Configuring an IPSec Tunnel Between Router and PIX w/Duplicate LAN Subnets

Unanswered Question
Feb 8th, 2006

As in title,

I need to make a site-to-site VPN between a PIX and a router with duplicated subnets.

Pix as inside has a and it already manages 2 site-to-site VPNs, one with another PIX (that has inside and the second one with another PIX (that has inside Now I need to add another site-to-site VPN with Cisco IOS (that has "inside"

Any suggestion, example or link?


mheusinger Wed, 02/08/2006 - 06:01


What you need to do is perform NAT before the IPSec tunnel and translate the second to some other network not yet used on the PIX, e.g. The NAT configuration on the router would look like this:

crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
 lifetime 300

crypto isakmp key MyKey address

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto map mymap local-address Serial0/0
crypto map mymap 10 ipsec-isakmp
 set peer
 set security-association lifetime seconds 180
 set transform-set myset
 match address 110

interface Ethernet0/0
 ip address
 ip nat inside

interface Serial0/0
 ip address
 crypto map mymap
 ip nat outside

ip nat pool NATforTunnel netmask
ip nat inside source list 110 pool NATforTunnel

access-list 110 remark NAT-list
access-list 110 permit ip

Extend the ACL 110 to your needs and adjust the IPSec stuff and IP addresses to your environment.

Hope this helps! Please rate all posts.

Regards, Martin
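
Added example (not part of the original thread or of any poster's configuration): a small Python planner for the step described above, checking whether the new site's LAN collides with networks the PIX already knows and picking a same-size translated network that is not yet used. All addresses are constructed, since the thread's own addresses did not survive; the function names are hypothetical.

```python
import ipaddress

def find_overlaps(new_site, existing):
    """Return the existing networks that collide with new_site (full or partial)."""
    new_net = ipaddress.ip_network(new_site)
    return [n for n in map(ipaddress.ip_network, existing) if n.overlaps(new_net)]

def pick_translated_net(new_site, in_use, candidates):
    """Choose a block the same size as new_site that overlaps nothing in use."""
    new_net = ipaddress.ip_network(new_site)
    used = [ipaddress.ip_network(n) for n in in_use]
    for block in map(ipaddress.ip_network, candidates):
        if block.prefixlen > new_net.prefixlen:
            continue  # candidate range is smaller than the LAN to translate
        for sub in block.subnets(new_prefix=new_net.prefixlen):
            if not any(sub.overlaps(u) for u in used):
                return sub
    raise ValueError("no free block of the required size in the candidates")

def plan_tunnel(new_site, pix_networks, candidates):
    """Decide whether NAT before IPSec is needed and what the PIX should see.

    Because the router translates before encrypting, the PIX side must treat
    the translated network, not the real LAN, as the remote network.
    """
    clashes = find_overlaps(new_site, pix_networks)
    if not clashes:
        return {"nat_needed": False, "clashes": [],
                "pix_sees": ipaddress.ip_network(new_site)}
    nat_net = pick_translated_net(new_site, pix_networks, candidates)
    return {"nat_needed": True, "clashes": clashes, "pix_sees": nat_net}

# Constructed sample data (assumptions, not taken from the thread):
PIX_NETWORKS = [
    "192.168.0.0/24",  # constructed: a DMZ behind the PIX
    "192.168.1.0/24",  # constructed: PIX inside
    "192.168.2.0/24",  # constructed: first existing VPN peer
    "192.168.3.0/24",  # constructed: second existing VPN peer
]
NEW_ROUTER_LAN = "192.168.1.0/24"   # constructed: duplicates the PIX inside
NAT_CANDIDATES = ["192.168.0.0/21"]  # constructed: range reserved for translations

if __name__ == "__main__":
    plan = plan_tunnel(NEW_ROUTER_LAN, PIX_NETWORKS, NAT_CANDIDATES)
    print("NAT needed:", plan["nat_needed"])
    print("collides with:", [str(n) for n in plan["clashes"]])
    print("network to use in the NAT pool and on the PIX side:", plan["pix_sees"])
```
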

UNIKAPERUGIA Wed, 02/08/2006 - 07:33

Perfect, can you make me an example on the PIX side?

Thanks ;)

Ranbeckycr_2 Tue, 05/24/2011 - 08:46


Thanks for this post. Quick question: this example is to configure the router on my location, NOT the remote location, right?

