In article <>,
Saucy Levine <> wrote:
: We are trying to use an IPSEC tunnel to have an outside
:company access one of our host systems, but our local subnets are
:identical. What is the best way to allow the underlying systems to
:communicate? Can we publish an external address through our PIX and
:NAT the address to a different subnet or is there another way to make
:the inside address appear to be an external address?

NAT will be done for IPSec traffic unless you exempt it using
static or nat 0 (usually using nat 0 access-list). There should
not be any problem using "outside nat" to make them -appear- to be
at a different IP address.

As they will not be permitting you to make any new connections to them,
I would suggest using something like

  nat (outside) 1 192.168.123.0 255.255.255.0 outside
  global (inside) 1 10.168.123.1 netmask 255.255.255.0

to make -their- 192.168.123/24 appear to your network as 10.168.123.1/24.

If connections were being permitted in both directions, then 'static'
would be more appropriate.
--
Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec
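
The distinction the reply draws between nat/global and 'static' can be modelled in a few lines. This is an added example, not part of the original post and not PIX code: the function and class names are hypothetical, the 10.168.123.0/24 mapped range is taken from the reply, and the port allocation starting at 1024 is a constructed simplification.

```python
import ipaddress

def overlaps(a, b):
    """True when two sites use colliding address space (the poster's problem)."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))

def static_map(addr, real_net, mapped_net):
    """'static'-style net-to-net mapping: keep the host bits, swap the prefix.
    Stateless and reversible, so either side can open a connection."""
    real = ipaddress.ip_network(real_net)
    mapped = ipaddress.ip_network(mapped_net)
    ip = ipaddress.ip_address(addr)
    if real.prefixlen != mapped.prefixlen:
        raise ValueError("real and mapped networks must be the same size")
    if ip not in real:
        raise ValueError(f"{addr} is not in {real_net}")
    return str(mapped.network_address + (int(ip) - int(real.network_address)))

class SingleGlobal:
    """nat/global-style many-to-one translation behind one global address.
    An entry exists only after the translated side has sent a packet."""
    def __init__(self, real_net, global_ip, first_port=1024):
        self.real = ipaddress.ip_network(real_net)
        self.global_ip = global_ip
        self.next_port = first_port
        self.by_real, self.by_port = {}, {}

    def translate(self, src_ip, src_port):
        """Connection initiated from the translated network: build state."""
        if ipaddress.ip_address(src_ip) not in self.real:
            raise ValueError(f"{src_ip} is not in {self.real}")
        key = (src_ip, src_port)
        if key not in self.by_real:
            self.by_real[key] = self.next_port
            self.by_port[self.next_port] = key
            self.next_port += 1
        return (self.global_ip, self.by_real[key])

    def reverse(self, dst_port):
        """Packet arriving for the global address: None means no translation
        entry exists, so a new connection in this direction cannot be mapped."""
        return self.by_port.get(dst_port)

if __name__ == "__main__":
    print(overlaps("192.168.123.0/24", "192.168.123.0/24"))
    print(static_map("192.168.123.57", "192.168.123.0/24", "10.168.123.0/24"))
    pat = SingleGlobal("192.168.123.0/24", "10.168.123.1")
    print(pat.translate("192.168.123.57", 40000), pat.reverse(2000))
```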