Cisco Support Community
Community Member

DNS NAT translation

We are currently using 3600 routers to do NAT translation at the edge of our network, and these are working fine. We have decided to move this process over to ASA5520's, and are in the process of doing this.

We have one problem though, and it is a major headache. We have our own internal DNS servers, which external sites use to resolve names internal to us. This works when using the routers, but not when using the ASAs.

The problem is that when an external site uses nslookup to resolve a site behind the firewall, the reply given is the true IP address of the device rather than the NAT'd entry. We can find several documents on this, but they all tend to refer to having the DNS on the outside of your network.

Any ideas on resolving this would be gratefully appreciated.

Hall of Fame Super Blue

Re: DNS NAT translation


DNS inspection should sort this out for you, but it should be on by default.

You don't say which version of the software you are running, but attached is a link to the ASA 7.2 command reference for dns inspect and its uses.



Community Member

Re: DNS NAT translation

Hi Jon,

Thanks for the reply, we are testing it now. The software we are running is 7.2.



Hall of Fame Super Blue

Re: DNS NAT translation


No problem. Let me know how you get on.


Community Member

Re: DNS NAT translation

Hi Jon,

We have entered the following policy but are still getting the 'real' ip when an outside device queries the internal DNS server:

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect dns

The DNS server has a static NAT translation, as does the particular device we are testing.


static (inside,outside) dns

Any ideas?



Re: DNS NAT translation


Have you considered having the server resolve the addresses to the external addresses in the first place?

You could then hairpin users on the inside which would allow them to resolve to the external address as well.

Community Member

Re: DNS NAT translation

We have got the DNS inspection working now, but it does seem that a problem still persists.

People external to us can do successful DNS queries, but the TTL on the DNS entry is not being re-written. So after the NAT entry has expired after 30 minutes they have an invalid resolution.

Can anyone please advise on how to amend the TTL on DNS lookups?
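The two behaviours discussed in this thread (the A-record rewrite that `static (inside,outside) ... dns` with `inspect dns` performs, and the TTL that is left untouched) are illustrated below in a small Python simulation. This is an added example, not code from the thread or from Cisco: it builds a constructed DNS response carrying the real inside address, walks the answer section and swaps the RDATA for the mapped address from a hypothetical NAT table, while leaving the TTL alone, which is exactly the gap the last post describes. The optional `max_ttl` parameter shows what the poster is asking for (capping the advertised TTL to the NAT timeout); it is an illustration of the idea, not a claim that ASA 7.2 offers such a knob. All addresses, names and the NAT mapping are constructed sample values.

```python
import struct
import ipaddress

# Constructed static NAT mapping: real inside address -> mapped outside address.
# This stands in for "static (inside,outside) <mapped> <real> netmask 255.255.255.255 dns".
STATIC_NAT = {
    "10.1.1.20": "203.0.113.20",
}


def build_dns_response(name, real_ip, ttl, txid=0x1234):
    """Construct a minimal DNS response with one question and one A-record answer (sample data)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1, 1 question, 1 answer
    question = qname + struct.pack("!HH", 1, 1)                 # type A, class IN
    # The answer name is a compression pointer (0xC00C) back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(real_ip).packed
    return header + question + answer


def _skip_name(data, offset):
    """Return the offset just past a (possibly compressed) DNS name starting at offset."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, then the name ends
            return offset + 2
        offset += 1 + length


def _answer_records(data):
    """Yield (rr_offset, rtype, rclass, ttl, rdlen, rdata_offset) for each answer RR."""
    qdcount, ancount = struct.unpack("!HH", data[4:8])
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4          # skip QNAME, QTYPE, QCLASS
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        yield offset, rtype, rclass, ttl, rdlen, offset + 10
        offset += 10 + rdlen


def answers(packet):
    """Return [(ip, ttl), ...] for the A records in the answer section, for inspection."""
    result = []
    for _, rtype, rclass, ttl, rdlen, rdata_off in _answer_records(packet):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            result.append((str(ipaddress.IPv4Address(packet[rdata_off:rdata_off + 4])), ttl))
    return result


def doctor_dns_response(packet, nat_table, max_ttl=None):
    """Rewrite A-record RDATA from real to mapped address, as ASA DNS doctoring does.

    The TTL is copied through unchanged unless max_ttl (hypothetical cap) is given.
    Returns (rewritten_packet, [(real_ip, mapped_ip, ttl_sent), ...]).
    """
    data = bytearray(packet)
    rewrites = []
    for rr_off, rtype, rclass, ttl, rdlen, rdata_off in _answer_records(data):
        if rtype != 1 or rclass != 1 or rdlen != 4:
            continue                                   # only IPv4 A records are doctored here
        real = str(ipaddress.IPv4Address(bytes(data[rdata_off:rdata_off + 4])))
        mapped = nat_table.get(real)
        if mapped is None:
            continue                                   # no static entry with the dns keyword: leave as-is
        data[rdata_off:rdata_off + 4] = ipaddress.IPv4Address(mapped).packed
        if max_ttl is not None and ttl > max_ttl:
            ttl = max_ttl
            data[rr_off + 4:rr_off + 8] = struct.pack("!I", ttl)
        rewrites.append((real, mapped, ttl))
    return bytes(data), rewrites


if __name__ == "__main__":
    reply = build_dns_response("www.example.com", "10.1.1.20", 3600)
    doctored, changes = doctor_dns_response(reply, STATIC_NAT)
    print("before:", answers(reply))
    print("after: ", answers(doctored), changes)
```

Running the block shows the outside client receiving 203.0.113.20 with the original 3600-second TTL, so a resolver will cache the mapped address far longer than a 30-minute NAT timeout; passing `max_ttl=1800` demonstrates how capping the TTL at the translation lifetime would keep the cached answer and the NAT state in step.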
