How to disable dns doctoring for IPSEC VPN connections for ASA 5510

domain-name-system nat cisco cisco-asa

Well, the client's on the outside interface - DNS doctoring is behaving exactly as intended, really.

Do you actually need DNS doctoring enabled on that translation? Are you serving public DNS from an internal server with the internal addresses, and just having doctoring catch that address on the way out the door?

If not, then just tear the dns off of your static line and you're all set.

If so, consider setting up a DNS server that just serves public DNS.

If you're set on keeping doctoring enabled, then I can think of one ugly workaround that should do it: two policy static translations - one for when the destination is internal with DNS doctoring disabled, then a lower priority one with doctoring enabled. Like I said: ugly.


Turns out that just by adding additional nat exclusions this disabled the dns doctoring. Essentially all traffic from the outside interface that is in the vpn ip pool needs to identified as no-nat to talk to the dmz and the inside interfaces correctly.

Related

I can't view any detailed log for Postfix under Centos
NVRAM for journals on Linux?
SSH tunneling and port forwarding
Do I need a hardware firewall for Win 2003?
Getting bind9 to answer on a Dual NIC machine?
Will the OID for a custom extend SNMP call be the same on multiple boxes?
eJabberd: room history is erased after server restart
SSH known_hosts holds duplicate keys for same server
git clone hangs during clone when using sshpass
NGINX redirect non-existent domains
Windows server 2008 web edition with SQL Server (Limits?)
When can I adjust partition sized in Leopard?