In article , wrote: :But my pix in Plant C is going to have a private IP. Plant C will start :the connection though.
Please quote appropriate context, to make it easier on those of us who go through a lot of postings.
You indicated in your initial posting that Plant C has a dynamic IP address from the ISP, and you indicate now that Plant C will have a private IP address. When you talk about private IP addresses, are you talking about the "inside" network, or are you saying that the ISP is assigning a dynamic *private* IP to C's PIX?
It doesn't really matter either way. As long as you are not trying to use traditional AH (Authentication Header), C's ISP can assign any IP it wants to the PIX (as long as it doesn't overlap the internal range!). When C's PIX initiates packets out to the public network, the packets will travel through the ISP's internal infrastructure to the ISP's gateway to the public network. At that point, if the ISP did happen to assign one of the RFC1918 private IP ranges to the PIX, the ISP will be responsible for performing NAT into a public IP, and it will be that public IP that will appear on the packets that reach your other hosts. When your hosts reply to that public IP, the replies will reach the ISP's gateway, and the ISP would then be responsible for any necessary NAT'ing to get into the IP address space that it had handed to C's PIX, and the ISP will then deliver the packets through its infrastructure in order to reach C's PIX.
If the ISP assigns a dynamic public IP to C's PIX, then the ISP will not need to do any NAT, but that won't affect the flow of packets in any significant way.
When you are using a crypto dynamic map at HQ to receive the IPSec packets from C's PIX, the -only- point at which you care about C's PIX IP address is in constructing an "isakmp key" shared key. For that particular statement, you would like the IP range narrowed down as much as feasible. PIX 6.x only allows you a single isakmp key with IP 0.0.0.0 mask 0.0.0.0, so to be able to handle multiple dynamic connections with different shared keys, you'd like to make the scope of the key as specific as you can to avoid overlaps.