871 with IPsec: I need to static NAT my DCs to the internet but still use IPsec

geraghtyconor
Level 1

Two sites with a domain controller each.

Two 871s (version 12.4(4)).

IPsec tunnel up and passing data. External router (public) interface overloading NAT for IPsec traffic.

Objective: static NAT the DCs so the MX record is reachable from the internet, but DC site A to DC site B communications go via the IPsec tunnel. So I added this to both sites:

! Static NAT for the DC, applied only when route-map NADANAT permits the flow
ip nat inside source static local.DC.IP.Address DC.Ext.IP.Addr route-map NADANAT
!
! ACL 150: deny = do not translate (DC to far-end LAN, which should ride the IPsec tunnel)
!          permit = translate (DC to everything else, i.e. the internet)
access-list 150 deny ip host local.DC.IP.Address Far.End.Sub.Net 0.0.0.255
access-list 150 permit ip host local.DC.IP.Address any
!
route-map NADANAT permit 10
 match ip address 150

Now I can't even ping private IP to private IP between the DCs. All other private-to-private comms are OK and the tunnel is up!

Things to note: I'm using interface VLAN1 as my internal router interface.

Any ideas?
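As an added illustration (not part of the thread, and not the poster's configuration), here is a small Python model of how IOS evaluates the inside-to-outside path for the config above: the static translation is applied only when route-map NADANAT's ACL 150 permits the flow, and the crypto map ACL is then matched against the post-NAT packet, because NAT runs before IPsec for inside-to-outside traffic. The addressing (172.16.1.0/24 at site A, 172.17.1.0/24 at site B, each DC at .10, public address 203.0.113.10) and the crypto ACL are assumptions; the interface overload PAT for other hosts and the outside-to-inside direction are left out.

```python
"""
Illustrative model of the IOS inside-to-outside order of operations for a
conditional static NAT plus a site-to-site crypto map.  Addresses are assumed
(the post uses placeholders) and the crypto ACL is not shown in the post.
"""
import ipaddress

# --- Assumed lab addressing (documentation ranges for the public side) ---
SITE_A_LAN = "172.16.1.0"
SITE_B_LAN = "172.17.1.0"          # "Far.End.Sub.Net" as seen from site A
DC_A_PRIVATE = "172.16.1.10"       # "local.DC.IP.Address" at site A
DC_A_PUBLIC = "203.0.113.10"       # "DC.Ext.IP.Addr" at site A (assumed)
DC_B_PRIVATE = "172.17.1.10"


def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask semantics: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) & 0xFFFFFFFF == (b & ~w) & 0xFFFFFFFF


ANY = ("0.0.0.0", "255.255.255.255")


def host(ip):
    """'host X' in an extended ACL is X with an all-zero wildcard."""
    return (ip, "0.0.0.0")


def acl_lookup(acl, src, dst):
    """First-match evaluation of an extended ACL with the implicit deny at the end."""
    for action, (s, swc), (d, dwc) in acl:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action
    return "deny"


# access-list 150 from the post, instantiated for site A
ACL_150 = [
    ("deny",   host(DC_A_PRIVATE), (SITE_B_LAN, "0.0.0.255")),
    ("permit", host(DC_A_PRIVATE), ANY),
]

# Assumed crypto map ACL for the tunnel (private LAN to private LAN)
CRYPTO_ACL = [("permit", (SITE_A_LAN, "0.0.0.255"), (SITE_B_LAN, "0.0.0.255"))]

# Misconfigured variant: the deny line does not match the far-end subnet
ACL_150_WRONG = [
    ("deny",   host(DC_A_PRIVATE), ("172.17.0.0", "0.0.0.255")),
    ("permit", host(DC_A_PRIVATE), ANY),
]


def static_nat_source(src, dst, nat_acl=ACL_150):
    """route-map NADANAT permit 10 / match ip address 150: translate only on a permit."""
    if src == DC_A_PRIVATE and acl_lookup(nat_acl, src, dst) == "permit":
        return DC_A_PUBLIC
    return src


def inside_to_outside(src, dst, nat_acl=ACL_150, crypto_acl=CRYPTO_ACL):
    """Return (source address on the wire, True if the crypto ACL matched).

    NAT is decided first; the crypto ACL sees the post-NAT packet.
    """
    post_nat_src = static_nat_source(src, dst, nat_acl)
    encrypted = acl_lookup(crypto_acl, post_nat_src, dst) == "permit"
    return post_nat_src, encrypted


if __name__ == "__main__":
    # DC to far-end DC: NAT skipped by the deny line, crypto ACL matches
    print(inside_to_outside(DC_A_PRIVATE, DC_B_PRIVATE))
    # DC to the internet: translated to the public address, no crypto match
    print(inside_to_outside(DC_A_PRIVATE, "192.0.2.25"))
    # Wrong far-end subnet in the deny line: DC gets translated, tunnel missed
    print(inside_to_outside(DC_A_PRIVATE, DC_B_PRIVATE, ACL_150_WRONG))
    # Ordinary LAN host: not subject to the static NAT, rides the tunnel
    print(inside_to_outside("172.16.1.20", DC_B_PRIVATE))
```

The third call is the check worth making on both routers: if the deny line in ACL 150 does not match the far-end subnet exactly, the DC's tunnel-bound traffic is translated first, no longer matches the crypto ACL, and is routed normally instead of being encrypted.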


Collin Clark
VIP Alumni

Alas no. I tried a route-map statement per the above, but no joy. Is it a limitation of the 871 router running 12.4(4)T8?

Here's my thinking for plan B

IPSEC 172.16.1.1-240 to 172.17.1-240

Address my DCs as 172.16.1.250 and 172.16.17.250 (outside tunnel range/No IPSEC)

Static NAT them for site-to-site comms and whack on an address list to limit Microsoft comms only between them for replication, to at least get some form of security on them.

Whoops, typo: "whack on an ACCESS list" (not address list).

i.e.

Static NAT them for site-to-site comms and whack on an ACCESS list to limit Microsoft comms only between DCs for replication, to at least get some form of security on them.
