Login to domain across a site-to-site VPN possible?

taikenison
Level 1

Hello,

I have a client who wants to convert a remote site from frame relay to a DSL internet connection. He then wants a site-to-site VPN tunnel, but here's the difficult part... he wants the remote site to be able to login across the VPN tunnel into the NT domain. Is that possible? If so, how? I would think that everyone at the remote site needs to run a VPN client, which they aren't using yet.

Oh BTW, the same internet connection needs to allow the remote users to browse the internet and be NAT'ed or PAT'ed because their internal network is 192.168.1.0. There's a PIX 501 on one end and a PIX 525 on the other.

Is this an unusual request or am I missing something?

Thanks in advance,

Tai

1 Reply

mostiguy
Level 6

Nah, this is all feasible.

Pix mojo:

Assuming the 501 is for the remote office, you will use:

nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0

Create an access-list nonat that contains:

all possible source ip addresses for remote site and all possible destination remote address for local site.

If the remote site is 192.168.1.0/24 and the local site is 192.168.2.0/24, then the ACL looks like:

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

If you have more subnets, it gets longer as you need to figure out all possible permutations.

This setup will nat all traffic except for that going to the local office. NAT breaks all kinds of windows file/login/print stuff terribly. All internet traffic, failing to meet the access-lists permit rules, will hit the nat 1 rule, and just get NAT'd.

Windows Side:

Do you have any servers in the remote site? Setting up a server with WINS there, and configuring WINS replication across the VPN tunnel, will help ensure that the remote users' network neighborhood contains all the local site's servers. Nonetheless, the remote site should be able to function fine without a server if need be - it just might need a bit more tweaking to get running.

Matt
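The "all possible permutations" step above gets error-prone once either site has more than one subnet, and a missed pair silently sends that traffic through nat 1, which is exactly the case where Windows logon and file sharing break. The following is an added example, not code from either post or from Cisco: it generates the nonat ACL for every remote/local subnet pair, flags overlapping subnets (which no ACL can fix), and simulates the PIX order of evaluation (nat 0 exemption first, otherwise PAT) so you can check a given flow before touching the firewall. Subnet lists and the flow addresses are constructed sample input.

```python
import ipaddress
from itertools import product


def nonat_acl(remote_subnets, local_subnets, name="nonat"):
    """Emit one 'access-list <name> permit ip' line per remote->local pair,
    in PIX syntax (network address followed by dotted netmask)."""
    lines = []
    for remote, local in product(remote_subnets, local_subnets):
        r = ipaddress.ip_network(remote)
        l = ipaddress.ip_network(local)
        lines.append(
            f"access-list {name} permit ip "
            f"{r.network_address} {r.netmask} {l.network_address} {l.netmask}"
        )
    return lines


def overlapping_pairs(remote_subnets, local_subnets):
    """Return (remote, local) pairs whose address space overlaps. Overlap
    means traffic cannot even be routed across the tunnel, let alone
    exempted from NAT, so this must be clean before the ACL is useful."""
    return [
        (remote, local)
        for remote, local in product(remote_subnets, local_subnets)
        if ipaddress.ip_network(remote).overlaps(ipaddress.ip_network(local))
    ]


def nat_decision(src, dst, remote_subnets, local_subnets):
    """Simulate the PIX evaluation described in the post: a flow matching
    the nonat ACL hits 'nat (inside) 0' and crosses the tunnel untranslated;
    anything else falls through to 'nat (inside) 1' and is PATed."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for remote, local in product(remote_subnets, local_subnets):
        if s in ipaddress.ip_network(remote) and d in ipaddress.ip_network(local):
            return "exempt"  # nat 0: identity, needed for domain logon/SMB
    return "pat"             # nat 1: Internet-bound, address overloaded


if __name__ == "__main__":
    # constructed sample: remote office has two subnets, HQ has two
    remote = ["192.168.1.0/24", "192.168.3.0/24"]
    local = ["192.168.2.0/24", "10.10.0.0/16"]
    print("\n".join(nonat_acl(remote, local)))
    print(overlapping_pairs(remote, local))
    print(nat_decision("192.168.1.10", "10.10.5.5", remote, local))
    print(nat_decision("192.168.1.10", "203.0.113.7", remote, local))
```

The nat 1 rule only translates traffic if a matching `global (outside) 1` statement exists on the PIX; the simulator assumes one is configured.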