ASA - using FQDN in an ACL

When configuring a Cisco ASA, it is possible to use a Fully Qualified Domain Name (FQDN) as part of an access list to filter traffic based on the IPv4 or IPv6 address that that particular FQDN resolves to using DNS. The syntax that can be used however is not as flexible as it is when using IP addresses.

For example, it is not possible to use wildcard masks within the FQDN statement in the network object. For example, the FQDN must begin and end with a digit or letter. Only letters, digits, and hyphens are allowed as internal characters. Labels are separated by a dot (for example, www.cisco.com.

The use of an FQDN network object with an access list is a solution that has limitations and some difficulties in implementation. There are certain best practices that should be adhered to to ensure proper operation. Having said that, there are more appropriate (and reliable) solutions that you can use such as using an external URL filtering server, or the application inspection feature on the ASA.

https://forum.networklessons.com/t/cisco-asa-allow-subdomain-by-fqdn/40379/2?u=lagapides

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/A-H/asa-command-ref-A-H/fe-fz-commands.html#wp9405198900

https://community.cisco.com/t5/security-knowledge-base/using-hostnames-dns-in-access-lists-configuration-steps-caveats/ta-p/3123480