco.com/document/66011/asa-using-hostnames-dns-access-lists-configuration-steps-caveats-and-troubleshooting) the FQDN every so often (like they do for dynamic ACLs)? It would help if you gave a concrete example of where the FQDN is defined, and the circumstances in which you want the ASA to check. – Mike Pennington Mar 17 '14 at 14:09
  • Hey Mike, yes, that's exactly what I'm talking about. In these cases we have a vendor-given URL that we must use in an AAA-server config and also as a peer IP in a crypto map for an L2L IPsec tunnel. Not sure how much more to put in the question to get that across. – A L Mar 17 '14 at 14:23
  • Ok, if you can be specific about the TTL on the DNS record, it would help. Check the TTL with `nslookup` (Windows) or `dig` (Linux / Windows) – Mike Pennington Mar 17 '14 at 14:24
  • The particular record I'd need to resolve has a TTL of 58 seconds, so we'd need to resolve the names used in these cases every 58s or less ideally. – A L Mar 17 '14 at 14:41

1 Answer

4

Yes, according to the Cisco documentation (v8.4), you can use a hostname most places you use an IP address.

Here's an example lifted from the documentation:

```
ne-asa(config)# aaa-server LDAP_SRV_GRP (inside) host myserver.networkengineering.stackexchange.com
ne-asa(config-aaa-server-host)# ldap-attribute-map ne-MAP
```
Ryan Foley
Ron Trunk
  • I should have revised the question. FQDN that's dynamically resolved via outside DNS. I can map things statically no problem, I was referring to FQDN objects. Any thoughts there? – A L Mar 17 '14 at 14:05
  • @AL I haven't actually tried it, but according to the docs, ASA doesn't care what interface the DNS server is on. See http://goo.gl/3zr9cB – Ron Trunk Mar 17 '14 at 18:01
  • Hey Ron, yeah, I currently use external DNS in a few ACL entries, so configuring external DNS isn't the issue. The problem is that when you use FQDNs you have to make a network object containing them, and I'm not sure if that network-object type can be used in crypto maps or in aaa-server configs. – A L Mar 17 '14 at 20:48
  • @AL As I said, I don't have a spare ASA to test. It probably would be fastest just to try it. – Ron Trunk Mar 18 '14 at 00:07
  • I was finally able to get a test going, and can confirm your suggestion! as long as the interface you set in the aaa-server has a matching dns-lookup INTNAME and a name-server on the same interface that can resolve your hostname you're good. It worked for crypto maps too. Good stuff, thanks for the help! – A L Mar 18 '14 at 17:02
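
The complete configuration that the answer and the last comment imply, written out as an added example (it is not from the original post, the Cisco documentation, or the asker's lab). Interface names, the `DefaultDNS` name-server address, the LDAP bind DN, the ACL, the transform set and the hostnames `ldap.example.com` / `vpn.vendor.example` are all assumptions; only `LDAP_SRV_GRP` and the attribute map `ne-MAP` come from the answer above. The point is the pairing the asker confirmed: `dns domain-lookup` on the interface named in the `aaa-server` (and the one the crypto map is applied to), plus a reachable name-server, and then the hostname used directly where an IP would normally go.

```cisco
! --- DNS: the ASA needs domain lookups enabled on the interface that reaches
! --- the AAA server / VPN peer, and a name-server it can reach. Interface
! --- names and the 10.10.0.53 resolver are assumptions for this example.
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 10.10.0.53
 domain-name example.com

! --- AAA server referenced by hostname instead of IP (ldap.example.com is
! --- an assumed name). ne-MAP is the attribute map named in the answer.
ldap attribute-map ne-MAP
 map-name memberOf IETF-Radius-Class
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (inside) host ldap.example.com
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,ou=service,dc=example,dc=com
 ldap-login-password BIND_PASSWORD_PLACEHOLDER
 server-type microsoft
 ldap-attribute-map ne-MAP

! --- L2L IPsec crypto map whose peer is an FQDN (vpn.vendor.example is an
! --- assumed name; the ACL networks are documentation ranges).
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
access-list VENDOR_VPN_ACL extended permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VENDOR_VPN_ACL
crypto map OUTSIDE_MAP 10 set peer vpn.vendor.example
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map OUTSIDE_MAP interface outside

! --- Checks (privileged exec): is the name in the ASA's DNS cache, does the
! --- AAA host actually bind, and what did the crypto map resolve the peer to?
show dns-hosts
test aaa-server authentication LDAP_SRV_GRP host ldap.example.com username jdoe password USER_PASSWORD_PLACEHOLDER
show running-config crypto map
```

The tunnel-group and pre-shared-key configuration for the L2L peer is the same as for an IP-based peer and is left out. One caveat a practitioner should check before relying on this with a vendor record whose TTL is 58 seconds: the thread confirms that the ASA resolves the hostname and that the AAA server and tunnel come up, but nothing on this page establishes that the crypto-map peer or the aaa-server host is re-resolved when that record changes. The poll/expire re-resolution that the linked Cisco document describes is for FQDN network objects used in ACLs, so test the peer-change case explicitly (change the record, watch `show dns-hosts` and the tunnel) rather than assuming it.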