ASA - Using FQDN in an ACL for VPN split tunnelling

When configuring an ASA for VPN split tunnelling, an ACL must be used to identify which networks are reached through the tunnel. In such an ACL, it is not possible to refer to an FQDN.

A Cisco ASA does support the use of an FQDN in an access list in general; however, it does not support this in access lists used for VPN split tunnelling.

This is due to the way the ASA handles DNS. The ASA does not perform a DNS lookup in real time for each packet that traverses the firewall, so it cannot resolve FQDNs in access lists applied to VPN tunnels: doing so would require resolving the FQDN to an IP address every time a packet matching the access list is processed.
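As an added illustration (not taken from this note or the linked pages), the configuration below places the two cases side by side: an FQDN network object is accepted in an interface access list, while the split-tunnel network list referenced by the group policy has to be built from network prefixes. The object, ACL, group-policy and interface names, the DNS server address and the example prefixes are all assumptions.

```cisco
! DNS lookup settings the ASA needs before an FQDN object can resolve (names assumed)
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.0.2.53

! Supported: an FQDN object used in an ordinary interface access list
object network SAAS_PORTAL
 fqdn portal.example.com
access-list INSIDE_OUT extended permit tcp 10.10.0.0 255.255.0.0 object SAAS_PORTAL eq 443
access-group INSIDE_OUT in interface inside

! Split-tunnel list: entries must be network prefixes, not FQDN objects
! (an "object SAAS_PORTAL" entry is not supported here; list the prefixes instead)
access-list SPLIT_TUNNEL standard permit 10.10.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit 10.20.0.0 255.255.0.0

group-policy ANYCONNECT_GP internal
group-policy ANYCONNECT_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
```

After applying, `show running-config group-policy ANYCONNECT_GP` confirms which network list the policy references; any destination that is only known by name has to be covered by a prefix in that list or it will not be routed through the tunnel.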

Links:

https://forum.networklessons.com/t/cisco-asa-allow-subdomain-by-fqdn/40379/4?u=lagapidis

https://networklessons.com/cisco/asa-firewall/cisco-asa-anyconnect-remote-access-vpn