Anyconnect DNS doctoring

lcthasenhod · ‎02-13-2024

Hi All,

I have a problem figuring out how to make the ASA/FTD send back to correct ip, i have 3 interfaces, and dns server is google.

outside - 6.6.6.6 - vpn.example.com (works)

inside - 10.10.10.1 - i want to rewrite vpn.example.com to this ip when you are connected to inside

guest - 10.10.20.1 - i want to rewrite vpn.example.com to this ip when you are connected to guest

I have enabled anyconnect to connect to all 3 interfaces, but the ASA/FTD wont let me make a DNS rewrite on its own interfaces, please assist.

MHM Cisco World · ‎02-13-2024

Using fmc

Add nat rule

In advanced tab

There is option to translate DNS, this is same as dns doctor in previous Asa platforms.

But this option you can only use when you have NAT 1:1

And make sure the anyconnect ask the internal DNS server via vpn not it public DNS server learn from ISP. (tunnel all)

MHM

trossard · ‎02-12-2025

To configure DNS rewriting on ASA/FTD, use a 1:1 NAT rule with DNS translation and enable Tunnel All in AnyConnect to ensure DNS traffic uses the internal server. If you’re encountering issues like nulls brawl it could indicate configuration problems.

davidlara8240 · ‎06-23-2025

thanks for sharing this suchb an amazing content

wajidhassan · ‎06-27-2025

To rewrite vpn.example.com to different internal IPs based on the connected interface, configure 1:1 NAT rules with DNS translation enabled under the advanced NAT settings. Also, ensure AnyConnect clients use internal DNS servers by enabling the "Tunnel All" option to avoid DNS resolution via public servers.

SprunkiRetake · ‎10-02-2025

I ran into a similar issue with DNS rewrite on ASA when dealing with multiple interfaces—it’s tricky since ASA won’t rewrite its own interface IPs easily. What worked for me was setting up split Sprunki Retake DNS using internal DNS servers instead of relying on Google. Also, playing during those long config sessions definitely kept the frustration in check!