Same remote subnets on 2 different WAN IPs?

[bcraig]

Hello!

I have a weird problem. I have 2 sonicwall firewalls that I am trying to make VPN connections to a cisco PIX 520 (version 6.31) firewall. Each sonicwall has it's own separate network of computers behind it. The two networks are are not connected in any way to each other. Each Sonicwall 1 and 2 have the EXACT same configs, SAs, local subnets, everything. The only difference is that the WAN IP of each firewall is different (2 different ISPs). Firewall 1 will connect perfectly fine to the PIX, and pass traffic through to my 192.168.1.0 network no problems. I try and get my second firewall to also negotiate a VPN tunnel to the PIX, and phase 1 completes, but I get:

ISAKMP: IPSec policy invalidated proposal

ISAKMP (0): SA not acceptable!

ISAKMP (0): sending NOTIFY message 14 protocol 3

If I change my local network on sonicwall 2 side to say 192.168.11.0, it works perfectly.

However, it seems that the PIX is having problems dealing with the same remote network on 2 different policies. Is this possible? The PIX is dealing with 2 different networks
completely, on 2 different WAN IPs, however the local network of those 2 networks are the same. Would this cause problems? And does anyone know of a way to work around this?

Thanks for your help!

 

[lgarner]

Check out "outside nat". It's the opposite of "normal" nat in that it translates public addresses to addresses of your choosing. One of its purposes is to allow two networks to merge when they're using overlapping IP ranges, so I think it would work here.

 

[bcraig]

Hmmm, I don't think I quite understand what you mean?