Network Extension Mode (NEM) specifies that the PCs and other hosts at the client end of the VPN tunnel should be given IP addresses that are fully routable and reachable by the destination network over the tunneled network so that they form one logical network. PAT is not used, which allows the client PCs and hosts to have direct access to the PCs and hosts at the destination network. In NEM mode, the Cisco VPN hardware client obtains a private IP address from a local DHCP server or is configured with a static IP address.
Figure 8 illustrates the network extension mode of operation. In this example, the security appliance acts as a Cisco VPN hardware client, connecting to a remote IPsec VPN server. The hosts attached to the security appliance have IP addresses in the 10.0.0.0 private network space. The server does not assign an IP address to the security appliance, and the security appliance does not perform NAT or PAT translation over the VPN tunnel. When accessing the remote network 192.168.100.x, the hosts 10.0.0.3 and 10.0.04 will not be translated, and the hosts in the remote network 192.168.100.x can access the hosts 10.0.0.3 and 10.0.04 directly.
The client hosts are given IP addresses that are fully routable by the destination network over the VPN tunnel. These IP addresses could be either in the same subnet space as the destination network or in separate subnets, assuming that the destination routers are configured to properly route those IP addresses over the VPN tunnel.
Figure 8-6 IPsec VPN Network Extension Connection