PIX VPN

Hi,

How do I, in a site-to-site VPN, hide my LAN subnet behind the WAN address? My guess is NAT, but I'm unsure how to configure it.

The problem is that the LAN subnet is on the other side as well. The resources I need are not located on the same IP subnet.

Thanks

Kenneth


I think it's masquerade; I'm not a Cisco guy....

RedForeman


You want to avoid NAT when using IPsec.

Bad. You should seriously think about changing the addresses for one network.

Wolfgang


You can use a normal nat/global pair -- in fact, you can use exactly the nat/global pair you probably already have in place for regular internet traffic.

The key you have to remember is that crypto map match-address gets processed *after* NAT, so in your source address field for the match-address ACL, you will need to put the translated address. If you are using PIX 6.2 or later, that translated address would be the keyword 'interface' followed by the interface name.

access-list vpn2HQ permit ip interface outside 123.45.56.0 255.255.255.0

You'll be okay as long as you address the public IPs corresponding to the remote resource.

It -is- possible on the PIX to arrange two overlapping LAN IP ranges to talk to each other over VPN, provided that you can arrange that they refer to each other by different addresses. For example if the LAN on each is 192.168.1.0/24 then you could arrange so that packets from one LAN addressed to 192.168.2.0/24 are forwarded to the corresponding 192.168.1.0/24 address on the other LAN, and on that second LAN, packets addressed to 192.168.3.0/24 are forwarded to the corresponding 192.168.1.0/24 address on the first LAN. However, you can not set it up so that you address everything by 192.168.1.0/24 addresses and the firewall "somehow" figures out which side of the VPN the target address is on. (Possibly that could be done with PIX 7.)

Walter Roberson
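As an added illustration of the approach in the post above (not configuration from the original thread), here is what a complete PIX 6.x site-to-site setup looks like when the local LAN is PAT-hidden behind the outside interface address. The remote LAN 123.45.56.0/24 is taken from the post; the local LAN 192.168.1.0/24, the remote peer 203.0.113.2, the map and ACL names and the pre-shared key are assumed for the example. Note what is deliberately absent: there is no `nat (inside) 0 access-list ...` exemption for VPN traffic, because the whole point is that the LAN is translated before the crypto map sees it.

```cisco
! Assumed: local LAN 192.168.1.0/24, remote peer 203.0.113.2 (example addresses)
! Remote LAN 123.45.56.0/24 as in the post above

! 1. Ordinary nat/global pair. 'global ... interface' PATs the LAN behind the
!    outside interface address; this same pair serves normal internet traffic.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! 2. Crypto ACL is evaluated AFTER translation, so the source must be the
!    translated address. 'interface outside' (PIX 6.2+) names the outside IP.
access-list vpn2HQ permit ip interface outside 123.45.56.0 255.255.255.0

! 3. Let decrypted IPsec traffic bypass the interface ACLs.
sysopt connection permit-ipsec

! 4. Phase 2 (IPsec) proposal and crypto map bound to the outside interface.
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn2HQ
crypto map vpnmap 10 set peer 203.0.113.2
crypto map vpnmap 10 set transform-set vpnset
crypto map vpnmap interface outside

! 5. Phase 1 (ISAKMP) policy and pre-shared key for the peer.
isakmp enable outside
isakmp key ExampleKeyChangeMe address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

Two checks a practitioner should make. First, the remote peer's crypto ACL must mirror this one exactly, i.e. `permit ip 123.45.56.0 255.255.255.0 host <local outside IP>`: the remote side only ever sees the single PAT address, never 192.168.1.0/24. Second, because PAT is unidirectional, hosts on the remote LAN cannot open connections toward hosts on the local LAN; only the local side can initiate, which is exactly the "hiding" behaviour asked for in the original question. The 3DES/SHA-1/group 2 parameters reflect what PIX 6.x offered; on anything newer they should be replaced with AES, SHA-2 and a stronger DH group.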

Well, I'd recommend trying to stick to the rule of thumb and avoid NAT between networks connected via VPN.

Of course I see the point that changing the addresses of one network can be a bit of a problem but after a few days of pain and problems the problems are usually gone. With NAT and VPN other problems occur and will often last for quite a long time.

Wolfgang
