I am setting up a new VPN tunnel between two different companies. We need to perform AD Forest/Domain trust.

For the tunnel to work for the majority of users on the opposite end, I had to set up a NAT for their internal /18 network (192.168.0.0/18 (includes everything up to 192.168.63.255))

On my end I have other VPN tunnels that already use 192.168.11-21.x, so no way around the NAT for those networks at least.

So I was able to install a domain controller on their side for my domain, (thought it might speed some things up in the long run when come sot domain operations between the domains). It has a static IP of 192.168.6.9, but with the NAT in place my side sees 10.60.6.9. So when my remote DC syncs up it registers as the 192. IP, not the 10.60 IP, and therefore eventually breaks domain communication between my side and that DC.

What I am asking is, is it possible to exempt specific IPs (or even subnets) that exist within a bigger NAT scope?

I want to at least exempt 192.168.6.9/32 from NAT (at most exempt 192.168.6.0/24) so my end will see it as its true IP and keep in sync with domain controllers on my side.

Thanks,

Dirk