09-17-2016 09:40 AM - edited 03-05-2019 07:05 AM
I am setting up a new VPN tunnel between two different companies. We need to perform AD Forest/Domain trust.
For the tunnel to work for the majority of users on the opposite end, I had to set up a NAT for their internal /18 network (192.168.0.0/18, which includes everything up to 192.168.63.255).
On my end I have other VPN tunnels that already use 192.168.11-21.x, so there is no way around the NAT for those networks at least.
So I was able to install a domain controller for my domain on their side (I thought it might speed some things up in the long run when it comes to domain operations between the domains). It has a static IP of 192.168.6.9, but with the NAT in place my side sees 10.60.6.9. So when my remote DC syncs up it registers with the 192.168 IP, not the 10.60 IP, and that eventually breaks domain communication between my side and that DC.
What I am asking is, is it possible to exempt specific IPs (or even subnets) that exist within a bigger NAT scope?
I want to at least exempt 192.168.6.9/32 from NAT (at most exempt 192.168.6.0/24) so my end will see it as its true IP and keep in sync with domain controllers on my side.
Thanks,
Dirk
09-18-2016 07:01 AM
Hello Dirk,
You could use an extended ACL and apply it to your inside NAT interface. The ACL would specify which addresses to translate and which not.
! IOS named extended ACL (access-list takes a number; names use ip access-list). A deny here means "do not translate".
ip access-list extended natexempt
 deny ip 192.168.6.0 0.0.0.255 any
 deny ip 192.168.6.9 0.0.0.0 any
 permit ip any any
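The reply above relies on how a NAT source list is evaluated: entries are checked top to bottom, the first match wins, a deny (or the implicit deny at the end) leaves the packet untranslated, and a permit hands it to NAT. The following added example (not part of the original thread, and not Cisco's code) models that evaluation in Python so the exemption can be checked against sample addresses before it is pushed to a router. The parser accepts the `permit|deny ip SRC DST` form used in the reply, converts Cisco wildcard masks to prefixes explicitly (0.0.0.0 would otherwise be read as a /0 netmask), and also flags entries that can never match because an earlier line already covers them. The sample ACL is the one from the reply; the extra host-only ACL and the test addresses are constructed for illustration.

```python
"""Simulate how a Cisco IOS NAT source list is evaluated: first match wins,
deny (or the implicit deny at the end) = leave untranslated, permit = translate."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network  # source match; 0.0.0.0/0 for "any"
    dst: ipaddress.IPv4Network  # destination match
    text: str                   # original line, kept for reporting


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # Cisco wildcard: 0 bits must match, 1 bits are don't-care. Invert it to a
    # netmask ourselves; contiguous wildcards only (others raise NetmaskValueError).
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address(~wild & 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{tok}/{netmask}", strict=False), i + 2


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse 'permit|deny ip SRC DST' lines; skip comments and the header line."""
    entries = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("ip access-list"):
            continue
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line}")
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        entries.append(AclEntry(action, src, dst, line))
    return entries


def nat_decision(acl: List[AclEntry], src_ip: str,
                 dst_ip: str = "10.0.0.1") -> Tuple[str, Optional[str]]:
    """Return ('translate' | 'exempt', text of the matching entry or None)."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for entry in acl:
        if s in entry.src and d in entry.dst:
            verdict = "translate" if entry.action == "permit" else "exempt"
            return verdict, entry.text
    return "exempt", None   # implicit deny: never handed to NAT


def shadowed_entries(acl: List[AclEntry]) -> List[int]:
    """Indexes of entries that can never match because an earlier entry covers them."""
    dead = []
    for i, entry in enumerate(acl):
        if any(entry.src.subnet_of(prev.src) and entry.dst.subnet_of(prev.dst)
               for prev in acl[:i]):
            dead.append(i)
    return dead


# The ACL from the reply above, in IOS named-ACL form.
NATEXEMPT = parse_acl("""
ip access-list extended natexempt
 deny ip 192.168.6.0 0.0.0.255 any
 deny ip 192.168.6.9 0.0.0.0 any
 permit ip any any
""".splitlines())


if __name__ == "__main__":
    # Constructed sample addresses: the DC, another host in its /24, a host
    # elsewhere in the partner /18.
    for ip in ("192.168.6.9", "192.168.6.200", "192.168.7.1"):
        print(ip, *nat_decision(NATEXEMPT, ip))
    print("shadowed:", [NATEXEMPT[i].text for i in shadowed_entries(NATEXEMPT)])
```

Running it shows 192.168.6.9 and 192.168.6.200 exempt, 192.168.7.1 translated, and the host line `deny ip 192.168.6.9 0.0.0.0 any` reported as shadowed: once the /24 deny is in place the /32 line is never reached, so keep one or the other depending on whether the whole subnet or only the DC should bypass NAT.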