DNS Issue due to translation

Unanswered Question
Apr 6th, 2010

Hey Everyone,

I am facing a DNS issue due to NAT. I think DNS doctoring can solve this, but the scenario is a little different, so I am not sure of the exact solution.

Attached is the network diagram. Exchange Server, DNS and Domain Controller are all located on a single physical server which has an IP Both the server and the internal users reside on the inside subnet. In the DNS the name-to-IP mapping is, for example, srv.abc.com -> The inside users have no connectivity issue.

The server is translated to when accessing the outside network; this is a static translation:

static (Inside,Outside) netmask

When the Branch users try to resolve srv.abc.com they get the mapping to which does not allow communication using the name, as Branch users cannot access but they can access

What needs to be configured on the ASA to resolve this issue?

Will this work?

static (Inside,Outside) netmask dns

Jennifer Halim Tue, 04/06/2010 - 04:07
User Badges: Cisco Employee

Yes, dns doctoring will work as long as the branch user uses as its dns server for dns resolution.

Muhammad Zeesha... Tue, 04/06/2010 - 06:07
It didn't work. I specified the command using the dns keyword and flushed the DNS on the Branch host; the host still resolves the name of the server to Is there anything else that needs to be done?


Zeeshan Sanaullah

Jennifer Halim Tue, 04/06/2010 - 06:17
User Badges: Cisco Employee

Is the user using the public IP address of the HQ DNS server for DNS resolution? It will only work if the DNS request passes through the HQ ASA where the static with the "dns" keyword is configured, and the reply goes back through the ASA as well.

Can you please confirm what DNS server is used at your branch host?
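
A model of the doctoring behaviour described in this reply, added here as an example and not taken from the thread or from Cisco: a DNS reply from the inside server crosses the firewall, and every A record carrying the real inside address is rewritten to the static NAT address. The addresses, the packet builder and srv.abc.com's reply are constructed (the thread's own addresses did not survive), and the model only covers the rewrite itself; on a real ASA it also depends on `inspect dns` being applied to the flow and the reply crossing the interface pair named in the static.

```python
import socket
import struct

# Constructed addresses: the thread's real addresses did not survive extraction.
INSIDE_IP = "10.1.1.10"      # srv.abc.com as seen by inside hosts
MAPPED_IP = "203.0.113.10"   # its static NAT address on the outside

def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a DNS name; a compression pointer ends it."""
    while pkt[off] != 0:
        if pkt[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + pkt[off]
    return off + 1

def _answer_rdata(pkt: bytes):
    """Yield (rtype, rdata_offset, rdlen) for each RR in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", pkt, 4)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4            # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        yield rtype, off, rdlen
        off += rdlen

def doctor_response(pkt: bytes, real_ip: str, mapped_ip: str) -> bytes:
    """Model of 'inspect dns' plus a static with the 'dns' keyword: A records
    carrying the real inside address are rewritten to the mapped address."""
    real, mapped = socket.inet_aton(real_ip), socket.inet_aton(mapped_ip)
    out = bytearray(pkt)
    for rtype, off, rdlen in _answer_rdata(pkt):
        if rtype == 1 and rdlen == 4 and pkt[off:off + 4] == real:
            out[off:off + 4] = mapped
    return bytes(out)

def a_records(pkt: bytes) -> list:
    """Dotted-quad addresses of all A answers, for checking the result."""
    return [socket.inet_ntoa(pkt[off:off + 4])
            for rtype, off, rdlen in _answer_rdata(pkt) if rtype == 1 and rdlen == 4]

def build_a_response(name: str, ip: str) -> bytes:
    """Constructed reply from the inside DNS server: one question, one A answer."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + qname + struct.pack("!HH", 1, 1) + answer
```

A reply whose A record holds any other address, or that carries no A record at all, passes through unchanged, which is why a branch host that asks a DNS server on the far side of the ASA never sees the rewrite.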

Muhammad Zeesha... Tue, 04/06/2010 - 06:37
The Branch user has configured as the DNS server. Yes, the DNS request passes through the ASA.

Muhammad Zeesha... Tue, 04/06/2010 - 23:31
DNS inspection is on, as shown below:

class-map inspection_default
  match default-inspection-traffic

policy-map global_policy
  class inspection_default
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect sunrpc
    inspect tftp
    inspect xdmcp
    inspect esmtp
    inspect dns
    inspect http

Kureli Sankar Wed, 04/07/2010 - 05:00
User Badges: Cisco Employee

Remove the "dns" keyword from the static. This should resolve the issue.

The inside hosts are getting resolution from the inside DNS and they are working fine.

The outside folks do not need to get the inside IP upon resolving, so remove the dns keyword from the static.


Muhammad Zeesha... Wed, 04/07/2010 - 08:21
The actual configuration is without the dns keyword. I added the dns keyword to see if the issue resolves, but it did not.

Outside hosts, when they resolve srv.abc.com, get but they should get after the dns keyword is entered.


The ASA OS version is 7.07. Can it be a software issue?



Kureli Sankar Wed, 04/07/2010 - 08:30
User Badges: Cisco Employee

Can you temporarily just remove DNS inspection and see if this works? If it does, then we can exclude DNS inspection for this remote network and add DNS inspection for all other traffic.


