Cisco Support Community
Community Member

871 with IPSEC-i need to static NAT my DCs to internet but still use ipsec

two sites with a domain controller each.

two 871s (version 12.4<4>)

IPSEC tunnel up and passing data - External router (public) interface overloading NAT for IPSEC traffic.

Objective: static NAT the DCs so the MX record is reachable from the internet, but DC site A to DC site B communications still go via the IPSEC tunnel. So I added this to both sites:

ip nat inside source static local.DC.IP.Address DC.Ext.IP.Addr route-map NADANAT
access-list 150 deny ip host local.DC.IP.Address Far.End.Sub.Net 0.0.0.255
access-list 150 permit ip host local.DC.IP.Address any
route-map NADANAT permit 10
 match ip address 150

Now I can't even ping private IP to private IP between the DCs; all other private-to-private comms are OK and the tunnel is up!

Things to note: I'm using interface VLAN1 as my internal router interface.

Any ideas?
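As an added illustration (not from the thread), a small Python model of how the posted route-map static NAT, the existing overload PAT and the crypto map select packets on the inside-to-outside path; the addresses, the PAT ACL and the crypto ACL are assumed placeholders, and the model also shows why the overload ACL must exempt tunnel traffic: a DC packet that the route-map correctly skips still falls through to PAT, and a PAT-translated source no longer matches the crypto ACL.

```python
import ipaddress

def wildcard(addr, mask):
    """Turn an IOS address/wildcard pair into a network (0 bits must match).
    Assumes a contiguous wildcard mask, as in the thread's access-list 150."""
    bits = int(ipaddress.ip_address(mask)).bit_length()
    return ipaddress.ip_network(f"{addr}/{32 - bits}", strict=False)

ANY = wildcard("0.0.0.0", "255.255.255.255")

# Constructed placeholders for local.DC.IP.Address, DC.Ext.IP.Addr and
# Far.End.Sub.Net (documentation ranges, not the poster's real addresses).
DC_LOCAL, DC_GLOBAL = "172.16.1.250", "203.0.113.10"
LOCAL_LAN = wildcard("172.16.1.0", "0.0.0.255")
FAR_END = wildcard("172.17.1.0", "0.0.0.255")
OUTSIDE_IF = "203.0.113.1"          # address the overload rule PATs to

def acl(entries, src, dst):
    """Top-down extended ACL evaluation; unmatched packets are implicitly denied."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d in entries:
        if src in s and dst in d:
            return action
    return "deny"

# access-list 150 as posted: exempt DC -> far-end subnet, NAT DC -> anything else
ACL_150 = [("deny", wildcard(DC_LOCAL, "0.0.0.0"), FAR_END),
           ("permit", wildcard(DC_LOCAL, "0.0.0.0"), ANY)]
# Assumed ACL behind the existing overload rule: tunnel traffic exempted here too
ACL_PAT = [("deny", LOCAL_LAN, FAR_END), ("permit", LOCAL_LAN, ANY)]
# Assumed crypto ACL: interesting traffic is LAN-to-LAN on pre-NAT addresses
CRYPTO_ACL = [("permit", LOCAL_LAN, FAR_END)]

def egress(src, dst, pat_acl=ACL_PAT):
    """Inside->outside order: static NAT (gated by its route-map) first, then
    dynamic PAT, then the crypto map on whatever source address survives NAT.
    Returns (source address on the wire, NAT rule applied, 'ipsec' or 'clear')."""
    if src == DC_LOCAL and acl(ACL_150, src, dst) == "permit":
        nat_src, rule = DC_GLOBAL, "static"   # route-map permit: translate
    elif acl(pat_acl, src, dst) == "permit":
        nat_src, rule = OUTSIDE_IF, "pat"
    else:
        nat_src, rule = src, "none"           # ACL deny in a route-map = not NATed, not dropped
    path = "ipsec" if acl(CRYPTO_ACL, nat_src, dst) == "permit" else "clear"
    return nat_src, rule, path

if __name__ == "__main__":
    print(egress(DC_LOCAL, "172.17.1.250"))   # DC to far-end DC: untranslated, via tunnel
    print(egress(DC_LOCAL, "198.51.100.5"))   # DC to internet: static NAT to DC_GLOBAL
    print(egress(DC_LOCAL, "172.17.1.250", pat_acl=[("permit", LOCAL_LAN, ANY)]))  # PAT ACL without the deny
```

Swap in your own addresses and ACL lines to check, before touching the router, which rule each flow would hit and whether it still matches the crypto ACL afterwards.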

3 REPLIES

Re: 871 with IPSEC-i need to static NAT my DCs to internet but s

Community Member

Re: 871 with IPSEC-i need to static NAT my DCs to internet but s

Alas no - I tried a ROUTE-MAP statement per above - no joy. Is it a limitation with the 871 router running 12.4<4>T8?

Here's my thinking for plan B:

IPSEC 172.16.1.1-240 to 172.17.1-240

Address my DCs as 172.16.1.250 and 172.16.17.250 (outside tunnel range / no IPSEC).

Static NAT them for site-to-site comms and whack on an address list to limit Microsoft comms only between them for replication, at least to get some form of security on them.

Community Member

Re: 871 with IPSEC-i need to static NAT my DCs to internet but s

Whoops, typo: "whack on an ACCESS list" (not address list).

i.e.

Static NAT them for site-to-site comms and whack on an ACCESS list to limit Microsoft comms only between DCs for replication, at least to get some form of security on them.
