How to disable dns doctoring for IPSEC VPN connections for ASA 5510
Well, the client's on the outside interface - DNS doctoring is behaving exactly as intended, really.
Do you actually need DNS doctoring enabled on that translation? Are you serving public DNS from an internal server with the internal addresses, and just having doctoring catch that address on the way out the door?
If not, then just tear the dns
off of your static
line and you're all set.
If so, consider setting up a DNS server that just serves public DNS.
If you're set on keeping doctoring enabled, then I can think of one ugly workaround that should do it: two policy static translations - one for when the destination is internal with DNS doctoring disabled, then a lower priority one with doctoring enabled. Like I said: ugly.
Turns out that just by adding additional nat exclusions this disabled the dns doctoring. Essentially all traffic from the outside interface that is in the vpn ip pool needs to identified as no-nat to talk to the dmz and the inside interfaces correctly.