Hiding an address range
An internal address range may sometimes need to be masked, simply for security reasons or out of necessity when this address range is used on another network known by the remote site and with which you would like to communicate through the IPsec tunnel.
The configuration is similar to the one in the previous example, except for the fact that only one of the networks needs to be masked from the other.
In this example, Net-A-Real located behind Firewall A will appear as Net-A-Virt to site B.