VPN, NAT and Overlapping IP Space

Mar 27th, 2007

I need to create a VPN tunnel between Bus-A and Bus-B.

Bus-A has PIX506E running 6.3(5) that I admin

Bus-B has non-Cisco firewall (that I don't admin) and cannot NAT before IPSec

Bus-A has internal nets/routes same as Bus-B

Bus-A hosts on need to access hosts on Bus-B

Bus-A hosts on WILL NOT need to access hosts on Bus-B

How can I accommodate this on the PIX?



Jon Marshall Tue, 03/27/2007 - 06:26


You need to do two things.

1) You will need to NAT your source IP addresses.

So for example you have on your pix 506E

nat (inside) 1

global (outside) 1 interface

which NATs all traffic to the outside IP address of your pix.

This may not accurately reflect your NAT setup - you may need to modify.

2) You need to present the external hosts as different hosts within your network.

Do you know if there is a subset of the at the remote site you need to talk to ?

What you will need is a new subnet for site-A. Let's say you choose This subnet must be routable to the inside interface of your pix firewall.

On your pix you need to set up static translations for these addresses to the real addresses at the other end, i.e.

static (outside,inside) netmask

static (outside,inside) netmask


Now your users when they want to connect to at the remote site need to connect to You can setup DNS entries to make this easier for your users.
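The two steps above, written out as a PIX 6.3 configuration fragment. This is an added example, not the poster's or the answerer's configuration, and every address in it is constructed for illustration: both sites are assumed to use 10.1.1.0/24 (the overlap), the PIX outside interface is assumed to be 203.0.113.1, the new "shadow" subnet chosen for site-A is assumed to be 192.168.250.0/24, the remote peer is assumed to be 198.51.100.1, and the two remote hosts that site-A users must reach are assumed to be 10.1.1.10 and 10.1.1.20. The crypto ACL is written against the translated addresses because the PIX applies NAT before it matches traffic to the crypto map; verify that ordering against the documentation for your own software level before relying on it.

```cisco
! --- Step 1: source NAT inside hosts to the outside interface address (PAT)
! Site-A hosts therefore appear at Bus-B as 203.0.113.1, which does not
! collide with Bus-B's own 10.1.1.0/24. (Adjust if you already have other
! nat/global statements; this assumes id 1 is free.)
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! --- Step 2: present the remote (real) hosts under the shadow subnet.
! static (outside,inside) <address seen by site-A users> <real remote address>
! Users at site-A connect to 192.168.250.10 and reach 10.1.1.10 at Bus-B.
static (outside,inside) 192.168.250.10 10.1.1.10 netmask 255.255.255.255
static (outside,inside) 192.168.250.20 10.1.1.20 netmask 255.255.255.255

! --- Crypto ACL: matched AFTER translation, so source is the PAT address and
! destination is the real remote host. Bus-B's side mirrors this ACL.
access-list VPN-TRAFFIC permit ip host 203.0.113.1 host 10.1.1.10
access-list VPN-TRAFFIC permit ip host 203.0.113.1 host 10.1.1.20

! --- IPsec phase 1/2 (constructed values; match them to what Bus-B offers)
isakmp enable outside
isakmp key PLACEHOLDER-PRESHARED-KEY address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set BUS-B-SET esp-3des esp-sha-hmac
crypto map BUS-B-MAP 10 ipsec-isakmp
crypto map BUS-B-MAP 10 match address VPN-TRAFFIC
crypto map BUS-B-MAP 10 set peer 198.51.100.1
crypto map BUS-B-MAP 10 set transform-set BUS-B-SET
crypto map BUS-B-MAP interface outside
sysopt connection permit-ipsec
```

Two points worth checking once this is in place: `show xlate` should show the inside host translated to 203.0.113.1 and the 192.168.250.x destination rewritten to 10.1.1.x, and `show crypto ipsec sa` should show the SA selectors as 203.0.113.1 to 10.1.1.10/20 rather than anything in the shadow subnet. Because the ACL names only the two remote hosts, a site-A host that tries to reach any other 10.1.1.x address simply stays on the local LAN, which is the intended behaviour for the hosts that must not cross the tunnel.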



