Site 2 Site VPN with NATed IP

I have a need to configure Site 2 Site VPNs to different clients. I have built the VPNs under a single crypto map, but an issue has come up.

One of my clients requires me to NAT my inside network to my public address, as he has also NATed his inside network to his public address.

How do I accomplish this? I basically need to NAT my inside 192.168.x.x network to 110.44.x.x for the client. My client NATs his inside 10.225.x.x network to 203.32.x.x for me. On my side I have a Cisco IOS router and on my client's side they have a Cisco PIX.

My tunnel is up, but I can't reach my inside network, and the same on the remote side. My IPsec output from "sh crypto ipsec sa peer 203.32.x.x" shows packets encrypted and decrypted.

I assume my NAT and ACL are working well, but tunnel traffic is still not passing. Is there any way to make this scenario work for my customer?

So I request that if anyone can provide any suggestions and support, it will be a great help.

Thank You

Four Pros IT

11 Replies

Mathias Garcia
Level 1

Hi!

Unless there is a conflict between the 2 sites (the same private network existing on both sites), there is no need to do any NAT.

The other party should be able to add a NAT exemption for traffic going to your network.

Of course, it all depends on what your site 2 site VPNs are to be used for and how. It might be a requirement for them.

As far as doing the NAT, it's no different than your regular NAT.

Just make sure that the interesting traffic ACL for the IPsec tunnel matches the NAT'ed source and destination, not the real ones.

And the usual: both ends need ACLs that are mirror images of each other.

HTH

Hi Mathias!

Thanks for your quick response.

Well, the private networks are not the same on both sides, but I can't say that the network won't need to scale, so doing NAT will be better in that case.

Yes, the interesting traffic ACL for the IPsec tunnel matches the NATed source and destination, not the real ones.

But I am not able to reach the private network.

Thank You

Four Pros IT

Hi,

You can do NAT, but you have to exempt interesting IPsec traffic from being NATed, and they must do the same on their side.

Don't forget to rate helpful posts.

Hi

I hate to ask, but could I bother you for a short config example? I am afraid I'm a little out of my league with this. Thank You

Four Pros IT

Hi,

I hate to ask, but could I bother you for a short config example? I am afraid I'm a little out of my league with this. Thank You

No problem.

Suppose you NAT from the inside to the outside interface (PAT): inside is 10.0.1.0/24 (int f0/1) and the outside interface is s1/0.

You want to VPN from 10.0.1.0/24 to 192.168.1.0/24 for all IP traffic.

Here's the config:

! ACL 110 selects what gets PATed: the VPN traffic is denied (exempted), everything else is translated
access-list 110 deny ip 10.0.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 10.0.1.0 0.0.0.255 any
route-map PAT permit 10
 match ip address 110
ip nat inside source route-map PAT interface Serial1/0 overload
interface FastEthernet0/1
 ip nat inside
interface Serial1/0
 ip nat outside
! CRYPTO is your crypto ACL (the real, untranslated addresses, since this traffic is exempt from NAT)
ip access-list extended CRYPTO
 permit ip 10.0.1.0 0.0.0.255 192.168.1.0 0.0.0.255

Their crypto ACL must mirror yours, and on the PIX, to do NAT exemption, they must configure "nat (inside) 0 access-list NO_NAT", where NO_NAT is an ACL permitting 192.168.1.0 to 10.0.1.0.

Don't forget to rate helpful posts.
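The ordering both replies rely on (on the inside-to-outside path IOS applies NAT before the crypto map, so the crypto ACL is evaluated against the translated packet) can be modelled to sanity-check a design before touching a router. The following is an added Python example, not code from this thread or from Cisco; it replays the reply's 10.0.1.0/24 to 192.168.1.0/24 exemption and the original poster's 110.44.12.2 / 203.32.1.2 case, with 198.51.100.1 as a constructed stand-in for the s1/0 interface address.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def acl_permits(acl, pkt):
    """First-match ACL check. Entries are (action, src_net, dst_net); implicit deny at the end."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False

def apply_nat(nat_rules, pkt):
    """Policy NAT: the first rule whose match ACL permits the packet rewrites the source.
    A 'deny' entry in the match ACL is how IOS exempts VPN traffic from translation."""
    for match_acl, new_src in nat_rules:
        if acl_permits(match_acl, pkt):
            return Packet(new_src, pkt.dst)
    return pkt

def outbound(nat_rules, local_crypto, remote_crypto, pkt):
    """Model the IOS inside->outside order: NAT runs before the crypto map, so the
    crypto ACL is evaluated against the translated packet. Returns (verdict, packet)."""
    translated = apply_nat(nat_rules, pkt)
    if not acl_permits(local_crypto, translated):
        return ("clear", translated)  # not interesting traffic: leaves unencrypted
    if not acl_permits(remote_crypto, Packet(translated.dst, translated.src)):
        return ("peer-mismatch", translated)  # peer's crypto ACL is not a mirror image
    return ("encrypted", translated)

# Scenario A (the reply above): exempt 10.0.1.0/24 -> 192.168.1.0/24 from PAT, crypto ACL on real addresses.
# "198.51.100.1" is a constructed stand-in for the s1/0 interface address.
NAT_EXEMPT = [([("deny", "10.0.1.0/24", "192.168.1.0/24"),
                ("permit", "10.0.1.0/24", "0.0.0.0/0")], "198.51.100.1")]
CRYPTO_A = [("permit", "10.0.1.0/24", "192.168.1.0/24")]
PEER_A = [("permit", "192.168.1.0/24", "10.0.1.0/24")]

# Scenario B (original poster): 192.168.0.0/24 is PATed to 110.44.12.2 only for traffic to 203.32.1.2.
NAT_TO_PUBLIC = [([("permit", "192.168.0.0/24", "203.32.1.2/32")], "110.44.12.2")]
CRYPTO_REAL = [("permit", "192.168.0.0/24", "203.32.1.2/32")]   # pre-NAT addresses: never matches
CRYPTO_NATED = [("permit", "110.44.12.2/32", "203.32.1.2/32")]  # post-NAT addresses: matches
PEER_B = [("permit", "203.32.1.2/32", "110.44.12.2/32")]

if __name__ == "__main__":
    print(outbound(NAT_EXEMPT, CRYPTO_A, PEER_A, Packet("10.0.1.5", "192.168.1.5")))
    print(outbound(NAT_TO_PUBLIC, CRYPTO_REAL, PEER_B, Packet("192.168.0.10", "203.32.1.2")))
    print(outbound(NAT_TO_PUBLIC, CRYPTO_NATED, PEER_B, Packet("192.168.0.10", "203.32.1.2")))
```

A "clear" verdict is the failure mode to watch for: the packet counters in "sh crypto ipsec sa" stay flat while the traffic leaves the outside interface unencrypted.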

Hi!

OK,

I got you up to PAT overload. That means port address translation, but I think that the mentioned config is still not sufficient. I have included my config file if you wouldn't mind taking a look.

And you have applied an ACL for the crypto map with the real IPs; I am also confused on this section. Hope I am not bothering you with my issue.

Thank You

Four Pros IT

Hi Mathias!

Thanks for your quick response.

Well, the private networks are not the same on both sides, but I can't say that the network won't need to scale, so doing NAT will be better in that case.

I NAT my inside 192.168.0.0/24 network to the single IP 110.44.12.2 for the client. My client NATs his inside 10.225.0.0/24 network to the single IP 203.32.1.2 for me. On my side I have a Cisco IOS router and on my client's side they have a Cisco PIX.

Yes, the interesting traffic ACL for the IPsec tunnel matches the NATed source and destination, not the real ones.

But I am not able to reach the private network.

Thank You

Four Pros IT

Have you verified the configuration on the other end? I know that sometimes you just have to trust that it's been configured the way the other party is stating. But I always find it useful to ask for the other party's matching configuration.

Hi!

The other end says they have done it as per the requirement and all is fine; from my end I can't access that PIX due to the security policy of the remote end. I have attached my configuration here, matching the scenario defined above. I request your suggestion if I am wrong in my configuration.

Thank You.

Four Pros IT

Hi!

I hope I am not bothering you all; I have also attached the IPsec log here. If there is anything that I am missing in my configuration, then this could make debugging easier.

Thank You

Four Pros IT

Hi,

Your tunnel went up and you have traffic going through, but you should clear your tunnel and ask the other side to do it also, then ping the destination LAN from the source LAN and do your sh crypto again.

Regards.

Don't forget to rate helpful posts.