Two sites with a domain controller each.
Two 871s (version 12.4(4))
IPSEC tunnel up and passing data - External router (public) interface overloading NAT for IPSEC traffic.
Objective - static NAT the DCs so the MX record has access from the internet, but DC site A to DC site B communications go via the IPSEC tunnel - so, I added this to both sites:
ip nat inside source static local.DC.IP.Address DC.Ext.IP.Addr route-map NADANAT
access-list 150 deny ip host local.DC.IP.Address Far.End.Sub.Net 0.0.0.255
access-list 150 permit ip host local.DC.IP.Address any
route-map NADANAT permit 10
 match ip address 150
Now I can't even ping from private IP to private IP of the DCs - all other private-to-private comms OK - tunnel up!
Things to note - I'm using the interface VLAN1 as my internal router interface
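To check the ACL logic from the post offline, here is an added Python model (not the poster's configuration and not Cisco code) of how route-map NADANAT decides whether the static translation applies to a given packet: IOS wildcard-mask matching, first-match ACL evaluation with the implicit deny, and the route-map permit. The addresses are constructed placeholders, since the post elides the real ones.

```python
import ipaddress

# Constructed placeholder addresses standing in for the post's elided values.
LOCAL_DC = "10.1.1.10"        # local.DC.IP.Address
DC_EXT = "203.0.113.10"       # DC.Ext.IP.Addr (documentation range)
FAR_END_SUBNET = "10.2.2.0"   # Far.End.Sub.Net (wildcard 0.0.0.255)
FAR_DC = "10.2.2.10"          # a host on the far-end subnet

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must match exactly, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

# access-list 150 as (action, src, src_wildcard, dst, dst_wildcard).
# "host X" is X with wildcard 0.0.0.0; "any" is 0.0.0.0 with wildcard 255.255.255.255.
ACL_150 = [
    ("deny",   LOCAL_DC, "0.0.0.0", FAR_END_SUBNET, "0.0.0.255"),
    ("permit", LOCAL_DC, "0.0.0.0", "0.0.0.0",      "255.255.255.255"),
]

def acl_action(acl, src, dst):
    """First matching entry wins; an extended ACL ends with an implicit deny."""
    for action, s, swc, d, dwc in acl:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action
    return "deny"

def nat_inside_source(src, dst):
    """Model of 'ip nat inside source static ... route-map NADANAT':
    route-map NADANAT permit 10 matches ACL 150, so the static translation
    is applied only when the ACL permits; otherwise the source is untouched."""
    if acl_action(ACL_150, src, dst) == "permit":
        return DC_EXT
    return src

if __name__ == "__main__":
    print("DC -> far DC  :", nat_inside_source(LOCAL_DC, FAR_DC))        # untouched
    print("DC -> internet:", nat_inside_source(LOCAL_DC, "198.51.100.5"))  # translated
```

The model covers only the inside-to-outside decision for the translated host; the reverse path that a static entry also creates is not modelled.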