I have a client with a PIX running 6.3 code.
They need to establish an IPSec Tunnel to one of their clients that has a Checkpoint firewall.
Both organizations are using 10.1.0.0 /16 and would like to nat the home office to 10.180.0.0 /16 and the remote client to 10.181.0.0.
The document on the Cisco website showing the PIX and the VPN Concentrator is less than helpful. I don't believe the text describing the picture is correct.
Any help with the ACLs, and static NATs are greatly appreciated.
Apologies, should have asked. Which office has the PIX and which the Checkpoint? I'll write this out as though both ends were PIX firewalls if that is alright and we can see if that helps.
access-list NAT permit ip 10.1.0.0 255.255.255.0 host 10.180.1.103
nat (inside) 3 access-list NAT
global (outside) 3 10.181.0.0 netmask 255.255.0.0
NOTE: You could just NAT all the source 10.1.x.x address to one global IP address rather than the whole 10.181.0.0/16, up to you really.
Your crypto map access-list then needs to reference the Natted 10.181.x.x addressing rather than the 10.1.0.0 addressing.
access-list vpntraffic permit ip 10.181.0.0 255.255.0.0 host 10.180.1.103
crypto access-list should read
access-list vpntraffic permit ip host 10.180.1.103 10.181.0.0 255.255.0.0
And you will need a static translation for the inside client
static (inside,outside) 10.180.1.103 10.1.1.103 netmask 255.255.255.255
Does this help?
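A consistency check for the two crypto access-lists and the static mapping quoted in this thread, added here as an example and not part of either post. The function names (`parse_acl`, `check_crypto_acls`, `translate`) are hypothetical, and the parser assumes only the `host A` and `network mask` address forms used above.

```python
import ipaddress

# Real inside range used at both sites, per the thread.
REAL_INSIDE = ipaddress.ip_network("10.1.0.0/16")

def parse_acl(line):
    """Parse 'access-list NAME permit ip SRC DST' into (src, dst) networks."""
    tok = line.split()
    if len(tok) != 8 or tok[0] != "access-list" or tok[2:4] != ["permit", "ip"]:
        raise ValueError("unsupported ACL line: " + line)
    nets = []
    for kind, value in (tok[4:6], tok[6:8]):
        if kind == "host":
            nets.append(ipaddress.ip_network(value + "/32"))
        else:  # "network mask" form
            nets.append(ipaddress.ip_network(kind + "/" + value))
    return nets[0], nets[1]

def check_crypto_acls(local_line, peer_line):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    l_src, l_dst = parse_acl(local_line)
    p_src, p_dst = parse_acl(peer_line)
    # Each end must describe the same traffic with source and destination swapped.
    if (l_src, l_dst) != (p_dst, p_src):
        problems.append("crypto ACLs are not mirror images")
    # Interesting traffic must be matched on translated addresses only.
    for label, net in (("local src", l_src), ("local dst", l_dst),
                       ("peer src", p_src), ("peer dst", p_dst)):
        if net.overlaps(REAL_INSIDE):
            problems.append(f"{label} {net} is inside the overlapping real range")
    return problems

def translate(real_ip, real_net, mapped_net):
    """Map a host 1:1 from real_net into mapped_net, keeping the host bits."""
    real_net = ipaddress.ip_network(real_net)
    mapped_net = ipaddress.ip_network(mapped_net)
    ip = ipaddress.ip_address(real_ip)
    if ip not in real_net or real_net.prefixlen != mapped_net.prefixlen:
        raise ValueError("address or prefix length does not fit the mapping")
    return str(mapped_net.network_address + (int(ip) - int(real_net.network_address)))

if __name__ == "__main__":
    # The two crypto ACL lines from the reply above.
    a = "access-list vpntraffic permit ip 10.181.0.0 255.255.0.0 host 10.180.1.103"
    b = "access-list vpntraffic permit ip host 10.180.1.103 10.181.0.0 255.255.0.0"
    print(check_crypto_acls(a, b))
    print(translate("10.1.1.103", "10.1.0.0/16", "10.180.0.0/16"))
```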