Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Login to domain across a site-to-site VPN possible?

Hello,

I have a client who wants to convert a remote site from frame relay to a DSL internet connection. He then wants a site-to-site VPN tunnel, but here's the difficult part... he wants the remote site to be able to login across the VPN tunnel into the NT domain. Is that possible? If so, how? I would think that everyone at the remote site needs to run a VPN client, which they aren't using yet.

Oh BTW, the same internet connection needs to allow the remote users to browse the internet and be NAT'ed or PAT'ed because their internal network is 192.168.1.0. There's a PIX 501 on one end and a PIX 525 on the other.

Is this an unusual request or am I missing something?

Thanks in advance,

Tai

1 REPLY
Silver

Re: Login to domain across a site-to-site VPN possible?

Nah, this is all feasible.

Pix mojo:

Assuming the 501 is for the remote office, you will use:

nat (inside) 0 access-list nonat

nat (inside) 1 0 0 0 0

Create an access-list nonat that contains:

all possible source ip addresses for remote site and all possible destination remote address for local site.

If remote site is 192.168.1.0/24 and local is 192.168.2.0/24 then the acl looks lie:

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

If you have more subnets, it gets longer as you need to figure out all possible permutations.

This setup will nat all traffic except for that going to the local office. NAT breaks all kinds of windows file/login/print stuff terribly. All internet traffic, failing to meet the access-lists permit rules, will hit the nat 1 rule, and just get NAT'd.

WIndows Side:

Do you have any servers in the remote site? Setting up a server with wins there, and configuring WINS replication across the vpn tunnel will help ensure that the remote user's network neighborhood contains all the local site's servers. Nonetheless, the remote site should be able to function fine without a server if need be - it just might need a bit more tweaking to get running.

Matt

104
Views
0
Helpful
1
Replies