Hi Sascha,

I think it is better if I can illustrate with an example:

FWa has internal network of 192.168.1.0/24.  FWa is a CP firewall
FWb has internal network of 192.168.2.0/24.  FWb is a CP firewall
FWc has internal network of 192.168.2.0/24.  FWc is a Pix firewall.

You have a site-to-site VPN between FWa and FWb.  No problem so far.  Now you
are trying to establish a site-to-site VPN between FWa and FWc.  Problem indeed.

Solution:

NAT the internal network of FWa from 192.168.1.0/24 to 10.1.1.0/24.  In other
words, in the encryption domain of FWa, you will have two networks:  
192.168.1.0/24 and 10.1.1.0/24.  When you define an Inter-Operable Device for
the Cisco Pix, you will have to include network 10.1.2.0/24 in the remote 
encryption domain.

In the address translation tab, do this:

source            dest            translate source    translate destination
192.168.1.0/24    10.1.2.0/24     10.1.1.0/24         original
10.1.2.0/24       10.1.1.0/24     original            192.168.1.0/24

On the Cisco Pix side, the reverse is true.  It is called policy NAT on the
Pix side.

In summary, from FWa, when you want to communicate with the network behind
the Cisco Pix, you will NAT the source to 10.1.1.0/24 and the destination will
be 10.1.2.0/24.  On the Pix side, the source will be 10.1.2.0/24 and the destination
will be 10.1.1.0/24.  NO IP address of 192.168.x.0/24 will exist anywhere inside
the VPN tunnel.

Hope that makes sense to you.

cisco4ng
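Added worked example (not part of cisco4ng's post or of any Check Point or Cisco code): a small Python model of the two translation tables above, so you can trace a packet from a host behind FWa to a host behind the Pix and back, and confirm that only 10.1.1.0/24 and 10.1.2.0/24 ever appear on the tunnel side. The Pix rule set is assumed to be the exact mirror of FWa's rules, as the post describes; the host addresses 192.168.1.10 and 192.168.2.20 are constructed for the trace.

```python
"""Double-NAT trace for overlapping VPN encryption domains.

Added example, not from the mailing-list post.  It models the address
translation rules described in the reply: FWa's inside 192.168.1.0/24 is
presented to the Pix as 10.1.1.0/24, and the Pix's inside 192.168.2.0/24
(which collides with FWb's range) is presented to FWa as 10.1.2.0/24.
The Pix rules are assumed to mirror FWa's ("policy NAT").  Host addresses
are constructed for the trace.
"""
import ipaddress

def net(s):
    return ipaddress.ip_network(s)

def addr(s):
    return ipaddress.ip_address(s)

def remap(ip, from_net, to_net):
    """Move ip to the same host offset inside another network (/24 -> /24)."""
    offset = int(ip) - int(from_net.network_address)
    return addr(int(to_net.network_address) + offset)

# Rules: (match src net, match dst net, translated src net, translated dst net)
# None means "original" (address left unchanged), as in the table above.
FWA_RULES = [
    (net("192.168.1.0/24"), net("10.1.2.0/24"), net("10.1.1.0/24"), None),
    (net("10.1.2.0/24"), net("10.1.1.0/24"), None, net("192.168.1.0/24")),
]
# Assumed mirror rules on the Pix: hide real inside 192.168.2.0/24 behind
# 10.1.2.0/24 and address FWa's hosts as 10.1.1.0/24.
PIX_RULES = [
    (net("192.168.2.0/24"), net("10.1.1.0/24"), net("10.1.2.0/24"), None),
    (net("10.1.1.0/24"), net("10.1.2.0/24"), None, net("192.168.2.0/24")),
]

def translate(rules, src, dst):
    """Apply the first rule whose src/dst match; otherwise no translation."""
    for s_net, d_net, xs, xd in rules:
        if src in s_net and dst in d_net:
            new_src = remap(src, s_net, xs) if xs else src
            new_dst = remap(dst, d_net, xd) if xd else dst
            return new_src, new_dst
    return src, dst

def send_through_tunnel(src, dst):
    """FWa host -> FWa NAT -> tunnel -> Pix NAT -> Pix host.
    Returns ((tunnel src, tunnel dst), (src seen by Pix host, Pix host))."""
    t_src, t_dst = translate(FWA_RULES, addr(src), addr(dst))
    p_src, p_dst = translate(PIX_RULES, t_src, t_dst)
    return (str(t_src), str(t_dst)), (str(p_src), str(p_dst))

def reply_through_tunnel(src, dst):
    """Pix host -> Pix NAT -> tunnel -> FWa NAT -> FWa host (reverse path)."""
    t_src, t_dst = translate(PIX_RULES, addr(src), addr(dst))
    a_src, a_dst = translate(FWA_RULES, t_src, t_dst)
    return (str(t_src), str(t_dst)), (str(a_src), str(a_dst))

def tunnel_is_clean(pair):
    """Encryption-domain check: no 192.168.x.0/24 address on the wire."""
    return not any(addr(ip) in net("192.168.0.0/16") for ip in pair)

if __name__ == "__main__":
    # Host behind FWa talks to the Pix-side host it knows as 10.1.2.20.
    tunnel, delivered = send_through_tunnel("192.168.1.10", "10.1.2.20")
    print("outbound: tunnel", tunnel, "-> delivered as", delivered,
          "clean:", tunnel_is_clean(tunnel))
    # The Pix host answers to the FWa host it knows as 10.1.1.10.
    tunnel, delivered = reply_through_tunnel("192.168.2.20", "10.1.1.10")
    print("reply:    tunnel", tunnel, "-> delivered as", delivered,
          "clean:", tunnel_is_clean(tunnel))
```

The trace shows why the Pix's interoperable-device object carries 10.1.2.0/24 rather than 192.168.2.0/24: the Pix only ever matches tunnel traffic against the translated pair, so the overlap with FWb's 192.168.2.0/24 never reaches the SA selection.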

Sascha Picchiantano <[EMAIL PROTECTED]> wrote:

Hi,

closely related to the other question I asked a couple of days ago, I  
was just thinking about how to configure a site-to-site VPN if the  
remote peer uses IP addresses that I already use in another VPN. I  
guess I could just NAT his address range to whatever I like and I can  
work with, but what I can't figure out is what I would put into the  
encryption domain of the remote end's gateway object. His original  
addresses or the NAT addresses I defined?

I figure that if I use the original addresses, it might not work  
because I already have these addresses in another encryption domain  
and VPN-1 could not decide which VPN to use...? But if I use the NAT  
addresses, wouldn't I see tons of "no valid SA" entries in my log  
because within the VPN tunnel the IP addresses are different than  
those in the enc domain...?

Confusing. Hope my thoughts make sense to you and you can give me  
some enlightenment :)

Cheers
Sascha

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
