I have a 2811s doing many VPNs to partners and clients. These routers are on my "VPN" network off a PIX 525. I use static routes on the PIX to get the traffic from my networks to the appropriate router and then down the VPN. This has been the setup for years here. It works well and is predictable.

All the VPNs are built using crypto maps. We use a combination of dynamic and static NATs (depending on connection direction) to a public address range we own specifically for these VPN NATs. Our partners and clients also use public address in the VPNs so we never have private range conflicts. We are using ip nat inside and ip nat outside on our inside and outside identified interfaces.

Recently, this model broke down. I knew this would eventually show its ugly head. We have a client that will access a machine behind our pix over the internet from a public source address (let's say 20.20.20.20). We also have a machine that needs to access this same address (20.20.20.20) over a VPN. As all the routing takes place on the PIX, if I route 20.20.20.20 to a VPN router, then the over-the-internet connections no longer work (their SYN packet comes over the internet, but my reply SYN-ACK routes to the VPN tunnel).

My solution is to use NAT. Instead of our opening connections to 20.20.20.20, we would open connections to a private address (let's say 10.0.0.20) that would route to the VPN router and it would then NAT it to 20.20.20.20 and send it down the tunnel. So I'd basically have two NATs happening on this router. One NAT from my source private to my source public and another NAT from my destination private (10.0.0.20) to their destination public (20.20.20.20).

Since I'm using ip nat inside on my inside interface and ip nat outside on my outside interface, is this possible? Should I use ip nat outside source static command?

Any help would be greatly appreciated.