
   comp.dcom.vpn      VPN protocols, clients, awesomeness      2,348 messages   


   Message 1,839 of 2,348   
   Draschl Clemens to Simon   
   Re: VPN - Same IP's   
   24 Nov 05 09:22:19   
   
   From: c.draschl@conova.com   
      
   Simon wrote:   
      
   >> [...]   
   >>   
   >>   
   > I can't see a problem as each of the home users will have had their 192   
   > local addresses natted to the wan address of their router, it's this   
   > address the pix will see the tunnel request coming from, not the 192 one.   
   > Simon   
      
   in esp-tunnel mode (which you'll be using) the initiator proxy is a 192,   
   which the pix will see. esp takes the whole ip-packet, encrypts it and   
   adds a new header, which is modified by the pix's nat-mechanism.   
      
   why this _could_ work:   
      
   * host-routes are higher-weighted than network-routes   
   * inbound-nat on ipsec-packets   
   * nat-traversal   
      
   the solution to bypass this problem is to use ike-config. the pix gives   
   a dhcp-address to the ipsec-client, and _only_ to the ipsec-client.   
   doesn't provide dhcp to normal lan users. you have to modify the   
   access-lists to pass the virtual ip's. and the client has to be   
   configured to obtain a virtual ip-address.   
      
   \cd   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
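
Added example, not part of the original post: a toy Python model of the point made in the reply above, that in ESP tunnel mode the home router's NAT rewrites only the outer header, so the gateway still sees the 192.168 inner address, and that leasing virtual addresses via IKE config removes the overlap. All addresses, the pool and the function names are constructed for illustration, and keying the gateway's return path on the inner source is a simplification of how a real PIX tracks proxy identities.

```python
from dataclasses import dataclass
from ipaddress import ip_network

GATEWAY = "192.0.2.1"  # constructed address standing in for the PIX outside interface

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: object = None  # in tunnel mode: the complete inner IP packet

def esp_tunnel(inner, outer_src):
    # ESP tunnel mode: the whole inner packet is encrypted and gets a new outer header.
    return Packet(outer_src, GATEWAY, inner)

def home_nat(pkt, wan_ip):
    # The home router rewrites only the outer source; the inner packet is opaque to it.
    return Packet(wan_ip, pkt.dst, pkt.payload)

def simulate(clients, pool=None):
    """clients: list of (wan_ip, lan_ip). Returns (return_path, conflicts)."""
    free = [str(h) for h in ip_network(pool).hosts()] if pool else []
    return_path, conflicts = {}, []
    for wan_ip, lan_ip in clients:
        # With IKE config the gateway leases a virtual address to the IPsec client,
        # which uses it as the inner source instead of its LAN address.
        inner_src = free.pop(0) if pool else lan_ip
        inner = Packet(inner_src, "10.0.0.5", "data")  # 10.0.0.5: constructed inside host
        on_wire = home_nat(esp_tunnel(inner, lan_ip), wan_ip)
        seen = on_wire.payload.src  # inner source the gateway sees after decryption
        if seen in return_path and return_path[seen] != on_wire.src:
            conflicts.append((seen, return_path[seen], on_wire.src))
        else:
            return_path[seen] = on_wire.src
    return return_path, conflicts

# Constructed sample: two home users behind different routers, same 192.168 address.
CLIENTS = [("203.0.113.10", "192.168.1.10"), ("198.51.100.20", "192.168.1.10")]

if __name__ == "__main__":
    print(simulate(CLIENTS))                       # overlapping inner addresses
    print(simulate(CLIENTS, pool="10.99.0.0/29"))  # virtual addresses from a pool
```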



(c) 1994,  bbs@darkrealms.ca