Keeping same IP over VPN

You posted a question involving Checkpoint firewalls to a Cisco newsgroup, so I will answer in terms of Cisco equipment.

With Cisco PIX, ASA, FWSM, or regular Firewall Feature Set on routers, you would not be able to do this if all of the NS5GT are connecting to the same interface via IPSec, and if all of the NS5GT are sending the same untranslated IP range to the Cisco equipment. You could possibly get things to work under those conditions if the NS5GT could connect out via PPTP to the Cisco device: each PPTP connection would be allocated a different point-to-point link address.

If you can get the NS5GT's to NAT the IPs as they send it over the VPN towards the Cisco equipment, each NS5GT to a different source address (or source net), then all of the Cisco equipment types listed above would be able to handle the situation.

However, if you were to use the Cisco equipment as a hub to cross-connect the traffic for the four offices, all tunneling to the same interface, then you would you would need a relatively new IOS version for the Cisco routers (12.4 probably, 12.3T just might have the capability), and you would need PIX software version 7.x (which is not available for all the PIX models currently being sold.)

Cisco has example configurations of setting up VPNs when there are overlapping address ranges, and a few times in the past I have posted PIX configurations for this purpose. I have not, though, posted any hub-and-spoke configurations.

Cisco has a feature in newer router IOS versions, DMVPN, Dynamic Multipoint VPN, which would be well suited for a spoke and hub configuration, but it probably requires Cisco equipment at all points.

If you are asking about cross-connecting the four NS5GT -without- using any additional equipment, then you have asked in the wrong newsgroup ;-)