Pix NAT before IPSec?

dennylester
Level 1

I need to setup a LAN to LAN tunnel between my Pix515e 6.3(4) and an unknown remote Cisco device. The network admin at our parent company in France will be setting up their end, which is the unknown device.

Currently the PIX performs NAT between our private internal addresses to our Public external address.

For this IPSec tunnel, I need our PIX to NAT one private /24 subnet to another private /24 subnet before IPSec.

For example,

Say I have an internal subnet, 192.168.0.x. When traffic needs to go to France (10.40.1.x) via an IPSec tunnel, I want our Pix to NAT 192.168.0.x to 10.40.2.x prior to sending it through IPSec.

A) Is this possible?

B) What would my IPSEC ACL look like for interesting traffic? Would it be 10.40.2.x to 10.40.1.x?

We are trying to work around an overlapping subnet issue. The France side already has an IPSec tunnel to a location that overlaps with us.

I thought I read somewhere that IPSec happens before NAT, which would indicate the ACL would need to be 192.168.0.x to 10.40.1.x. This might be an issue on the France side if they already have an ACL to 192.168.0.x.

I sure hope this makes sense.

Denny

Accepted Solution

Jon Marshall
Hall of Fame

Denny

Policy NAT bit first

access-list PNAT permit ip 192.168.0.0 255.255.255.0 10.40.1.0 255.255.255.0

nat (inside) 3 access-list PNAT

global (outside) 3 10.40.2.1-10.40.2.254 netmask 255.255.255.0

The above will NAT your LAN ip addresses to 10.40.2.x only when the traffic destination is 10.40.1.x. I used 3 as the nat and global id - choose one not in use on your firewall.

Your crypto map access-list for interesting traffic should be

access-list VPNTRAFFIC permit ip 10.40.2.0 255.255.255.0 10.40.1.0 255.255.255.0

HTH

Jon

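The two fragments in the accepted answer, placed into a complete PIX 6.3(4) LAN-to-LAN configuration. This is an added example for this page, not something posted in the thread. The PNAT and VPNTRAFFIC access-lists and the nat/global 3 pair are Jon's; the peer address 203.0.113.1, the pre-shared key, the transform set, the crypto map name OUTSIDE_MAP, the ISAKMP policy values and the existing nat/global 1 lines are assumptions for illustration and must be matched to whatever the French admin configures. The point the example makes explicit: on the PIX an outbound packet is translated first and the crypto map's match address ACL is then evaluated against the translated source, so VPNTRAFFIC names 10.40.2.0/24, never 192.168.0.0/24.

```cisco
! --- Existing translation for ordinary Internet traffic (assumed to be present already) ---
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! --- Policy NAT (Jon's lines): 192.168.0.0/24 becomes 10.40.2.0/24 only when the
!     destination is the French LAN 10.40.1.0/24. A nat statement that references an
!     access-list is evaluated before the general nat 1 line above, so France-bound
!     traffic gets these translations and everything else still uses nat/global 1.
access-list PNAT permit ip 192.168.0.0 255.255.255.0 10.40.1.0 255.255.255.0
nat (inside) 3 access-list PNAT
global (outside) 3 10.40.2.1-10.40.2.254 netmask 255.255.255.0

! --- Interesting traffic (Jon's line), written with the POST-NAT source.
!     The French crypto ACL must be the exact mirror: 10.40.1.0/24 -> 10.40.2.0/24,
!     and France must route 10.40.2.0/24 into the tunnel, not 192.168.0.0/24.
access-list VPNTRAFFIC permit ip 10.40.2.0 255.255.255.0 10.40.1.0 255.255.255.0

! --- IKE phase 1 (peer address, key and proposal are assumed values) ---
isakmp enable outside
isakmp key ******** address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! --- IPsec phase 2 (transform set and map name are assumed values) ---
crypto ipsec transform-set FR-SET esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 ipsec-isakmp
crypto map OUTSIDE_MAP 10 match address VPNTRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set FR-SET
crypto map OUTSIDE_MAP interface outside

! Let decrypted tunnel traffic bypass the access-list applied to the outside interface.
sysopt connection permit-ipsec
```

Two caveats a practitioner will want. First, nat/global 3 is dynamic policy NAT: translations are created only for connections initiated from the inside, so French hosts cannot open connections to 10.40.2.x. If that is required, replace the nat/global 3 pair with static policy NAT (on 6.3 the form is static (inside,outside) 10.40.2.0 access-list PNAT; verify the exact syntax for a whole /24 on your release before relying on it), which also gives each host a fixed one-to-one mapping. Second, 10.40.2.0/24 has to be unused everywhere the French side routes, otherwise you have simply moved the overlap. To verify after bringing the tunnel up, generate traffic from a 192.168.0.x host to 10.40.1.x and check that show xlate lists a 192.168.0.x to 10.40.2.x entry, that show crypto isakmp sa shows the peer in QM_IDLE, and that the packet counters in show crypto ipsec sa for the 10.40.2.0/24 to 10.40.1.0/24 proxy identities increase.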

2 Replies


That is exactly what I was looking for.

Thank you,

Denny.