DNS NAT translation

Unanswered Question

We are currently using 3600 routers to do NAT translation at the edge of our network, and these are working fine. We have decided to move this process over to ASA5520s, and are in the process of doing this.

We have one problem though, and it is a major headache. We have our own internal DNS servers, which external sites use to resolve names internal to us. This works when using the routers, but not when using the ASAs.

The problem is that when an external site uses nslookup to resolve a site behind the firewall, the reply given is the true IP address of the device rather than the NAT'd entry. We can find several documents on this, but they all tend to refer to having the DNS on the outside of your network.

Any ideas on resolving this would be gratefully appreciated.


Hi Jon,

We have entered the following policy but are still getting the 'real' ip when an outside device queries the internal DNS server:

class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns

The DNS server has a static NAT translation, as does the particular device we are testing:

static (inside,outside) <mapped-ip> <real-ip> netmask 255.255.255.255 dns

Any ideas?
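For reference, here is a complete ASA 7.x-style configuration for DNS rewriting ("DNS doctoring") with an internal authoritative server, as an added example rather than configuration taken from the thread. The addresses are assumed: 10.1.1.53 / 203.0.113.53 for the internal DNS server and 10.1.1.10 / 203.0.113.10 for the host an outside client resolves; the interface names follow the thread's inside/outside.

```cisco
! DNS application inspection on the default global policy.
! The service-policy line is what actually attaches the policy; without it
! "inspect dns" is defined but never applied.
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns
!
service-policy global_policy global
!
! Static NAT for the internal DNS server (assumed addresses).
static (inside,outside) 203.0.113.53 10.1.1.53 netmask 255.255.255.255 dns
!
! The dns keyword must be present on the static of every host whose real
! address can appear in an A record; inspection rewrites that address to
! the mapped one when the reply leaves towards the outside interface.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 dns
!
! Permit the query in; outside clients talk to the mapped address.
access-list outside_in extended permit udp any host 203.0.113.53 eq domain
access-group outside_in in interface outside
```

A quick check from the outside is `nslookup host.example.com 203.0.113.53`: with the `dns` keyword in place the answer should carry 203.0.113.10, and `show xlate` on the ASA should list both statics. Without the keyword the static still translates the packet headers, but the A record payload goes out unchanged, which is the symptom in the original question.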


acomiskey Wed, 07/11/2007 - 08:01


Have you considered having the server resolve the addresses to the external addresses in the first place?

You could then hairpin users on the inside which would allow them to resolve to the external address as well.

We have got the DNS inspection working now, but it does seem that a problem still persists.

People external to us can do successful DNS queries, but the TTL on the DNS entry is not being rewritten. So after the NAT entry has expired after 30 minutes they have an invalid resolution.

Can anyone please advise on how to amend the TTL on DNS lookups?
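To make concrete what the inspection engine is doing to the packet, and what it is not doing, the following is an added example (not Cisco code and not from this thread) that performs the same rewrite on a raw DNS response: it walks the message, and for every A record whose RDATA matches a real address in a NAT table it substitutes the mapped address. Nothing else in the record is touched, so the TTL goes out exactly as the internal server set it; the NAT table, the hostnames and the addresses are constructed for the example.

```python
import struct

# Constructed static NAT table: real inside address -> mapped outside address.
NAT_TABLE = {
    "10.1.1.10": "203.0.113.10",
}


def _skip_name(buf, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer
            return off + 2
        off += 1 + length


def doctor_dns_response(packet, nat_table):
    """Rewrite A-record RDATA per nat_table (real -> mapped).

    Header, question, owner names, TTLs and non-A records are passed through
    unchanged. Returns (rewritten_packet, number_of_records_rewritten).
    """
    buf = bytearray(packet)
    qd, an, ns, ar = struct.unpack("!HHHH", buf[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(buf, off) + 4      # QTYPE + QCLASS
    rewritten = 0
    for _ in range(an + ns + ar):
        off = _skip_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, IN class
            real = ".".join(str(b) for b in buf[off:off + 4])
            mapped = nat_table.get(real)
            if mapped:
                buf[off:off + 4] = bytes(int(x) for x in mapped.split("."))
                rewritten += 1
        off += rdlen                          # TTL deliberately left alone
    return bytes(buf), rewritten


def build_a_response(qname, ip, ttl=3600, txid=0x1234):
    """Construct a minimal DNS response with one A record (sample input)."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA
    question = name + struct.pack("!HH", 1, 1)
    rdata = bytes(int(x) for x in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def answer_records(packet):
    """Return [(type, ttl, rdata_text)] for the answer section, for inspection."""
    qd, an = struct.unpack("!HH", packet[4:8])
    off = 12
    for _ in range(qd):
        off = _skip_name(packet, off) + 4
    out = []
    for _ in range(an):
        off = _skip_name(packet, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        rdata = packet[off:off + rdlen]
        off += rdlen
        text = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        out.append((rtype, ttl, text))
    return out


if __name__ == "__main__":
    reply = build_a_response("host.example.com", "10.1.1.10", ttl=300)
    doctored, n = doctor_dns_response(reply, NAT_TABLE)
    print("before:", answer_records(reply))
    print("after: ", answer_records(doctored), "records rewritten:", n)
```

The point to take from `answer_records` before and after: only the address changes, the TTL (300 here) is whatever the internal server put in the zone. Address-rewriting NAT has no notion of DNS cache lifetime, so the TTL that outside resolvers cache has to be managed on the DNS server itself, and the statics that carry the `dns` keyword should be permanent entries rather than translations that can age out.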

