Login to domain across a site-to-site VPN possible?
I have a client who wants to convert a remote site from frame relay to a DSL internet connection. He then wants a site-to-site VPN tunnel, but here's the difficult part... he wants the remote site to be able to log in across the VPN tunnel into the NT domain. Is that possible? If so, how? I would think that everyone at the remote site needs to run a VPN client, which they aren't using yet.
Oh BTW, the same internet connection needs to allow the remote users to browse the internet and be NAT'ed or PAT'ed because their internal network is 192.168.1.0. There's a PIX 501 on one end and a PIX 525 on the other.
Is this an unusual request or am I missing something?
Re: Login to domain across a site-to-site VPN possible?
Nah, this is all feasible.
Assuming the 501 is for the remote office, you will use:
nat (inside) 0 access-list nonat
nat (inside) 1 0 0 0 0
Create an access-list nonat that contains:
all possible source IP addresses for the remote site and all possible destination addresses for the local site.
If the remote site is 192.168.1.0/24 and the local site is 192.168.2.0/24, then the ACL looks like:
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
If you have more subnets, it gets longer as you need to figure out all possible permutations.
This setup will NAT all traffic except for that going to the local office. NAT breaks all kinds of Windows file/login/print stuff terribly. All internet traffic, failing to meet the access-list's permit rules, will hit the nat 1 rule and just get NAT'd.
Do you have any servers in the remote site? Setting up a server with WINS there, and configuring WINS replication across the VPN tunnel, will help ensure that the remote users' network neighborhood contains all the local site's servers. Nonetheless, the remote site should be able to function fine without a server if need be - it just might need a bit more tweaking to get running.
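The following is an added example, not part of the original reply: it generates the nonat exemption ACL for every remote/local subnet pair (the "permutations" the reply mentions) and then mimics the PIX rule order to show whether a given flow is exempted by nat 0 or translated by nat 1. The extra 10.x subnets are constructed sample values; the ACL format follows the reply's example line.

```python
# Added example: build the PIX "nat (inside) 0 access-list nonat" exemption
# list for all remote/local subnet pairs and classify flows against it.
import ipaddress
from itertools import product

# Constructed sample subnets: the reply's 192.168.1.0/24 (remote) and
# 192.168.2.0/24 (local), plus one extra subnet per side to show growth.
REMOTE_SUBNETS = ["192.168.1.0/24", "10.1.0.0/16"]
LOCAL_SUBNETS = ["192.168.2.0/24", "10.2.0.0/16"]


def nonat_acl(remote_subnets, local_subnets, name="nonat"):
    """One 'permit ip <src> <mask> <dst> <mask>' line per (remote, local) pair."""
    lines = []
    for src, dst in product(remote_subnets, local_subnets):
        s = ipaddress.ip_network(src)
        d = ipaddress.ip_network(dst)
        lines.append(f"access-list {name} permit ip "
                     f"{s.network_address} {s.netmask} "
                     f"{d.network_address} {d.netmask}")
    return lines


def _acl_permits(acl_lines, src_ip, dst_ip):
    """True if any ACL entry matches the flow (PIX masks are dotted netmasks)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        # fields: access-list <name> permit ip <src> <smask> <dst> <dmask>
        f = line.split()
        src_net = ipaddress.ip_network(f"{f[4]}/{f[5]}")
        dst_net = ipaddress.ip_network(f"{f[6]}/{f[7]}")
        if src in src_net and dst in dst_net:
            return True
    return False


def nat_decision(acl_lines, src_ip, dst_ip):
    """nat 0 (exempt) wins when the ACL permits; everything else hits nat 1 (PAT)."""
    if _acl_permits(acl_lines, src_ip, dst_ip):
        return "exempt (nat 0)"
    return "translated (nat 1)"


if __name__ == "__main__":
    acl = nonat_acl(REMOTE_SUBNETS, LOCAL_SUBNETS)
    print("\n".join(acl))
    # Domain logon traffic to the local site stays untranslated over the tunnel:
    print(nat_decision(acl, "192.168.1.10", "192.168.2.5"))
    # Internet browsing (constructed TEST-NET destination) is PAT'd:
    print(nat_decision(acl, "192.168.1.10", "203.0.113.10"))
```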