01-24-2008 03:07 AM - edited 03-09-2019 07:56 PM
Hi all.
Has anyone successfully configured a LAN-to-LAN between two PIXes, both with a private address on the outside, statically NATed on the ISP router?
Pix1----R1-----Internet-----R2----Pix2
Pix1 has IP add 10.1.1.1, on R1 there's a nat rule like
ip nat inside source static 10.1.1.1 88.10.1.1
Pix2 has IP add 10.2.2.1, on R2 there's a nat rule like
ip nat inside source static 10.2.2.1 89.20.1.1
Until now I've always used static IPs configured on the outside interfaces, or one PIX with a static IP and the other configured as an Easy VPN client in network-extension mode.
In this case I don't have any public IP, except the one on the router.
Thanks
Daniele
01-24-2008 06:53 AM
Assuming that you want to encrypt the LANs behind the PIXes, this should work as long as the IPsec peers are 88.10.1.1 and 89.20.1.1 and you are not blocking UDP port 500 and IP protocol 50 on the router and PIX.
Regards,
Arul
** Please rate helpful posts **
01-24-2008 08:17 AM
Thanks for your reply.
I thought that could be a problem, because the PIX uses its true IP (private IP) to encrypt, and the encrypted packet is modified in transit by the NAT device.
Is it not a problem?
01-24-2008 08:42 AM
Pix1----R1-----Internet-----R2----Pix2
Pix1 has IP add 10.1.1.1, on R1 there's a nat rule like
ip nat inside source static 10.1.1.1 88.10.1.1
Pix2 has IP add 10.2.2.1, on R2 there's a nat rule like
ip nat inside source static 10.2.2.1 89.20.1.1
In the above scenario, let's say the LAN 1 behind PIX 1 is 192.168.1.0/24 and the LAN 2 behind PIX 2 is 192.168.2.0/24, and you want to encrypt the traffic between LAN1 and LAN2 using PIX 1 and PIX 2.
Traffic Flow from Pix 1 to Pix 2
Now, the source and destination IP addresses, 192.168.1.0/24 and 192.168.2.0/24, will be encrypted, but the encrypted packet's source IP will be 10.1.1.1 and its destination IP will be 89.20.1.1. When this packet hits R1, the router will translate the source IP of the packet to 88.10.1.1.
Traffic Flow from Pix 2 to Pix 1
Now, the source and destination IP addresses, 192.168.2.0/24 and 192.168.1.0/24, will be encrypted, but the encrypted packet's source IP will be 10.2.2.1 and its destination IP will be 88.10.1.1. When this packet hits R2, the router will translate the source IP of the packet to 89.20.1.1.
So, I don't see an issue with this configuration.
Regards,
Arul
** Please rate helpful posts **
01-25-2008 07:38 AM
Make sure NAT-T is enabled:
crypto isakmp nat-traversal
Also, allow UDP/4500 to each PIX from the other PIX's public IP.
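As an added example (mine, not code from the thread or from Cisco), the Python below simulates the two points the answers above rely on: the ESP integrity check covers the SPI, sequence number and ciphertext but not the outer IP header, so R1 rewriting 10.1.1.1 to 88.10.1.1 does not break the packet (it would break AH, whose ICV does cover the header); and the IKE NAT-D exchange (RFC 3947) lets each peer notice that the address it observes differs from the address its peer hashed, which is what makes the peers move from UDP/500 to UDP/4500 as the last reply recommends. The addresses are the ones from the thread; the key, cookies, SPI and payload are constructed for the demo, and the packet formats are simplified (no AH header, no checksums). One thing the example does not cover and that is worth checking on the real boxes: with the default `isakmp identity address`, each PIX still sends its private outside address as its IKE identity, so the peer's pre-shared-key and identity configuration has to accept that.

```python
"""
Simulates ESP vs AH under a static NAT, and IKE NAT-D detection.
Added example, not from the thread; all packets and keys are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"  # hypothetical integrity key shared by both PIXes
ICV_LEN = 16                    # truncated HMAC, as real ESP/AH transforms do


def ip_header(src, dst, proto):
    # Minimal IPv4 header; checksum is left 0 (mutable, never covered by AH anyway).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def esp_packet(src, dst, spi, seq, ciphertext):
    # ESP (IP protocol 50): ICV covers SPI + seq + payload, NOT the outer header.
    esp = struct.pack("!II", spi, seq) + ciphertext
    icv = hmac.new(KEY, esp, hashlib.sha256).digest()[:ICV_LEN]
    return ip_header(src, dst, 50) + esp + icv


def esp_verify(pkt):
    esp, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    expect = hmac.new(KEY, esp, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(expect, icv)


def ah_packet(src, dst, payload):
    # AH (IP protocol 51, simplified): ICV covers the IP header as well.
    hdr = ip_header(src, dst, 51)
    icv = hmac.new(KEY, hdr + payload, hashlib.sha256).digest()[:ICV_LEN]
    return hdr + payload + icv


def ah_verify(pkt):
    hdr, payload, icv = pkt[:20], pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    expect = hmac.new(KEY, hdr + payload, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(expect, icv)


def static_nat(pkt, inside, outside):
    # R1's "ip nat inside source static 10.1.1.1 88.10.1.1": rewrite outer source only.
    if str(ipaddress.IPv4Address(pkt[12:16])) == inside:
        return pkt[:12] + ipaddress.IPv4Address(outside).packed + pkt[16:]
    return pkt


def nat_d(cky_i, cky_r, ip, port):
    # RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port). SHA-1 chosen for the demo.
    data = cky_i + cky_r + ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def nat_detected(cky_i, cky_r, claimed_ip, claimed_port, seen_ip, seen_port):
    # Receiver hashes the source address it actually saw and compares with the
    # peer's NAT-D payload; a mismatch means a NAT sits between the peers.
    return nat_d(cky_i, cky_r, claimed_ip, claimed_port) != \
        nat_d(cky_i, cky_r, seen_ip, seen_port)


def demo():
    pix1, r1_public, pix2_public = "10.1.1.1", "88.10.1.1", "89.20.1.1"
    ct = b"constructed ciphertext for 192.168.1.0/24 -> 192.168.2.0/24"
    esp_after_nat = static_nat(esp_packet(pix1, pix2_public, 0x1234, 1, ct), pix1, r1_public)
    ah_after_nat = static_nat(ah_packet(pix1, pix2_public, ct), pix1, r1_public)
    cky_i, cky_r = b"\x01" * 8, b"\x02" * 8  # constructed ISAKMP cookies
    # PIX1 hashes its own (private) address; PIX2 saw the packet arrive from R1's public one.
    nat = nat_detected(cky_i, cky_r, pix1, 500, r1_public, 500)
    return {
        "esp_ok_after_nat": esp_verify(esp_after_nat),   # True: outer header not covered
        "ah_ok_after_nat": ah_verify(ah_after_nat),      # False: header rewrite breaks ICV
        "nat_between_peers": nat,                        # True: NAT-D hashes differ
        "ike_port": 4500 if nat else 500,                # peers float to UDP/4500
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the ESP packet still verifies after R1 rewrote the source, the AH packet does not, and the NAT-D comparison reports a NAT, which is why the last reply asks for UDP/4500 to be permitted in addition to UDP/500 and protocol 50.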