Hi there,
we (R55) are in the process of setting up a site-to-site VPN with a
Cisco PIX. The far end is not managed by us. Problem: Internal
address range overlay - they already use some of the 10.x.x.x
addresses that we use. Usually I solve this by just natting and I
told them to source NAT our addresses to whatever he can deal with.
The other guy claims that this will not work because or encryption
domain does not include his NAT addresses and thus our gateway will
keep sending him IKE messages that we want to connect with 10.x.x.x
(or build the tunnel with 10.x). As a result, the tunnel would not
even come up because his end is not expecting 10.x but his NAT
addresses. No payload packets would flow into his end and he would
never be able to NAT anything.
I remember doing the same thing on my end without problems, e.g. I
natted someone elses addresses to my liking and the tunnels would
still come up.
I am not as much of an expert that I could exactly tell what hapens
in phase1 and phase2 to rule out what he claims, but I think he is
wrong?
If anyone could shed some light on this for me I'd greatly appreciate
it.
Thanks :)
Sascha
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
