
Pix 2 Pix VPN with overlapping networks

yulunga
Level 1

I have a situation where I need to connect two PIX firewalls over a VPN as part of a migration. The problem I have is that I cannot change a subnet on either of the sites, so I need to be able to complete this with network overloading.

Documentation to do this is limited and the one document I did find drops my access to the internet if I follow it.

The setup is (I have two servers talking to one on the other end):

192.168.0.0/24 -PIX1- -Internet- -PIX2- -192.168.0.0/24

I have a NAT for the internet and a global statement for the NAT using the interface for internet access. This is a blank setup, so there are no tricky access-list or static commands.

My config is listed below

interface ethernet0 100full

interface ethernet1 10full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

access-list nat_out permit ip 192.168.0.0 255.255.255.0 172.16.2.0 255.255.255.0

access-list vpn_burley.net permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0

ip address outside 211.x.x.2 255.255.255.192

ip address inside 192.168.0.4 255.255.255.0

global (outside) 1 x.x.111.5

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 172.16.2.0 access-list nat_out 0 0

route outside 0.0.0.0 x.x.x.x.111.111.1 1

route outside 172.16.x.x.255.255.0 211.111.111.1 1

sysopt connection permit-ipsec

crypto ipsec transform-set myset ah-sha-hmac esp-des

crypto ipsec transform-set esp-sha-hmac esp-des

crypto map vpn 10 ipsec-isakmp

crypto map vpn 10 match address vpn_burley.net

crypto map vpn 10 set peer 211.c.c.2

crypto map vpn 10 set transform-set myset

isakmp enable outside

isakmp key ******** address 211.c.c.2 netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

Please could someone help
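A consistency check for the policy-NAT and crypto access-lists in a configuration like the one above, added here as an example and not part of the original post. It assumes that the policy-NAT ACL should match traffic from the real inside network to the remote side's translated network, that the crypto ACL matches the post-NAT addresses, and that 172.16.1.0/24 is the remote translated network; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the four relevant lines copied from the configuration in the post.
SAMPLE = """\
access-list nat_out permit ip 192.168.0.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list vpn_burley.net permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
static (inside,outside) 172.16.2.0 access-list nat_out 0 0
crypto map vpn 10 match address vpn_burley.net
"""

ACL = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
STATIC = re.compile(r"^static \(inside,outside\) (\S+) access-list (\S+)")
CRYPTO = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")

def parse(config):
    """Collect ACL entries, policy-NAT statics and crypto-map ACL names."""
    acls, statics, crypto = {}, [], []
    for line in config.splitlines():
        line = line.strip()
        if m := ACL.match(line):
            name, s, sm, d, dm = m.groups()
            pair = (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}"))
            acls.setdefault(name, []).append(pair)
        elif m := STATIC.match(line):
            statics.append(m.groups())      # (mapped address, policy-NAT ACL name)
        elif m := CRYPTO.match(line):
            crypto.append(m.group(1))
    return acls, statics, crypto

def check(config):
    """Return findings where the policy-NAT ACL and the crypto ACL disagree."""
    acls, statics, crypto = parse(config)
    findings = []
    for mapped, nat_acl in statics:
        for real, dst in acls.get(nat_acl, []):
            mapped_net = ipaddress.ip_network(f"{mapped}/{real.netmask}")
            # The NAT condition should point at the remote network, not our own mapped range.
            if dst.overlaps(mapped_net):
                findings.append(f"{nat_acl}: destination {dst} is the local mapped network")
            # The crypto ACL sees translated packets: source = mapped net, same destination.
            for name in crypto:
                for c_src, c_dst in acls.get(name, []):
                    if c_src != mapped_net:
                        findings.append(f"{name}: source {c_src} is not mapped net {mapped_net}")
                    if c_dst != dst:
                        findings.append(f"{name}: protects traffic to {c_dst}, {nat_acl} translates only to {dst}")
    return findings
```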

1 Reply 1

b.hsu
Level 5