Well, I do not have an exact example, but other than the VPN commands, basically what you need to do is double NATting. Here's what it would look like. Basically, everyone is NATted and from site A, you appear to be 192.168.1.0 and B, 192.168.2.0.
On PIX A: you may reach site B with 192.168.2.0 addresses
hostname pixa
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encrypt 3des
! put PIX B address here...
crypto isakmp key cisco1234 address 1.2.3.4 (PIX B ADDRESS)
crypto ipsec transform-set strong esp-3des esp-sha-hmac

! Policy NAT access-list - specify conditions under which to NAT for VPN
! and match interesting VPN traffic
access-list vpnnat permit ip 192.168.168.0 255.255.255.0 192.168.2.0 255.255.255.0
! perhaps you may want to use :
! static (inside,outside) 192.168.1.0 netmask 255.255.255.0 access-list vpnnat
! or something similar.. not sure... instead of nat 1 and global1..
! in both in site A and B.
nat 1 (inside) access-list vpnnat
global 1 (outside) 192.168.1.0 192.168.1.255
! nat everyone else going to Internet
nat (inside) 1 0 0
! your public IP address or whatever PAT IP add you want
global (outside) 1 a.b.c.d

crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address vpnnat
crypto map mymap 20 set transform-set strong
! define remote peer
crypto map mymap 20 set peer A.b.C.D
crypto map mymap interface outside
sysopt connection permit-ipsec

On PIX B: you may reach site A with 192.168.1.0 addresses
hostname pixb
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encrypt 3des
! put PIX A address here...
crypto isakmp key cisco1234 address 1.2.3.4 (PIX A ADDRESS)
crypto ipsec transform-set strong esp-3des esp-sha-hmac

! Policy NAT access-list - specify conditions under which to NAT for VPN
access-list vpnnat permit ip 192.168.168.0 255.255.255.0 192.168.1.0 255.255.255.0
nat 1 (inside) access-list vpnnat
global 1 (outside) 192.168.2.0 192.168.2.255
! nat everyone else going to Internet
nat (inside) 1 0 0
! your public IP address or whatever PAT IP add you want
global (outside) 1 a.b.c.d

crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address vpnnat
crypto map mymap 20 set transform-set strong
! define remote peer
crypto map mymap 20 set peer A.b.C.D
crypto map mymap interface outside
sysopt connection permit-ipsec
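
The address rewriting that double NAT performs between the two sites, as an added example that is not part of the original post. It assumes the one-to-one network mapping (host part preserved) that the `static` alternative in the comment would give; the function names are hypothetical, and the subnets are the ones used in the post.

```python
import ipaddress

# Both sites use the same inside network (taken from the access-lists in the post).
REAL = ipaddress.ip_network("192.168.168.0/24")
# How each site appears to the other (taken from the post).
MAPPED = {
    "A": ipaddress.ip_network("192.168.1.0/24"),
    "B": ipaddress.ip_network("192.168.2.0/24"),
}


def _remap(addr, src_net, dst_net):
    """Move addr from src_net to dst_net, keeping the host part (assumed 1:1 NAT)."""
    addr = ipaddress.ip_address(addr)
    if addr not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    offset = int(addr) - int(src_net.network_address)
    return str(dst_net.network_address + offset)


def to_mapped(site, real_ip):
    """Real inside address -> address the other site uses to reach it."""
    return _remap(real_ip, REAL, MAPPED[site])


def to_real(site, mapped_ip):
    """Mapped address -> real inside address at that site."""
    return _remap(mapped_ip, MAPPED[site], REAL)


def trace(src_site, src_real, dst_real):
    """Return (source, destination) of one packet at each stage of the path."""
    dst_site = "B" if src_site == "A" else "A"
    # The sender must target the peer's mapped address: the real one is
    # on its own local subnet and would never be routed to the firewall.
    dst_mapped = to_mapped(dst_site, dst_real)
    on_src_lan = (src_real, dst_mapped)
    in_tunnel = (to_mapped(src_site, src_real), dst_mapped)  # source NAT at local PIX
    on_dst_lan = (in_tunnel[0], to_real(dst_site, dst_mapped))  # un-NAT at remote PIX
    return {"src_lan": on_src_lan, "tunnel": in_tunnel, "dst_lan": on_dst_lan}


if __name__ == "__main__":
    # Constructed sample: host .10 at site A talks to host .10 at site B.
    for stage, pair in trace("A", "192.168.168.10", "192.168.168.10").items():
        print(f"{stage:8} src={pair[0]:16} dst={pair[1]}")
```

Inside the tunnel neither packet header carries a 192.168.168.0 address, which is why the two identically numbered sites can exchange traffic.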