Firewall-1

Re: [FW-1] VPN between R55 and Cisco PIX

Subject: Re: [FW-1] VPN between R55 and Cisco PIX
From: "Paolo Riviello www.paoloriviello.com" <pao_rivi AT HOTMAIL DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Fri, 13 Apr 2007 09:46:15 +0200
Sascha,
if they are unable to use NAT, you can NAT their overlapping IP address by yourself on your side of the tunnel...





--

Paolo Riviello



If men could get pregnant, abortion would be a sacrament. -H-





From: Sascha Picchiantano <sascha AT PICCHIANTANO DOT DE>
Reply-To: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] VPN between R55 and Cisco PIX
Date: Fri, 13 Apr 2007 09:30:28 +0200

Hi there,

we (R55) are in the process of setting up a site-to-site VPN with a Cisco PIX. The far end is not managed by us. Problem: Internal address range overlay - they already use some of the 10.x.x.x addresses that we use. Usually I solve this by just natting and I told them to source NAT our addresses to whatever he can deal with.

The other guy claims that this will not work because our encryption domain does not include his NAT addresses and thus our gateway will keep sending him IKE messages that we want to connect with 10.x.x.x (or build the tunnel with 10.x). As a result, the tunnel would not even come up because his end is not expecting 10.x but his NAT addresses. No payload packets would flow into his end and he would never be able to NAT anything.

I remember doing the same thing on my end without problems, e.g. I natted someone else's addresses to my liking and the tunnels would still come up.

I am not as much of an expert that I could exactly tell what happens in phase1 and phase2 to rule out what he claims, but I think he is wrong?

If anyone could shed some light on this for me I'd greatly appreciate it.

Thanks :)

Sascha

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
