My reading seems to suggest that DNS Doctoring will be incompatible across a site-to-site VPN with an overlapping network range.
I wish to set up an AD trust / DNS forwarding between two sites. I have a Domain Controller / DNS server on Site A: 10.0.1.0/24 and a remote site, Site B: 10.0.5.0/24 (reachable via a site-to-site VPN), that needs to access it. The problem is that Site B is connected to a WAN on which another office is connected that also uses 10.0.1.0/24. Clearly NAT is required to translate the overlapping address space between Site A and B.
When building the crypto ACL using twice NAT, I don't believe that I can use DNS doctoring to translate the A record for 10.0.1.1 to 192.168.1.1, as Object NAT (with the DNS keyword) won't be matched, i.e. twice NAT will take priority. See the end of the following URL.
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115753-dns-doctoring-asa-config.html
I'm assuming that my best course of action is to use a second Firewall behind my ASA (VPN Firewall) to do the translation of the A Record for the remote site and then the ASA (VPN Firewall) for the VPN itself.
Can anyone offer any guidance, please?
Regards
Darren
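What DNS doctoring actually does to a reply, as an added example that is not part of Darren's post, Cisco's documentation, or any ASA code: walk the answer section of a DNS response and rewrite each A record whose address falls in the real network into the corresponding address in the mapped network. The net-to-net mapping 10.0.1.0/24 -> 192.168.1.0/24 is an assumption extrapolated from the single pair 10.0.1.1 -> 192.168.1.1 given in the post, and the hostname dc01.corp.example and the second answer 10.0.5.10 are constructed sample data. The example models the rewrite itself; it does not settle which ASA NAT rule types honour the dns keyword, which is the question the post raises.

```python
import ipaddress
import struct

# Assumed net-to-net mapping (extrapolated from 10.0.1.1 -> 192.168.1.1 in the post):
# Site A's real range and the range Site B is meant to see after NAT.
REAL_NET = ipaddress.ip_network("10.0.1.0/24")
MAPPED_NET = ipaddress.ip_network("192.168.1.0/24")


def translate_ip(addr, real_net, mapped_net):
    """Map one IPv4 address from real_net to the same host offset in mapped_net.
    Addresses outside real_net are returned unchanged (no rewrite applies)."""
    ip = ipaddress.ip_address(addr)
    if ip not in real_net:
        return addr
    offset = int(ip) - int(real_net.network_address)
    return str(mapped_net.network_address + offset)


def _skip_name(msg, off):
    """Return the offset just past a DNS name, handling compression pointers (RFC 1035 4.1.4)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def _walk_records(msg):
    """Yield (rdata_offset, rtype, rclass, rdlen) for every resource record in the reply."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):                       # questions: name + QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):             # answer, authority and additional sections
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def doctor_dns_reply(msg, real_net, mapped_net):
    """Rewrite A-record rdata in a DNS reply the way NAT DNS rewrite (DNS doctoring) does.
    Only IN A records with a 4-byte rdata are touched; everything else passes through."""
    out = bytearray(msg)
    for off, rtype, rclass, rdlen in _walk_records(msg):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            old = str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
            new = translate_ip(old, real_net, mapped_net)
            out[off:off + 4] = ipaddress.IPv4Address(new).packed
    return bytes(out)


def answer_addresses(msg):
    """Return the IPv4 addresses carried in the reply's A records, in wire order."""
    return [str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
            for off, rtype, rclass, rdlen in _walk_records(msg)
            if rtype == 1 and rclass == 1 and rdlen == 4]


def _encode_name(name):
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def build_sample_reply():
    """Constructed sample reply: dc01.corp.example with two A records, 10.0.1.1 (inside the
    real range) and 10.0.5.10 (outside it), answer names compressed to the question at offset 12."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    question = _encode_name("dc01.corp.example") + struct.pack("!HH", 1, 1)
    answers = b""
    for addr in ("10.0.1.1", "10.0.5.10"):
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + answers


if __name__ == "__main__":
    reply = build_sample_reply()
    print("before:", answer_addresses(reply))
    print("after: ", answer_addresses(doctor_dns_reply(reply, REAL_NET, MAPPED_NET)))
```

The second firewall the post considers would be doing exactly this to replies from the Site A DNS server before they reach Site B: records in 10.0.1.0/24 come out in 192.168.1.0/24, and records already outside the overlap (10.0.5.10 here) are left alone.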