Cisco PIX - DNS Issue when using VPN (Public IP received in reply when pinging internal hosts)

I inherited a Cisco PIX firewall running IOS 6.3. VPN is configured and working fine however I noticed an issue when logged into VPN. When pinging an internal host with a private IP address, I get the associated public IP address of the server.

For example, when pinging domain.local which should have an IP address of ( I get a response of 74.x.x.x. Interesting fact is that this only happens for servers which have a static mapping of external IP to internal IP such as Microsoft Exchange.

This is causing issues when trying to resolve internal IP address of my exchange.

When running ipconfig i see the correct DNS server listed. Any direction where to begin would be appreciated.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

To begin with...

Try nslookup your local exchange against DNS server which is configured at your workstation. If it would return public IP address of exchange then there are chances that it is configured in your local DNS. If not, then check host file at your workstation. The idea is to determine a source of dns response. The final variant though very unlikely is that your domain.local is really configured at public DNS in the Internet and your local DNS forwards requests to the Internet. I.e. you may check your DNS resolution in detail.
bbwondersAuthor Commented:
Actually I checked all of that even before i posted.

When doing an Nslookup set type=A for my exchange server using my own workstation or any workstation that is connected to VPN I get the public IP of the server instead of the private IP.

Also I checked the DNS forwarders on my DNS server and its not being forwarded to my ISP's DNS. Plus .local is not a valid top level domain.

I still think it has something to do with the PIX firewall modifying the address.
Default Server:  dns.domain.local

> set type=A
> exchange.domain.local
Server:  dns.domain.local

Name:    exchange.domain.local
Address:  74.x.x.x

Open in new window

bbwondersAuthor Commented:
The Ultimate Tool Kit for Technolgy Solution Provi

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!

If your workstation IP config does not use your PIX as DNS then it has nothing to do with that case.  And anyway, if PIX serves as DNS or not, the text which you have posted makes me thihk that your local DNS server configuration contains A record for exchange.domain.local with public address.
bbwondersAuthor Commented:
Ok then riddle me this.

When i do an nslookup from a host that is internal and not connected to VPN (I RDP in the box) and is using the same DNS, how come I am getting an IP that is internal.

When i do a nslookup (not necessarily my computer) any machine connecting via VPN, the same DNS is providing a public IP address.

I am lost now....
Hello there,

Verify your NONAT statment, once i was dealing with this problem, and the issue was in the no nat.

If you see everything OK, try to post your config, to see if there's other problem causing this.!

bbwondersAuthor Commented:
Good catch, I see the NoNAT statement in there also interestingly i see an alias for my host to my public IP of 74.x.x.x.x

I think thats where its coming from. Not sure why Alias is being used. See config below, I have edited it for security reasons of course.

Any direction would be appreciated.
sh access-list
access-list NoNAT; 1 elements
access-list NoNAT line 1 permit ip 172.x.x.x

sh run
nat (inside) 0 access-list NoNAT
nat (inside) 1 0 0
alias (inside) 74.x.x.x
static (inside,outside) 74.x.x.x netmask 0 0

Open in new window

bbwondersAuthor Commented:
I was able to resolve this myself by removing the alias for the IP on the PIX.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.