Hub and Spoke VPN

rajeev.gupta
Level 1

I need to implement 3 VPN tunnels back to my office. My main problem is two of the sites are using same IP schema.

My office is 192.168.240.x /24

Site 1 is 10.1.1.x /24

Site 2 is 172.16.1.x /24

Site 3 is 10.1.1.x /24

I know how to create a vpn tunnel to Site 1 and 2. But I am not sure how to add Site 3 into the picture.

I also need to make sure that no one can ride my vpn tunnel from site one site to another site.

Any and all help is greatly appreciated.

Thanks a million in advance.

-Rajeev

9 Replies

Shawn Lebbon
Level 1

Easiest and best plan in the long run is to change one of the site's network ranges, or split them in half (site 1 uses 10.1.1.0/25 and site 3 uses 10.1.1.128/25).

Otherwise you'd have to set up some sort of bridging rather than routing between the sites, which increases the broadcast domain to travel over the WAN. This is undesirable at best.

I will not be able to change the IP address at any site because they are separate clients, and are in full production.

danielmassey
Level 1

Rajeev, can you please tell us what VPN device you are using, VPN Concentrator or PIX Firewall?

Rajeev

I agree that it will be helpful to know what kind of devices you are working with. Some of the alternatives would depend on which platform you are using.

I assume that the addresses you have given are the inside addresses of the remotes. What are the outside addresses? Are the remote sites doing any address translation? It seems to me that if site 1 and site 3 are using the same addressing scheme for their inside networks, that your solution will be to do some kind of address translation for one of the sites as it enters the central network.

The alternatives for preventing one remote site from communicating with another remote site will depend on what platform is being used for VPN.

HTH

Rick

All the clients have real IP address on the outside interfaces... they are doing some NAT on web servers.

Thanks for all the help...

Rajeev

So long as each client has a unique (real) IP address on the outside interface then setting up IPSec can be done without much difficulty. You peer to the unique IP address.

What will make implementing this difficult is a routing issue. If you have a packet with destination address 10.1.1.4 which VPN tunnel should it go through? I do not know of a way to solve this other than through some Network Address translation. I think that the optimum solution would be to get one of the clients to translate addresses on traffic that they send to you.

HTH

Rick

Sites 1 and 3 have a PIX 515E 6.3

Site 2 has a Cisco 871 12...

In my office I have a PIX 515E 6.3

You really will have to seriously consider assisting one site in changing their network's address ranges.

Until that occurs you could use some sort of 1-1 NAT strategy on one of the sites, but you'll have to set up maps for EACH and EVERY machine, and you'll have to do them all statically, if you want to be able to reliably get to certain machines--no using a pool of 255 addresses mapping to the network segment.

I'd implement this on one site, and look at migrating them over. If they're using DHCP it's not super difficult, just set up the new range one night, and switch it over. In the morning they all change. Then you can take care of any servers. Of course if they have any programs, or scripts with IPs defined rather than DNS names, it might be a bit more work, but really an unavoidable result of tying disparate networks together.

You can install another router on site 1 or site 3 to do another NAT.

e.g.

from site1 lan <--> pix515e <--> vpn/www <--> your office

to site1 lan <--> router <--> pix515e <--> vpn/www <--> your office

The router can NAT the original 10.1.1.x to 10.1.2.x, so from your office's point of view the remote peer net is 10.1.2.x, not 10.1.1.x. Also, you don't have to change the site 1 net scheme.
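To make the extra-router approach concrete, here is an added example configuration; it is not from any poster in this thread and has not been taken from the devices described. It shows the NAT router inserted between the Site 1 LAN and the Site 1 PIX translating the whole 10.1.1.0/24 block to 10.1.2.0/24 with a single network static entry (host part preserved, so no per-host map is needed), and the matching crypto ACLs on the office PIX 6.3 hub, where Site 1 is now 10.1.2.0/24 and Site 3 keeps 10.1.1.0/24. That is what resolves Rick's routing question: a packet for 10.1.1.4 belongs only to the Site 3 tunnel, and a packet for 10.1.2.4 only to the Site 1 tunnel. Interface names, the transit subnet 10.1.3.0/30, the 10.1.2.0/24 block, the ACL and crypto map names, and the peer addresses are assumptions.

```cisco
! ===== Assumed NAT router at Site 1 (IOS), between the Site 1 LAN and the Site 1 PIX =====
! Hypothetical interface names and a hypothetical transit subnet 10.1.3.0/30.
interface FastEthernet0
 description Site 1 LAN - real addressing stays 10.1.1.0/24, nothing changes on the hosts
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet1
 description Transit link to the inside interface of the Site 1 PIX
 ip address 10.1.3.1 255.255.255.252
 ip nat outside
!
! One 1:1 translation for the whole /24: 10.1.1.x <-> 10.1.2.x, host part preserved.
! 10.1.1.4 is therefore always reachable from the office as 10.1.2.4.
ip nat inside source static network 10.1.1.0 10.1.2.0 /24
!
! Everything else goes to the PIX; the PIX must route 10.1.2.0/24 back to 10.1.3.1
ip route 0.0.0.0 0.0.0.0 10.1.3.2
!
! ===== Office PIX 515E 6.3 (hub): one crypto ACL per spoke =====
! Each ACL names only office <-> that spoke. No ACL covers spoke <-> spoke traffic,
! so nothing from one client site is ever selected into another client's tunnel.
access-list vpn-site1 permit ip 192.168.240.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list vpn-site2 permit ip 192.168.240.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list vpn-site3 permit ip 192.168.240.0 255.255.255.0 10.1.1.0 255.255.255.0
!
! Exempt tunnel traffic from the hub's own NAT (assumed ACL name)
access-list nonat permit ip 192.168.240.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list nonat permit ip 192.168.240.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat permit ip 192.168.240.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! One crypto map entry per peer; SITE1_PUBLIC_IP etc. are placeholders for the
! clients' real outside addresses, which are not given in the thread.
crypto map officemap 10 ipsec-isakmp
crypto map officemap 10 match address vpn-site1
crypto map officemap 10 set peer SITE1_PUBLIC_IP
crypto map officemap 10 set transform-set strong
crypto map officemap 20 ipsec-isakmp
crypto map officemap 20 match address vpn-site2
crypto map officemap 20 set peer SITE2_PUBLIC_IP
crypto map officemap 20 set transform-set strong
crypto map officemap 30 ipsec-isakmp
crypto map officemap 30 match address vpn-site3
crypto map officemap 30 set peer SITE3_PUBLIC_IP
crypto map officemap 30 set transform-set strong
```

Two things have to line up on the Site 1 PIX for this to work: its crypto ACL and NAT exemption must describe the local network as 10.1.2.0/24 (the translated block), and it needs a static route for 10.1.2.0/24 pointing at the router's transit address, otherwise return traffic from the office never reaches the NAT router. Site 3 needs no change at all, and the 10.1.2.x addresses exist only on the wire between the router and the office, which is the whole point of putting the translation at the edge rather than re-addressing a production client.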
