Cisco ASA DNS doctoring/Guest wireless with external DNS

Recently, I set up a guest wireless network that uses external DNS. Clients were able to browse the Internet fine; however, they were not able to access my company's website. The problem was that the external DNS server answered with the public IP address of the website, while a guest client is technically an internal client within the network. I could have changed my hosts file and it would all have worked, but that was not a solution. I then came across the website below, which introduced me to DNS doctoring.

http://www.hackandtinker.net/2013/08/22/guest-wireless-access-with-external-dns-while-maintaining-access-to-the-local-dmz/

By default, the Cisco ASA does not allow packets to go back out the same interface they came in on, so a guest client cannot reach the website through its public address. DNS doctoring allows the ASA to rewrite DNS A-records: it intercepts the reply coming back from the outside DNS server and replaces the public address with the private IP address that the guest client can reach. Cisco states that DNS inspection must be enabled on the ASA for DNS doctoring to work.

To enable it in ASDM, edit the NAT rule for the web server and click the Advanced button. In the Advanced NAT Settings dialog, check 'Translate DNS replies for rule'. Guest wireless clients configured for external DNS should now be able to browse to the company website.
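For anyone working from the CLI rather than ASDM, the following is the equivalent configuration on an ASA running 8.3 or later. This is an added example and not configuration from the original post or from the linked article; the interface names (guest, dmz, outside), the object name WEB-SERVER and the addresses 192.0.2.10 and 203.0.113.10 are assumptions chosen for illustration.

```cisco
! Added example (not from the original post). Interface names, object name
! and addresses are assumptions.
!
! 1. DNS doctoring depends on DNS inspection. The default global policy
!    already inspects DNS; confirm with:  show service-policy inspect dns
!    If it is missing, add it to the default inspection class:
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map

! 2. Static NAT for the web server in the DMZ, with the "dns" keyword.
!    "dns" is the CLI form of the ASDM checkbox 'Translate DNS replies for rule'.
!    When a DNS reply from the outside DNS server carries the mapped address
!    203.0.113.10, the ASA rewrites the A-record to the real address
!    192.0.2.10 before handing the reply to the client on the guest interface.
object network WEB-SERVER
 host 192.0.2.10
 nat (dmz,outside) static 203.0.113.10 dns
```

To verify, run `show running-config nat` and check that the rule ends with `dns`, then resolve the website's hostname from a guest client: the answer should now be the private address 192.0.2.10 rather than the public 203.0.113.10. Only the A-record in the reply is rewritten; the client's query and the DNS server it talks to are unchanged, so the guest network keeps its external DNS.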