Static NAT and PAT

I need to have a customer network connected to my extranet.

I’m not in control of the customer network addressing. But need to configure a VPN connection.

I will supply the router that will also be the customer Firewall to the Internet (PAT).

(1) I need to be able to do PAT on traffic from internal hosts to the Internet.

(2) I need to hide (NAT) the customer network behind a network supplied by me (match-host), when they are accessing my extranet (through VPN).

(3) I need to be able to access hosts on the customer network, through the hiding (NAT) addresses from my extranet (through VPN).

******

The following configuration will solve (1) & (2), but I can not (3) reach the internal servers from my extranet, except if the internal host has made connection to the extranet, witch will create a translate entry in the NAT table.

******

Extranet is: 172.16.16.0/24

Internal net is: 192.168.1.0/24

..

..

interface Vlan1

ip address 192.168.1.1 255.255.255.0

ip nat inside

..

interface FastEthernet4

ip address 1.1.1.1

ip nat outside

..

access-list 175 deny 192.168.1.0 0.0.0.255 172.16.16.0 0.0.0.255

access-list 175 permit 192.168.1.0 0.0.0.255 any

access-list 176 permit 192.168.1.0 0.0.0.255 172.16.16.0 0.0.0.255

ip nat pool FRO 10.192.10.1 10.192.10.254 netmask 255.255.255.0 type match-host

ip nat inside source list 175 interface FastEthernet4 overload

ip nat inside source route-map HIDE pool FRO reversible

route-map HIDE permit 10

match ip address 176