Cisco Support Community
New Member

Login to domain across a site-to-site VPN possible?


I have a client who wants to convert a remote site from frame relay to a DSL internet connection. He then wants a site-to-site VPN tunnel, but here's the difficult part... he wants the remote site to be able to login across the VPN tunnel into the NT domain. Is that possible? If so, how? I would think that everyone at the remote site needs to run a VPN client, which they aren't using yet.

Oh BTW, the same internet connection needs to allow the remote users to browse the internet and be NAT'ed or PAT'ed because their internal network is There's a PIX 501 on one end and a PIX 525 on the other.

Is this an unusual request or am I missing something?

Thanks in advance,



Re: Login to domain across a site-to-site VPN possible?

Nah, this is all feasible.

Pix mojo:

Assuming the 501 is for the remote office, you will use:

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

Create an access-list nonat that contains:

all possible source ip addresses for remote site and all possible destination remote address for local site.

If remote site is and local is then the acl looks like:

access-list nonat permit ip

If you have more subnets, it gets longer as you need to figure out all possible permutations.

This setup will NAT all traffic except for that going to the local office. NAT breaks all kinds of Windows file/login/print stuff terribly. All internet traffic, failing to meet the access-list's permit rules, will hit the nat 1 rule, and just get NAT'd.

Windows Side:

Do you have any servers in the remote site? Setting up a server with WINS there, and configuring WINS replication across the VPN tunnel, will help ensure that the remote users' Network Neighborhood contains all the local site's servers. Nonetheless, the remote site should be able to function fine without a server if need be - it just might need a bit more tweaking to get running.
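The reply above describes the split between NAT exemption (nat 0 with the nonat ACL) for tunnel-bound traffic and ordinary PAT (nat 1) for Internet-bound traffic, and notes that the ACL grows with every remote/local subnet pair. The script below is an added example, not code from the original thread or from Cisco: it generates the nonat access-list for any number of subnets on each side and then simulates the PIX decision for a given flow, so you can verify that domain logon traffic stays untranslated while web traffic gets PAT'ed. The subnets are constructed placeholders, since the poster's addresses did not survive on the page.

```python
import ipaddress
from itertools import product

# Constructed sample subnets (placeholders; the thread's real addresses are not on the page).
REMOTE_SUBNETS = ["192.168.10.0/24", "192.168.11.0/24"]   # behind the PIX 501
LOCAL_SUBNETS = ["10.1.0.0/16"]                           # behind the PIX 525 (NT domain)


def build_nonat_acl(remote_subnets, local_subnets, acl_name="nonat"):
    """Emit one 'access-list <name> permit ip SRC MASK DST MASK' line per
    remote/local subnet pair, i.e. every permutation the reply warns about."""
    lines = []
    for r, l in product(remote_subnets, local_subnets):
        rn = ipaddress.ip_network(r, strict=True)
        ln = ipaddress.ip_network(l, strict=True)
        lines.append(
            f"access-list {acl_name} permit ip "
            f"{rn.network_address} {rn.netmask} {ln.network_address} {ln.netmask}"
        )
    return lines


def build_nat_config(remote_subnets, local_subnets, acl_name="nonat"):
    """Full NAT fragment for the remote-office PIX: exemption first, then catch-all PAT.
    'nat (inside) 1 0 0' is the shorthand equivalent of the 0.0.0.0 0.0.0.0 form."""
    return build_nonat_acl(remote_subnets, local_subnets, acl_name) + [
        f"nat (inside) 0 access-list {acl_name}",
        "nat (inside) 1 0.0.0.0 0.0.0.0",
    ]


def nat_decision(src_ip, dst_ip, remote_subnets, local_subnets):
    """Simulate how the PIX treats a flow from the inside interface:
    'exempt' = matched the nonat ACL, real addresses preserved through the tunnel;
    'pat'    = fell through to nat 1 and is translated to the outside address."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r, l in product(remote_subnets, local_subnets):
        if src in ipaddress.ip_network(r) and dst in ipaddress.ip_network(l):
            return "exempt"
    return "pat"


if __name__ == "__main__":
    for line in build_nat_config(REMOTE_SUBNETS, LOCAL_SUBNETS):
        print(line)
    # Domain logon from the remote site to a DC at the main site: must not be NAT'ed.
    print("logon to DC:", nat_decision("192.168.10.25", "10.1.5.10", REMOTE_SUBNETS, LOCAL_SUBNETS))
    # Web browsing from the same host: falls through to nat 1 and is PAT'ed.
    print("web browsing:", nat_decision("192.168.10.25", "203.0.113.80", REMOTE_SUBNETS, LOCAL_SUBNETS))
```

A useful check before deploying: every subnet a workstation might source from, and every subnet a domain controller or file server lives in, must appear in the respective list, otherwise that pair silently lands on nat 1 and the logon breaks exactly as the reply describes.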