Well, yes and no. Let's say that you use 10.0.0.0/8 and your partner also uses
10.0.0.0/8; then you have no choice but to NAT on both sides, such that you
NAT your side to 129.0.0.0/8 and the other side NATs to 130.0.0.0/8, in order
for this to work. Yes, NAT on Check Point is so much easier to configure than
on the Cisco PIX. Essentially you will see this on the PIX as:

access-list nat permit ip 10.0.0.0 255.0.0.0 129.0.0.0 255.0.0.0
static (inside,outside) 130.0.0.0 access-list nat

access-list vpn permit ip 130.0.0.0 255.0.0.0 129.0.0.0 255.0.0.0
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address vpn

(It's been a while since I worked with policy NAT, so you may have to check
the syntax.)

Yes, it will work. One thing to keep in mind: some applications will not work
with NAT, like Citrix, because the actual IP address is embedded inside the
payload, but other apps will work, so be aware of this.

Good luck

"Paolo Riviello www.paoloriviello.com" <[EMAIL PROTECTED]> wrote:

Sascha,
if they are unable to use NAT, you can NAT their overlapping IP addresses
yourself on your side of the tunnel...

--
Paolo Riviello

If men could get pregnant, abortion would be a sacrament. -H-

>From: Sascha Picchiantano 
>Reply-To: Mailing list for discussion of Firewall-1              
>
>To: [EMAIL PROTECTED]
>Subject: [FW-1] VPN between R55 and Cisco PIX
>Date: Fri, 13 Apr 2007 09:30:28 +0200
>
>Hi there,
>
>we (R55) are in the process of setting up a site-to-site VPN with a Cisco
>PIX. The far end is not managed by us. Problem: internal address range
>overlap - they already use some of the 10.x.x.x addresses that we use.
>Usually I solve this by just NATting, and I told them to source NAT our
>addresses to whatever he can deal with.
>
>The other guy claims that this will not work because our encryption domain
>does not include his NAT addresses and thus our gateway will keep sending
>him IKE messages that we want to connect with 10.x.x.x (or build the
>tunnel with 10.x). As a result, the tunnel would not even come up because
>his end is not expecting 10.x but his NAT addresses. No payload packets
>would flow into his end and he would never be able to NAT anything.
>
>I remember doing the same thing on my end without problems, e.g. I NATted
>someone else's addresses to my liking and the tunnels would still come up.
>
>I am not enough of an expert to tell exactly what happens in
>phase 1 and phase 2 to rule out what he claims, but I think he is wrong?
>
>If anyone could shed some light on this for me I'd greatly appreciate  it.
>
>Thanks :)
>
>Sascha
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to [EMAIL PROTECTED]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[EMAIL PROTECTED]
>=================================================


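As an added example (not code from the thread, from Check Point or from Cisco), the Python model below works through the arrangement the reply at the top describes: two sites that both use 10.0.0.0/8, each translating its own range before encryption, with the Phase 2 selectors (the Check Point encryption domain on one side, the PIX crypto ACL on the other) built from the translated ranges. Phase 1 only authenticates the two gateways; it is Quick Mode in Phase 2 that carries the proxy IDs, and those must be mirror images on both peers, which is why they have to name the NATted ranges rather than the real ones. The site names and sample addresses are constructed; 129.0.0.0/8 and 130.0.0.0/8 are the reply's placeholder values (they are public address space, so a real design should use ranges you control). The design check also flags the situation the original poster describes, where only one side translates and the other side's hosts would be handed a remote network identical to their own.

```python
"""Overlapping address space across a site-to-site VPN: who has to NAT,
and what the Phase 2 selectors must look like.

Added example; not code from the thread, Check Point or Cisco.  Both
sites use 10.0.0.0/8 (constructed, following the thread).  Each side
translates its real range to a distinct mapped range before encryption,
so the Phase 2 proxy IDs (Check Point encryption domain, PIX crypto ACL)
are built from the mapped ranges.  129.0.0.0/8 and 130.0.0.0/8 are the
thread's placeholder values; use ranges you control in production.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Site:
    name: str
    real: IPv4Network                     # addresses actually in use inside
    mapped: Optional[IPv4Network] = None  # post-NAT range; None = no NAT

    @property
    def visible(self) -> IPv4Network:
        """Range the far side sees for this site's hosts."""
        return self.real if self.mapped is None else self.mapped


def site(name: str, real: str, mapped: Optional[str] = None) -> Site:
    """Build a Site from prefix strings such as "10.0.0.0/8"."""
    return Site(name, ip_network(real), None if mapped is None else ip_network(mapped))


def crypto_acl(local: Site, remote: Site) -> tuple[str, str]:
    """(local, remote) selector this side announces in Quick Mode: the
    mapped ranges, because NAT is applied before the packet is encrypted."""
    return (str(local.visible), str(remote.visible))


def phase2_agrees(acl_a: tuple[str, str], acl_b: tuple[str, str]) -> bool:
    """Quick Mode only completes when the proxy IDs are mirror images:
    A's local is B's remote and A's remote is B's local."""
    return acl_a[0] == acl_b[1] and acl_a[1] == acl_b[0]


def design_problems(a: Site, b: Site) -> list[str]:
    """Checks worth running before touching either firewall."""
    problems = []
    for me, other in ((a, b), (b, a)):
        # A site cannot route to a remote range that is also its own range.
        if me.real.overlaps(other.visible):
            problems.append(f"{me.name}: remote range {other.visible} overlaps "
                            f"its own {me.real}; {other.name} must NAT")
        # A static network translation keeps host bits, so sizes must match.
        if me.mapped is not None and me.mapped.prefixlen != me.real.prefixlen:
            problems.append(f"{me.name}: real and mapped ranges differ in size")
    if a.visible.overlaps(b.visible):
        problems.append("the two mapped ranges overlap each other")
    return problems


def translate(addr: IPv4Address, real: IPv4Network, mapped: IPv4Network) -> IPv4Address:
    """Static network NAT: keep the host bits, swap the network bits."""
    offset = int(addr) - int(real.network_address)
    return IPv4Address(int(mapped.network_address) + offset)


def pix_outbound(src: str, dst: str, me: Site, peer: Site) -> tuple[bool, str, str]:
    """Trace one packet leaving the PIX side in the order the PIX applies
    things: policy NAT first, then the crypto map's match address ACL.
    Returns (encrypted, source on the wire, destination on the wire)."""
    s, d = ip_address(src), ip_address(dst)
    # access-list nat permit ip <real> <peer visible>; static ... access-list nat
    if me.mapped is not None and s in me.real and d in peer.visible:
        s = translate(s, me.real, me.mapped)
    # access-list vpn permit ip <my visible> <peer visible>
    encrypted = s in me.visible and d in peer.visible
    return encrypted, str(s), str(d)


if __name__ == "__main__":
    checkpoint = site("R55", "10.0.0.0/8", "129.0.0.0/8")
    pix = site("PIX", "10.0.0.0/8", "130.0.0.0/8")
    print(design_problems(checkpoint, pix))
    print(crypto_acl(pix, checkpoint), crypto_acl(checkpoint, pix),
          phase2_agrees(crypto_acl(pix, checkpoint), crypto_acl(checkpoint, pix)))
    print(pix_outbound("10.1.2.3", "129.1.2.3", pix, checkpoint))
    # Partner writes his crypto ACL against our real 10/8 instead of 129/8:
    print(phase2_agrees(("130.0.0.0/8", "10.0.0.0/8"), crypto_acl(checkpoint, pix)))
    # Only the Check Point side translates: its hosts would be given a
    # remote 10/8 that is their own network.
    print(design_problems(checkpoint, site("PIX", "10.0.0.0/8")))
```

Running the file prints the design check, the two selectors and their comparison, and the trace of one packet leaving the PIX side: the policy static rewrites the source to 130.1.2.3 before the crypto ACL is evaluated, so the selector the PIX proposes is 130.0.0.0/8 to 129.0.0.0/8, the reverse of what the Check Point side proposes. Handing phase2_agrees a partner crypto ACL written as 130/8 to 10/8 returns False, which is exactly the Phase 2 mismatch the partner worried about, and the reason the NATted range rather than 10/8 belongs in both encryption domains.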