ASA VPN Tunnel with static policy NAT?

campbech1
Level 1

I am in the process of configuring a tunnel between our company and an outside vendor. The outside vendor has the same address space as ours in use on their network as well. We had this set up on our existing Nortel VPN equipment and it was working.

I have set up the tunnel as follows:

object-group network DM_INLINE_NETWORK_75
 network-object host 172.x.x.129
 network-object host 172.x.x.130
 network-object host 172.x.x.131
 network-object host 172.x.x.132
access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_75 143.x.x.128 255.255.255.128
access-list inside_nat_static_1 extended permit ip host 10.x.x.136 143.x.x.128 255.255.255.128
access-list inside_nat_static_2 extended permit ip host 10.x.x.137 143.x.x.128 255.255.255.128
access-list inside_nat_static_3 extended permit ip host 10.x.x.138 143.x.x.128 255.255.255.128
access-list inside_nat_static_4 extended permit ip host 10.x.x.135 143.x.x.128 255.255.255.128
static (inside,inside) 172.x.x.129 access-list inside_nat_static_1
static (inside,inside) 172.x.x.131 access-list inside_nat_static_2
static (inside,inside) 172.x.x.132 access-list inside_nat_static_3
static (inside,inside) 172.x.x.130 access-list inside_nat_static_4
route inside 172.x.x.128 255.255.255.248 10.x.x.1 1
crypto map outside_map 2 set peer 207.x.x.110
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

I was guessing that I needed a static policy NAT since I only want these devices to use this NAT if they are headed over this tunnel.

How far off base am I?

1 Reply

irisrios
Level 6

Static NAT needs to be configured on the ASA if the two sites have the same range of addresses. But slowly shift the IP address range and remove the NAT statements for better performance.
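The relationship the thread turns on, as a small added consistency checker (not code from the original post or from Cisco): on a pre-8.3 ASA the crypto ACL is evaluated against translated addresses, so every policy-static mapped address must appear as a source in the crypto map's ACL, the policy ACL's destination must stay within the crypto ACL's destination so the translation only applies to tunnel-bound traffic, and the static's mapped interface should be the one the crypto map is applied to. The config sample, its object names and its RFC 5737 addresses are constructed for this example.

```python
import ipaddress

# Constructed sample in pre-8.3 ASA syntax; addresses and names are placeholders.
# The second static is deliberately misaligned with the crypto map to show the findings.
SAMPLE_CONFIG = """
access-list outside_2_cryptomap extended permit ip host 203.0.113.129 198.51.100.128 255.255.255.128
access-list outside_2_cryptomap extended permit ip host 203.0.113.130 198.51.100.128 255.255.255.128
access-list inside_nat_static_1 extended permit ip host 10.1.1.136 198.51.100.128 255.255.255.128
access-list inside_nat_static_2 extended permit ip host 10.1.1.137 198.51.100.0 255.255.255.0
static (inside,outside) 203.0.113.129 access-list inside_nat_static_1
static (inside,inside) 203.0.113.131 access-list inside_nat_static_2
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map interface outside
"""

def _addr(tokens):  # one ACL address term -> (network, remaining tokens)
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse(config):
    acls, statics, cmap = {}, [], {}
    for line in config.splitlines():
        w = line.split()
        if w[:1] == ["access-list"] and w[2:5] == ["extended", "permit", "ip"]:
            src, rest = _addr(w[5:])
            acls.setdefault(w[1], []).append((src, _addr(rest)[0]))
        elif w[:1] == ["static"]:  # static (real_if,mapped_if) mapped access-list NAME
            statics.append((w[1].strip("()").split(",")[1], ipaddress.ip_network(w[2]), w[4]))
        elif w[:2] == ["crypto", "map"] and "match" in w:
            cmap["acl"] = w[-1]
        elif w[:2] == ["crypto", "map"] and "interface" in w:
            cmap["interface"] = w[-1]
    return acls, statics, cmap

def audit(config):  # findings where a policy static disagrees with the crypto map
    acls, statics, cmap = parse(config)
    crypto_src = [src for src, _ in acls[cmap["acl"]]]  # crypto ACL sees post-NAT addresses
    crypto_dst = [dst for _, dst in acls[cmap["acl"]]]
    findings = []
    for mapped_if, mapped, acl in statics:
        if mapped_if != cmap["interface"]:
            findings.append(f"{mapped}: mapped interface {mapped_if} is not the crypto map interface")
        if not any(mapped.subnet_of(n) for n in crypto_src):
            findings.append(f"{mapped}: absent from crypto ACL source, traffic would not be encrypted")
        for _, dst in acls[acl]:
            if not any(dst.subnet_of(n) for n in crypto_dst):
                findings.append(f"{mapped}: policy ACL {acl} destination {dst} exceeds the crypto ACL")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see the three findings raised against the misaligned second static; the first static, which lines up with the crypto map, produces none.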