Thanks for replying Rick.
The situation has changed slightly and I'll post that config at the end of this, but let me give you some background at what I'm trying to accomplish.
My internal network is 192.168.100.0 /24. For all normal traffic exiting the firewall, we run PAT from one public IP address. In this case, we want to set up a VPN tunnel to a another network and perform NAT for those transmissions. For instance, my IP is 192.168.100.161. When I ping google, they see me as the PAT public IP (we'll say 79.79.159.43). When I ping one of the AllowedAddress (internal IPs to the network on the other side of the tunnel) on the other end of the tunnel, I want them to see 10.44.3.161. I've tried various configurations to accomplish this and I've had the NAT working, but at no point does the VPN tunnel try to initiate itself. We have two site-to-site VPNs setup. The one that isn't working is with peer 45.56.78.89. Here is my latest attempt, let me know what you think.
[As you can see the static command has been removed and replaced with a nat command]
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
names
name 192.168.100.161 Phil
object-group network AddressesAllowed
description These are UL addresses that are allowed through the VPN firewall.
network-object 10.40.10.118 255.255.255.255
network-object 10.40.110.71 255.255.255.255
network-object 10.48.10.37 255.255.255.255
network-object 10.48.10.38 255.255.255.255
network-object 192.168.41.31 255.255.255.255
network-object 192.168.41.32 255.255.255.255
network-object 10.46.0.15 255.255.255.255
network-object 10.46.0.19 255.255.255.255
network-object 10.40.10.117 255.255.255.255
network-object 10.46.0.1 255.255.255.255
access-list inbound-acl permit icmp any any echo-reply
access-list inbound-acl permit icmp any any time-exceeded
access-list inbound-acl permit icmp any any unreachable
access-list inbound-acl deny ip any any
access-list inside_outbound_nat0_acl permit ip object-group trusted_hosts 46.57.44.19 255.255.255.192
access-list outside_cryptomap_20 permit ip object-group trusted_hosts 46.57.44.19 255.255.255.192
access-list polnat161 permit ip host Phil object-group AddressesAllowed
icmp permit any outside
ip address outside 79.79.159.43 255.255.255.224
ip address inside 192.168.100.1 255.255.255.0
global (outside) 1 interface
global (outside) 2 10.44.3.161
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 2 access-list polnat161 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inbound-acl in interface outside
route outside 0.0.0.0 0.0.0.0 209.252.79.1 1
http server enable
http 192.168.100.0 255.255.255.0 inside
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 43.119.78.59
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address polnat161
crypto map outside_map 40 set peer 45.56.78.89
crypto map outside_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 40 set security-association lifetime seconds 21600 kilobytes 4608000
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 43.119.78.59 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 45.56.78.89 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 3600
