Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
beaven67
New Contributor

DNS Doctoring with Fortigate?

Cisco firewalls have a feature that digs into the packet payload and rewrites public to private IP addresses for static NATs that are defined on the firewall. Is there a similar feature with the Fortinet? Maybe an application helper?
rwpatterson
Valued Contributor III

Public to private? Why?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
emnoc
Esteemed Contributor III

Cause it makes it all simple and does not require any split-DNS views. E.g. www.example.com 1.1.1.1 NATed to DMZ 172.16.10.2:80. When you conduct the DNS lookup for www.example.com, the external DNS server gives you back 1.1.1.1, but the firewall doctors the response and sends you back 172.16.10.2. Without DNS doctoring, the client on the inside would have tried to reach 1.1.1.1. Now for the OP, have you seen this: http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=11055&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=13977690&stateId=0%200%2013975726 I think that's what you're looking for.

PCNSE NSE StrongSwan
beaven67
New Contributor

I will take a look. Thanks.
beaven67
New Contributor

The post was the opposite from the perspective of the client PC than what I need. The client PCs are on the inside. They want to access www.myco.com, for example. The public IP for myco is, i.e., 64.64.64.64 and the private is 172.16.23.64 in a DMZ zone. When the internal users try accessing www.myco.com they get the public IP address, not the private address in the DMZ. This could be accomplished with setting up separate DNS views or just separate DNS lookup zones. But they didn't have to set up anything when behind the ASA because it rewrote the packet payload, giving it the private IP address.
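The mechanism emnoc and beaven67 describe above, rewriting A-record answers that carry the public side of a static NAT so that inside clients get the DMZ address, as an added illustration that is not code from this thread, from Fortinet or from Cisco. The static-NAT table, the hostname www.myco.com and the addresses are constructed sample values taken from the posts; real firewalls apply this on the NAT/session path, while this script only shows the payload rewrite itself on a constructed DNS response.

```python
"""Minimal DNS "doctoring" rewriter (added example, not vendor code).

Parses a DNS response message, and for every A record whose address is the
public side of a constructed static-NAT table, substitutes the private (DMZ)
address. Record lengths do not change, so the message layout and any
compression pointers stay valid.
"""
import socket
import struct

# Constructed static-NAT table: public address -> private (DMZ) address.
STATIC_NAT = {
    "64.64.64.64": "172.16.23.64",
}


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def _walk_records(msg):
    """Yield (rdata_offset, rtype, rclass, rdlen) for every resource record."""
    _txid, _flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4      # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def a_records(msg):
    """Return the IPv4 addresses of all A records in the message, in order."""
    return [socket.inet_ntoa(msg[off:off + 4])
            for off, rtype, rclass, rdlen in _walk_records(msg)
            if rtype == 1 and rclass == 1 and rdlen == 4]


def doctor_response(msg, nat=STATIC_NAT):
    """Rewrite matching A-record RDATA in place.

    Returns (new_message, number_of_records_rewritten). Only IN/A records
    whose address is a key of `nat` are touched; everything else is copied.
    """
    out = bytearray(msg)
    rewritten = 0
    for off, rtype, rclass, rdlen in _walk_records(msg):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            private = nat.get(socket.inet_ntoa(msg[off:off + 4]))
            if private:
                out[off:off + 4] = socket.inet_aton(private)
                rewritten += 1
    return bytes(out), rewritten


def _encode_name(name):
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def build_a_response(name, addrs, txid=0x1234):
    """Construct a standard-answer DNS response with one A record per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b"".join(
        b"\xc0\x0c"                                  # name: pointer to the question name
        + struct.pack("!HHIH", 1, 1, 300, 4)         # A, IN, TTL 300, RDLENGTH 4
        + socket.inet_aton(a)
        for a in addrs
    )
    return header + question + answers


if __name__ == "__main__":
    # Constructed reply an external resolver would hand back for www.myco.com.
    reply = build_a_response("www.myco.com", ["64.64.64.64", "203.0.113.9"])
    doctored, count = doctor_response(reply)
    print("before:", a_records(reply))
    print("after: ", a_records(doctored), "rewritten:", count)
```

The rewrite leaves the second, unmapped address alone and keeps the message length unchanged, which is why the UDP checksum and length fields of the carrying packet are the only other things a real firewall has to recompute.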
discoveryit
New Contributor

They don't have a Windows or Linux DNS server? A DNS server is part of 4.0 MR2; you can do this by pointing the domain to whatever IP address you want in A records.
FCNSP
beaven67
New Contributor

Having a DNS server is not the issue. DNS doctoring does not involve any DNS server or modification to any DNS records; it simply rewrites payload data for machines with static NATs.
discoveryit
New Contributor

If you want this to work I would look into Policy Routes.
FCNSP