11-05-2014 09:24 AM - edited 03-05-2019 12:06 AM
I have a new ASA 5505 that I am configuring to protect an internal LAN segment. Everything is working well except when I go to ping the name of a PC that is behind the firewall, DNS returns the internal address of the PC (192.168.1.XXX) instead of its external (10.23.22.XXX) IP. Why is that happening and how do I stop it? Thanks for any help very much!
11-05-2014 12:31 PM
It could be the DNS-doctoring on the ASA. Look for the keyword "dns" at the end of your NAT-statements and remove them.
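As an added illustration (not from the original post), this is what a NAT statement carrying the `dns` keyword looks like in ASA 8.3+ object NAT, beside the same statement without it; the object name and addresses are assumed placeholders. The keyword turns on DNS doctoring: an A record of the mapped address in a DNS reply crossing the ASA is rewritten to the real address, which is exactly why an inside host resolving the PC's name sees 192.168.1.x rather than 10.23.22.x.

```text
! Assumed object NAT configuration (ASA 8.3 and later); names and addresses are placeholders.
! Before: the trailing "dns" keyword enables DNS doctoring, so a reply containing
! 10.23.22.10 that passes from outside to inside is rewritten to 192.168.1.10.
object network PC-LAN
 host 192.168.1.10
 nat (inside,outside) static 10.23.22.10 dns

! After: identical static translation, but DNS replies are no longer rewritten.
! Re-entering the nat line without "dns" replaces the previous one.
object network PC-LAN
 host 192.168.1.10
 nat (inside,outside) static 10.23.22.10

! Verify that no NAT line in the running config still ends in "dns":
show running-config nat

! Existing translations and the client's resolver cache can keep returning the
! old answer, so clear them after the change:
clear xlate
! and on a Windows client: ipconfig /flushdns
```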
11-06-2014 05:26 AM
Thanks very much - I removed the dns statement and it didn't seem to work.
11-06-2014 11:16 AM
If there actually were "DNS" keywords at the end of the NAT statements then I'm pretty sure that was the issue.
At this point, you may need to clear the xlate or flush-dns on your hosts. It could just be stale states.
11-05-2014 04:37 PM
I agree with Karsten.
See this document http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html
Search the page for the section "DNS Doctoring with the "dns" Keyword".