I've got several sites with IPSEC tunnels built between PIX firewalls to encrypt/sign the traffic moving between the "inside" networks on those firewalls. These sites use identity NAT, where every inside address is directly NATed to the same address on the outside, i.e. STATIC (inside, outside) 10.164.4.0 10.164.24.0 netmask 255.255.255.0.
But I've just added a new site where things are different. The WAN link terminates on the inside of the firewall, and there are hosts on the outside we want to reach. These remote hosts are statically NATed to inside addresses, and our inside interfaces are dynamically NATed to an outside address, i.e.
static (outside, inside) 172.26.14.36 10.164.2.100 netmask 255.255.255.255
global (outside) 15 172.26.14.15 netmask 255.255.255.255
nat (inside) 15 0.0.0.0 0.0.0.0
Can I define an IPSEC tunnel that terminates on the inside interface that carries traffic to/from an address on the same subnet as the interface?
The attached diagram may make this clearer.
Assuming this is possible, I would think on the "local" PIX firewall I could create an ACL to define the interesting traffic:
access-list newsite-vpn permit ip 10.75.34.0 255.255.255.0 host 10.164.2.100
and use it for VPN.
On the "remote" firewall, would the access-list look like this?
access-list newsite-vpn permit ip host 10.164.2.100 10.75.34.0 255.255.255.0
I'm just not clear on where in the "flow" the IPSEC tunnel handling is. I'm assuming it's between the interface and any NATing and access rules.
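The following is an added example, not part of the original post: a small Python model of the "remote" PIX described above, built from the static translation and the proposed crypto ACL in the question. It assumes (this is an assumption, not something the post states) that the PIX applies NAT before evaluating the crypto map ACL, so the ACL is matched against the translated, inside-side address.

```python
import ipaddress

# Constructed model of the "remote" PIX from the question. Assumption not
# stated in the post: NAT is applied before the crypto ACL is evaluated,
# so the ACL must name the translated (inside-side) address of the host.

STATIC = {"172.26.14.36": "10.164.2.100"}           # static (outside,inside): real -> mapped
CRYPTO_ACL = [("10.164.2.100/32", "10.75.34.0/24")]  # access-list newsite-vpn (remote side)


def _matches(acl, src, dst):
    """True if (src, dst) falls inside any (source, destination) pair of the ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
               for a, b in acl)


def outbound(src, dst):
    """Packet from an outside host heading to the far site via the inside interface.

    Returns the translated source and whether the crypto map would encrypt it.
    """
    mapped = STATIC.get(src, src)                  # static translation happens first
    return mapped, _matches(CRYPTO_ACL, mapped, dst)


def inbound(src, dst):
    """Decrypted packet arriving on the inside interface from the far site.

    Returns whether the mirrored ACL accepts it and the real outside destination
    after the static translation is reversed.
    """
    mirrored = [(d, s) for s, d in CRYPTO_ACL]     # far side's ACL is the mirror image
    accepted = _matches(mirrored, src, dst)
    real = next((r for r, m in STATIC.items() if m == dst), dst)
    return accepted, real


if __name__ == "__main__":
    print(outbound("172.26.14.36", "10.75.34.10"))  # ('10.164.2.100', True)
    print(outbound("172.26.14.40", "10.75.34.10"))  # no static entry -> not interesting
    print(inbound("10.75.34.10", "10.164.2.100"))   # (True, '172.26.14.36')
```

Under that assumption the remote-side ACL written with the mapped address 10.164.2.100 matches, while an ACL naming the real address 172.26.14.36 would never see matching traffic.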