This is a tricky question. Overlapping networks on R1 and R5—10.1.1.0/24—need to be encrypted.
IPSec access list cannot be configured for this. The solution is to create NAT on both ends and use the NATed address for IPSec ACL. See Example 4-26. On an ingress IPSec packet, NAT is performed first, followed by IPSec ACL.
See the following URL for more information about the order of operation:
NAT Order of Operation
Static NAT on PIX is already configured for R1 as 220.127.116.11. Use this on R5 for IPSec peering. Create ACL on PIX for ESP, UDP/500 (ISAKMP), and TCP/80 (for CA enrollment). See Example 4-27.
Configure IPSec ...