ASA Forwarding Internal IPs to DNS

pgriffin7
Level 1

I have a new ASA 5505 that I am configuring to protect an internal LAN segment. Everything is working well except that when I go to ping the name of a PC that is behind the firewall, DNS returns the internal address of the PC (192.168.1.XXX) instead of its external (10.23.22.XXX) IP. Why is that happening and how do I stop it? Thanks very much for any help!


It could be the DNS-doctoring on the ASA. Look for the keyword "dns" at the end of your NAT-statements and remove them.

Thanks very much - I removed the dns statement and it didn't seem to work.

If there actually were "DNS" keywords at the end of the NAT statements then I'm pretty sure that was the issue.

At this point, you may need to clear the xlate or flush-dns on your hosts. It could just be stale states.

LA-Engineer
Level 1

I agree with Karsten.

See this document http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/72273-dns-doctoring-3zones.html

Do a search for and go to "DNS Doctoring with the "dns" Keyword".
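
The check suggested in the replies above (look for the `dns` keyword on NAT statements), as an added example that is not part of the original thread: a small Python script that scans a saved ASA running-config for NAT rules carrying `dns`. The sample config, object names and addresses are constructed; the script assumes the usual one-space indentation of sub-mode lines and covers both pre-8.3 `static`/`nat` lines and 8.3+ object and twice NAT.

```python
import re

# Constructed sample of a saved running-config (names and addresses are made up).
SAMPLE_CONFIG = """\
object network PC-01
 host 192.168.1.10
 nat (inside,outside) static 10.23.22.10 dns
object network PC-02
 host 192.168.1.11
 nat (inside,outside) static 10.23.22.11
 description dns server for lab
static (inside,outside) 10.23.22.12 192.168.1.12 netmask 255.255.255.255 dns
nat (inside,outside) source static REAL-NET MAPPED-NET dns no-proxy-arp
access-list OUT extended permit udp any any eq domain
"""

# NAT rules start with "nat (" or "static (" in every ASA software generation.
NAT_LINE = re.compile(r"^(nat|static)\s+\(")


def find_dns_rewrite(config_text):
    """Return (line_no, parent_object, line) for each NAT rule with 'dns'."""
    hits = []
    parent = None
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not raw.startswith(" "):
            # A new top-level command ends any "object network" sub-mode.
            parent = line if line.startswith("object network ") else None
        if not NAT_LINE.match(line):
            continue
        # Drop free text after a twice-NAT "description" keyword, then
        # look for "dns" as a whole token anywhere in the rule.
        tokens = line.split(" description ")[0].split()
        if "dns" in tokens:
            hits.append((line_no, parent, line))
    return hits


if __name__ == "__main__":
    for line_no, parent, line in find_dns_rewrite(SAMPLE_CONFIG):
        where = f" (under '{parent}')" if parent else ""
        print(f"line {line_no}{where}: {line}")
```

A network object literally named `dns` would show up as a false positive, so review each hit before changing the rule.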

 
