<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic DNS Doctoring + Site to Site VPN in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/dns-doctoring-site-to-site-vpn/m-p/3688262#M12863</link>
<description>My reading seems to suggest that DNS Doctoring will be incompatible across a site-to-site VPN with an overlapping network range.

I wish to set up an AD trust / DNS forwarding between two sites. I have a Domain Controller / DNS server on Site A: 10.0.1.0/24 and a remote site, Site B: 10.0.5.0/24 (reachable via a site-to-site VPN), that needs to access it. The problem is that Site B is connected to a WAN to which another office is connected that also uses 10.0.1.0/24. Clearly NAT is required to translate the overlapping address space between Site A and Site B.

When building the crypto ACL using twice NAT, I don't believe that I can use DNS doctoring to translate the A record for 10.0.1.1 to 192.168.1.1, as Object NAT (with the DNS keyword) won't be matched, i.e. twice NAT will take priority. See the end of the following URL.

&lt;A href="https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115753-dns-doctoring-asa-config.html" target="_blank"&gt;https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115753-dns-doctoring-asa-config.html&lt;/A&gt;

I'm assuming that my best course of action is to use a second firewall behind my ASA (VPN firewall) to do the translation of the A record for the remote site, and then the ASA (VPN firewall) for the VPN itself.

Can anyone offer any guidance, please?

Regards

Darren</description>
    <pubDate>Fri, 21 Feb 2020 16:06:21 GMT</pubDate>
    <dc:creator>darreng</dc:creator>
    <dc:date>2020-02-21T16:06:21Z</dc:date>
    <item>
      <title>DNS Doctoring + Site to Site VPN</title>
      <link>https://community.cisco.com/t5/network-security/dns-doctoring-site-to-site-vpn/m-p/3688262#M12863</link>
<description>My reading seems to suggest that DNS Doctoring will be incompatible across a site-to-site VPN with an overlapping network range.

I wish to set up an AD trust / DNS forwarding between two sites. I have a Domain Controller / DNS server on Site A: 10.0.1.0/24 and a remote site, Site B: 10.0.5.0/24 (reachable via a site-to-site VPN), that needs to access it. The problem is that Site B is connected to a WAN to which another office is connected that also uses 10.0.1.0/24. Clearly NAT is required to translate the overlapping address space between Site A and Site B.

When building the crypto ACL using twice NAT, I don't believe that I can use DNS doctoring to translate the A record for 10.0.1.1 to 192.168.1.1, as Object NAT (with the DNS keyword) won't be matched, i.e. twice NAT will take priority. See the end of the following URL.

&lt;A href="https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115753-dns-doctoring-asa-config.html" target="_blank"&gt;https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115753-dns-doctoring-asa-config.html&lt;/A&gt;

I'm assuming that my best course of action is to use a second firewall behind my ASA (VPN firewall) to do the translation of the A record for the remote site, and then the ASA (VPN firewall) for the VPN itself.

Can anyone offer any guidance, please?

Regards

Darren</description>
      <pubDate>Fri, 21 Feb 2020 16:06:21 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/dns-doctoring-site-to-site-vpn/m-p/3688262#M12863</guid>
      <dc:creator>darreng</dc:creator>
      <dc:date>2020-02-21T16:06:21Z</dc:date>
    </item>
  </channel>
</rss>

