02-11-2008 07:27 AM - edited 02-21-2020 03:33 PM
two sites with a domain controller each.
two 871s (version 12.4<4>)
IPSEC tunnel up and passing data - External router (public) interface overloading NAT for IPSEC traffic.
Objective - static NAT the DCs so the MX record has access from internet but - DC site A to DC site B communications go via the IPSEC tunnel - so, I added this to both sites.
ip nat inside source static local.DC.IP.Address DC.Ext.IP.Addr route-map NADANAT
access-list 150 deny ip host local.DC.IP.Address Far.End.Sub.Net 0.0.0.255
access-list 150 permit ip host local.DC.IP.Address any
route-map NADANAT permit 10
match ip address 150
Now I can't even ping the private IP to private IP of the DCs - all other private-to-private comms OK - tunnel up!
Things to note - I'm using the interface VLAN1 as my internal router interface
Any ideas?
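To make the intended behaviour of the posted route-map NAT concrete, here is an added example (not from the thread or from Cisco) that models how IOS evaluates ACL 150 through route-map NADANAT for the inside-to-outside direction: the DC's source address is translated only when the ACL permits the flow, so a deny entry means "leave this traffic untranslated". The addresses are constructed placeholders for local.DC.IP.Address, DC.Ext.IP.Addr and Far.End.Sub.Net.

```python
import ipaddress

# Constructed sample values standing in for the post's placeholders (assumptions).
LOCAL_DC = "172.16.1.250"        # local.DC.IP.Address
DC_EXT = "203.0.113.10"          # DC.Ext.IP.Addr (documentation range)
FAR_END_SUBNET = "172.17.1.0"    # Far.End.Sub.Net, wildcard 0.0.0.255

# access-list 150 as posted: (action, source host, destination base, destination wildcard)
ACL_150 = [
    ("deny",   LOCAL_DC, FAR_END_SUBNET, "0.0.0.255"),
    ("permit", LOCAL_DC, "0.0.0.0", "255.255.255.255"),   # "any"
]


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w) == 0


def acl_action(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, src_host, dst_base, dst_wc in acl:
        if src == src_host and wildcard_match(dst, dst_base, dst_wc):
            return action
    return "deny"


def route_map_nadanat_permits(src, dst):
    # route-map NADANAT permit 10 / match ip address 150:
    # the static translation applies only to flows the ACL permits.
    return acl_action(ACL_150, src, dst) == "permit"


def translate_source(src, dst):
    """Source address after 'ip nat inside source static ... route-map NADANAT'."""
    if src == LOCAL_DC and route_map_nadanat_permits(src, dst):
        return DC_EXT
    return src   # not the DC, or DC traffic bound for the far-end subnet
```

The model covers only the outbound direction the route-map is written for; it shows what the configuration is meant to do, not why the DC-to-DC ping failed on the 871, which the thread leaves unresolved.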
02-12-2008 12:34 PM
I have run into this problem. Here's what fixed it for me.
http://cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
HTH
02-13-2008 12:39 AM
Alas no - I tried a ROUTE-MAP statement per above - no joy. Is it a limitation with the 871 router running 12.4<4>T8?
Here's my thinking for plan B
IPSEC 172.16.1.1-240 to 172.17.1-240
Address my DCs as 172.16.1.250 and 172.16.17.250 (outside tunnel range/No IPSEC)
Static NAT them for site-to-site comms and whack on an address list to limit Microsoft comms only between them for replication - at least get some form of security on them.
02-13-2008 05:14 AM
Whoops, typo: "whack on an ACCESS list" (not address list).
i.e.
Static NAT them for site-to-site comms and whack on an ACCESS list to limit Microsoft comms only between DCs for replication - at least get some form of security on them.