Cisco Support Community

New Member

DNS rewrite for outside interface


For hosts on the DMZ, when connecting from the inside we use the static with dns command for DNS rewrite (external DNS), but I would like to use this for the IP/DNS on the outside interface too. Is this somehow possible, to rewrite the external outside IP to the internal inside IP?

We don't have a DNS on the inside for this; it's possible, but I wanted to check if this was possible to configure on the firewall.



Re: DNS rewrite for outside interface

I'm not sure if I understand your questions correctly, but this link should help-

Cisco Employee

Re: DNS rewrite for outside interface


Your question is not very clear as to where your users/clients and server would be located (which ifc of the ASA).

Though what I understand is that you want to have internal (behind the inside ifc of the ASA) users and you want them to be able to access an external website using an internal IP even though the external DNS server sends the server's external IP address in the DNS reply.

So here the firewall needs to rewrite the DNS reply packet coming back to the client. This scenario of "Destination NAT" can be achieved as follows:

static (outside,inside) netmask dns



New Member

Re: DNS rewrite for outside interface

Thanks for replying, I'm not being really clear about this myself.

I would like to do like below, but I understand that's not possible; just as an example for the DNS rewrite.

static (outside,inside) <inside_interface_ip> <outside_interface_ip> netmask dns

When users on the inside connect to they get from the external DNS the outside_interface_ip, so I would like the firewall to rewrite the DNS reply with the inside_interface_ip instead.

This is only a one-timer when we need to install the VPN client, and it's smooth to use the WebVPN functions for this. I use group alias for this and we use certificate authentication, so I would like to use the same DNS name, but we don't have a DNS on the inside for this. It's possible, but I wanted to check if I could get this to work with the firewall instead.

It is very like the scenario where we have resources on the DMZ and both external users and inside users need to connect with a DNS address to the servers; for this we have the static NAT with dns configured and it works great, but I would like the same rewrite but from the outside_interface_ip to the inside_interface_ip.

Or get the inside users to connect to the VPN service on the outside interface.