[Technical Sharing] Overlapping Subnet & NAT


Does anyone know if you can do the following?
I have a NS208, and it is set up on a LAN-to-LAN IKE VPN to a SonicWall 230.
My issue is overlapping subnets. Both sites are using the same subnet. Changing the subnet wouldn't be an option.
All the NATing will have to be done on the NS208 side. SonicWall says the 230 can't do NATing in standard mode.
Below is what I tried doing; any ideas, examples, etc. would be greatly appreciated.
Thank you in advance.

PC - xxx.xxx.0.1
NS208 - 1.1.1.1
I've tried setting up the following:
1. Created the LAN-to-LAN VPN.
2. Created a tunnel.x with 10.10.10.0/24
   Created MIP 10.10.10.1 -> xxx.xxx.0.1
3. Tried to bind a custom zone to tunnel.x and applied it
   to the IKE VPN (that didn't work)
4. Created policy trust to untrust
   10.10.10.0/24 -> xxx.xxx.0.1
to
SW230 - 2.2.2.2
PC - xxx.xxx.0.1


I think policy-based NAT can be used in this case.


Juniper's FW can do IPsec VPN and NAT at the same time, but this requires that you configure a tunnel interface for the IPsec VPN, then create a NAT IP pool on the tunnel interface, and create a policy that uses the pool. Then it should be OK.


This is actually very simple and I have done it a few times already.

Here are the tricks:

- Assign a separate subnet (e.g., 10.254.x.0/24) to a loopback interface (lo.1) on the NS208
- Leave lo.1 in the untrusted zone
- Have a MIP from lo.1 to e0 (trusted zone ??)
- Advertise lo.1 and the tunnel interfaces (route-based VPN) via a routing protocol (static, RIP, OSPF or BGP) to the SonicWall, and DO NOT advertise the subnet of e0 via routing.
- Place the tunnel interfaces (in case you have two separate untrusted interfaces pointing to separate ISPs) under the loopback group of lo.1
- Build policies on the NS208 so that: trusted to untrusted any any with NAT; untrusted to trusted any / MIP
- VPN monitor on the primary and backup VPN (in case you have separate VPNs over multiple untrusted interfaces)

The other FW (SonicWall) is going to see the NS208 via the loopback IP addresses. However, ingress packets to the NS208 will be MIPed to the LAN subnet. The NS208 will be NATed to the IP of the loopback toward the SonicWall in the egress direction.

Happy computing!
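The recipe in the post above, written out as a ScreenOS CLI configuration for the NS208. This is an added example, not configuration posted by anyone in the thread. The addresses are assumptions: the thread masks the shared LAN as xxx.xxx.0.x, so 192.168.0.0/24 stands in for it; 1.1.1.1 and 2.2.2.2 are the NS208 and SonicWall public addresses from the first post; 10.254.1.0/24 is the loopback (alias) subnet the post suggests; interface, zone, gateway, VPN and address-book names are made up for the example.

```screenos
# --- Assumed addressing (constructed for this example) ---
#  NS208 Trust    ethernet1   192.168.0.254/24   real LAN, overlaps with the SonicWall LAN
#  NS208 Untrust  ethernet3   1.1.1.1/24         Internet-facing interface
#  NS208 loopback loopback.1  10.254.1.1/24      alias subnet the SonicWall sees instead of 192.168.0.0/24
#  SonicWall      2.2.2.2                        its LAN is also 192.168.0.0/24, no NAT on that side
#  LAN host 192.168.0.1 is reachable from the SonicWall side as 10.254.1.10 (MIP)

set interface ethernet1 zone trust
set interface ethernet1 ip 192.168.0.254/24
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24

# Loopback in the Untrust zone carries the alias subnet; nothing on the LAN uses it.
set interface loopback.1 zone untrust
set interface loopback.1 ip 10.254.1.1/24

# Route-based VPN: the tunnel interface borrows the loopback address (unnumbered)
# and joins the loopback group, so MIP/NAT on loopback.1 applies to tunnel traffic.
# A second tunnel to another ISP would join the same group.
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface loopback.1
set interface tunnel.1 loopback-group loopback.1

# MIP on the loopback: 10.254.1.10 (alias) -> 192.168.0.1 (real LAN host).
# One line per LAN host the remote side must reach; the "vr trust-vr" is the VR that
# owns the real address.
set interface loopback.1 mip 10.254.1.10 host 192.168.0.1 netmask 255.255.255.255 vr trust-vr

# IKE phase 1 / phase 2 to the SonicWall, bound to tunnel.1. The proxy-id tells the
# SonicWall that the NS208 "network" is 10.254.1.0/24, not the real LAN.
set ike gateway gw-sonicwall address 2.2.2.2 main outgoing-interface ethernet3 preshare "REPLACE-WITH-SHARED-SECRET" sec-level standard
set vpn vpn-sonicwall gateway gw-sonicwall sec-level standard
set vpn vpn-sonicwall bind interface tunnel.1
set vpn vpn-sonicwall proxy-id local-ip 10.254.1.0/24 remote-ip 192.168.0.0/24 any
set vpn vpn-sonicwall monitor rekey

# Address book entries (names are made up for this example).
set address trust   local-lan  192.168.0.0/24
set address untrust remote-lan 192.168.0.0/24

# Inbound: remote hosts hit the MIP, which is rewritten to the real LAN address.
set policy from untrust to trust remote-lan mip(10.254.1.10) any permit log
# Outbound: source-NAT to the egress interface address; because tunnel.1 is unnumbered
# from loopback.1, sessions leave the tunnel sourced from 10.254.1.1.
set policy from trust to untrust local-lan any any nat src permit log

# --- Checks after committing ---
get interface loopback.1        # shows tunnel.1 as a group member and the MIP
get mip                         # MIP table
get sa active                   # phase 2 SA up, bound to tunnel.1
get session                     # inbound session should show 10.254.1.10 -> 192.168.0.1
```

Two things to keep in mind with this layout. First, the SonicWall needs a route for 10.254.1.0/24 into the tunnel (static, or learned over the tunnel as the post suggests) and must never be told about 192.168.0.0/24 from the NS208 side, or its own LAN route would be shadowed. Second, this only covers sessions initiated from the SonicWall side (plus their replies): a host on the NS208 LAN cannot address a remote 192.168.0.x directly, because that prefix is its own connected network. Letting the NS208 side initiate would require a second alias range for the remote LAN with destination NAT on the NS208, and whether ScreenOS routes the post-translation address into tunnel.1 rather than ethernet1 is something to verify in the lab before relying on it.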

