11-05-2015 08:00 AM - edited 03-05-2019 02:40 AM
Hi All
We have a requirement whereby we have a device which needs to be accessible from the outside, so we have done a 1 to 1 static NAT from our dialler interface using a port number, this works fine.
However the same router has a site to site VPN connected to our HQ. We need to be able to access this same device over the VPN tunnel, however it doesn't seem to work. When we remove the static translation, it then works.
Obviously we have a no NAT configured for the site to site tunnel, but we need it to be able to work over both ways.
Is this possible ?
11-05-2015 03:06 PM
You need to use a route map with your NAT.
See this thread for details -
https://supportforums.cisco.com/discussion/12544291/ipsec-ip-nat-inside-source-static
Jon
11-05-2015 08:50 AM
Hello
We need to be able to access this same device over the vpn tunnel. however it doesn't seem to work
Not sure I understand this - isn't your Site-2-Site VPN connecting internally?
res
Paul
11-05-2015 08:57 AM
Hi
Yes the site to site connects to us internally
however we have third party who also requires access to this device from the internet hence the static translation
11-05-2015 09:51 AM
Hello Carl
As you have stated you already have created the static translation- correct?
What is the need for another one - I must be missing something apologies!
res
Paul
11-05-2015 10:13 AM
Basically, it works when coming from the internet, but if I try to access the inside up over a VPN tunnel, it does not work, it's almost like the return traffic is getting natted
any ideas?
11-05-2015 12:54 PM
Hello
are you trying via the external ip or internal
also what's your dns - do you have A records
Relating to the internal and external addressing ?
res
paul
11-06-2015 02:44 AM
ok
basically we need to access a device on the LAN behind the router, from both the internet using a static 1 to 1 NAT as below
ip nat inside source static tcp 172.16.1.1 30000 interface Dialer1 30000
This router also has a VPN to our HQ using a crypto map,
we need to be able to access the 172.16.1.1 address over the vpn also, but it fails.
If we take the ip nat static translation off, it works fine over the vpn.
how would we fix this so we can connect using both ways ?
11-06-2015 05:13 AM
I have already answered your question above.
See the link I provided.
Jon
11-05-2015 06:09 PM
Hello,
Are you using GRE tunnel for VPN or you are using crypto map on the dialer interface?
If you are using a Tunnel interface, you do not need to be concerned about NAT because you do not have IP NAT outside on the interface (probably), but if you use a crypto map, you need to do translation based on policy. It can be done by route-map. Please explain more about your configuration.
Masoud
11-06-2015 04:49 AM
All sorted, thank you, used a route map with the deny statement.
worked a treat
many thanks for your help
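A sketch of the route-map approach the thread settles on, added here as an illustration and not taken from any poster's configuration. The HQ subnet 10.0.0.0/24, the LAN mask, the public address 203.0.113.10 and the names VPN-TRAFFIC and STATIC-NAT are assumptions; only 172.16.1.1, port 30000 and Dialer1 come from the thread.

```cisco
! Constructed example. Assumed values: LAN 172.16.1.0/24, HQ LAN 10.0.0.0/24,
! fixed public address 203.0.113.10 on Dialer1 (placeholder).
!
! Before (from the thread): unconditional static port translation.
! Replies from 172.16.1.1:30000 to HQ match this entry and are translated
! before the crypto map is evaluated, so they no longer match the
! tunnel's interesting-traffic ACL and never enter the VPN.
!   ip nat inside source static tcp 172.16.1.1 30000 interface Dialer1 30000
!
! Traffic between the LAN and HQ that must stay untranslated.
ip access-list extended VPN-TRAFFIC
 permit ip 172.16.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
! Deny = do not apply the static translation to tunnel traffic.
route-map STATIC-NAT deny 10
 match ip address VPN-TRAFFIC
! Everything else (Internet clients) is still translated.
route-map STATIC-NAT permit 20
!
! After: the same static entry, now conditional on the route-map.
! The IOS command reference lists route-map on the form with an explicit
! global address, not on the "interface Dialer1" form, hence the
! placeholder public address here.
no ip nat inside source static tcp 172.16.1.1 30000 interface Dialer1 30000
ip nat inside source static tcp 172.16.1.1 30000 203.0.113.10 30000 route-map STATIC-NAT
!
! Checks after the change:
!   show ip nat translations   (no entry created for HQ-sourced sessions)
!   show crypto ipsec sa       (encaps and decaps counters both increase)
```

The existing no-NAT rule for the site to site tunnel stays in place; it covers dynamic overload NAT only, which is why the static entry needed its own exemption.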