Replicas behind NAT
Does anyone have a replica behind NAT?
One 10.4.7 server is an Open Directory Master 10.4.7 with a public address 66.92.134.160 on en0.
Another 10.4.7 server has a private address of 192.168.10.20 on en0, which is behind
a NAT device, translating the 192.168.10.20 into a public address.
Each server only has one active interface.
I see some choices:
* Find a way to make server2 have its primary interface use a public address not private
* Set up a (static site-to-site ?) VPN so that the ODM can contact server2 at 192.168.10.20
* Roll it all by hand
When trying to make the second server a replica, things fail on Step 9
and then everything is undone.
This is from Library/Logs/slapconfig.log:
2006-07-25 23:49:33 -0700 - 9 Enabling password server replication
2006-07-25 23:49:33 -0700 - command: /usr/sbin/NeST -setupreplica 66.92.134.160 diradmin ****
2006-07-25 23:49:34 -0700 - NeST command failed with status 78
2006-07-25 23:49:34 -0700 - Removing replica due to an error adding a Password Server replica.
2006-07-25 23:49:34 -0700 - command: ssh root@66.92.134.160 /usr/sbin/slapconfig -removereplica 192.168.10.20
2006-07-25 23:50:48 -0700 - command: /usr/sbin/sso_util remove -k -d -s -c -n -v 1
2006-07-25 23:50:59 -0700 - sso_util command output:
shutting down kadmind
kadmind shut down
shutting down kdc
No such process
No such process
kdc shut down
removing kdc database files
I was surprised that the syntax for NeST -setupreplica doesn't include any information
about the candidate replica:
NeST -setupreplica <ip address of master> <admin name> <admin password>
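An added example, not part of the original post: a small Python triage pass over slapconfig.log that pairs each "command failed" line with the command that preceded it and reports whether the logged commands mix RFC 1918 and public addresses, which is the NAT situation asked about above. The function name `analyse` is hypothetical, the line layout is assumed to match the excerpt in the post, and the check does not interpret status 78 itself.

```python
import ipaddress
import re

# Lines taken from the slapconfig.log excerpt in the post above.
SAMPLE_LOG = """\
2006-07-25 23:49:33 -0700 - 9 Enabling password server replication
2006-07-25 23:49:33 -0700 - command: /usr/sbin/NeST -setupreplica 66.92.134.160 diradmin ****
2006-07-25 23:49:34 -0700 - NeST command failed with status 78
2006-07-25 23:49:34 -0700 - Removing replica due to an error adding a Password Server replica.
2006-07-25 23:49:34 -0700 - command: ssh root@66.92.134.160 /usr/sbin/slapconfig -removereplica 192.168.10.20
"""

LINE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4} - (.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FAIL_RE = re.compile(r"^(\S+) command failed with status (\d+)$")


def analyse(log_text):
    """Return failed commands and the addresses seen in logged commands."""
    failures, private, public = [], set(), set()
    last_command = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # tool output lines carry no timestamp
        msg = m.group(1)
        if msg.startswith("command: "):
            last_command = msg[len("command: "):]
            for text in IPV4_RE.findall(last_command):
                try:
                    addr = ipaddress.ip_address(text)
                except ValueError:
                    continue  # dotted number that is not a valid IPv4 address
                (private if addr.is_private else public).add(text)
            continue
        fail = FAIL_RE.match(msg)
        if fail:
            failures.append({"tool": fail.group(1), "status": int(fail.group(2)), "command": last_command})
    return {
        "failures": failures,
        "private": sorted(private),
        "public": sorted(public),
        # True when the commands reference both private and public addresses
        "mixed_addressing": bool(private and public),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```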