This guide works on PIX firmware version 8.0(3). It is untested on earlier versions.


Your side: is your LAN internal subnet is your PIX outside address (VPN peer address)
Counterparty side: is their LAN internal subnet is their VPN peer address
VPN: is the subnet you need to NAT your LAN traffic into before it enters the VPN tunnel

The PIX Config

#Define the "interesting" traffic for the VPN (what should be sent over the VPN)
#It is anything from to

access-list ACL_OUTSIDE_CRYPTOMAP extended permit ip

#Define the crypto map
#Modify these example details to the IKE/IPSEC details agreed with your counterparty

crypto map outside_map 1 match address ACL_OUTSIDE_CRYPTOMAP
crypto map outside_map 1 set peer
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

#Define the Policy NAT for translating the source addresses of your LAN traffic for the VPN
#TO  : (VPN Peer's subnet)  

access-list VPN_POLICY_NAT extended permit ip

#Now define a static translation for any traffic that matches the VPN_POLICY_NAT rule
#Traffic from your LAN subnet will be NAT'd to the source addresses
#This happens before the traffic enters the VPN tunnel so your peer will see the source
#addresses they require and you can keep your existing LAN addressing scheme

static (inside,outside) access-list VPN_POLICY_NAT
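
A worked version of the policy NAT and crypto map above with the address fields filled in, as an added example that is not part of the original guide. Every address is a constructed sample value, and the pre-shared key is a placeholder. The transform-set and tunnel-group lines are additions the guide does not show, and the ISAKMP policy is unchanged from the guide and omitted here.

```text
! Constructed sample addressing (assumptions, not values from the guide):
!   Your LAN subnet         192.168.1.0/24
!   NAT subnet for the VPN  10.99.1.0/24
!   Counterparty LAN subnet 172.16.50.0/24
!   Counterparty VPN peer   198.51.100.1

! Policy NAT match: real LAN source going to the counterparty's LAN
access-list VPN_POLICY_NAT extended permit ip 192.168.1.0 255.255.255.0 172.16.50.0 255.255.255.0

! Net-to-net translation into the NAT subnet for matching traffic only.
! Both subnets use the same mask, so 192.168.1.10 becomes 10.99.1.10.
static (inside,outside) 10.99.1.0 access-list VPN_POLICY_NAT

! Interesting traffic is matched after NAT, so the source here is the
! translated subnet, not the real LAN subnet.
access-list ACL_OUTSIDE_CRYPTOMAP extended permit ip 10.99.1.0 255.255.255.0 172.16.50.0 255.255.255.0

! Transform set referenced by the crypto map (name taken from the guide)
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map outside_map 1 match address ACL_OUTSIDE_CRYPTOMAP
crypto map outside_map 1 set peer 198.51.100.1
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside

! Pre-shared key for the peer; replace the placeholder with the agreed key
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <PRE_SHARED_KEY>

! Checks after sending traffic from a LAN host to the counterparty's LAN:
!   show xlate                                 (translation into 10.99.1.x exists)
!   show crypto isakmp sa                      (phase 1 is up with 198.51.100.1)
!   show crypto ipsec sa peer 198.51.100.1     (encaps/decaps counters increase)
```

If the ipsec sa shows the real LAN subnet as the local identity, or the counters stay at zero, the crypto ACL is matching pre-NAT addresses or the static is not being hit. 3DES, MD5 and DH group 2 are kept only because the guide uses them; where the counterparty supports it, agree on AES and SHA with a larger DH group instead.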