I have a VPN connection from my place to a Netscreen firewall at the client's end, with the following setup (sent by the Netscreen system administrator):
''My tunnel endpoint address: 184.108.40.206
Your tunnel endpoint address: 220.127.116.11
Your encryption domain (the addresses routed into that tunnel): Host 18.104.22.168 (defined as host, NOT as /32 network)
My encryption domain (the addresses behind my tunnel endpoint): 22.214.171.124/27
Destination: 126.96.36.199 (translated to internal private address 10.236.90.131)
Services: ICMP Echo request, TCP 22 (ssh), TCP 7114
Because we use private addresses in the range 10/8 for internal use, and these addresses frequently conflict with the internally used network addresses of our partners, we usually offer an exclusive range of addresses, namely public addresses somewhere around 201.56.129.*, as destination addresses at our end. These addresses are never used for any other purpose than for NAT inside of VPN tunnels. In addition, these addresses do not overlap with the networks where the tunnel endpoint addresses themselves reside.
For you that simply means that your systems ALWAYS talk to 201.56.129.* addresses at my end. It is my responsibility to translate such addresses to the internal addresses of our systems behind.
On the other hand, whenever an internal system at your side talks to 188.8.131.52, you have to ensure that the source address is replaced with 184.108.40.206, so that my system can properly route the packets back to my VPN firewall and into the proper VPN tunnel.
There is only one tricky point at your end: as the tunnel endpoint address is identical to the encrypted destination address, your device must properly handle this situation.''
I have a Cisco 2801 at my side of the VPN. From my router config:
crypto map CRYPTO 20 ipsec-isakmp
set peer 220.127.116.11
set transform-set TELCOM
set pfs group2
match address 102
The access list (the crypto map ACL) consists of only one command:
access-list 102 permit ip host 62.10068.171 18.104.22.168 0.0.0.63
The public address of my communication server is 22.214.171.124. The system works OK, and I have no problem but one: I do not want to have the public address available from the internet. So I have to NAT my server's public address:
ip nat inside source static 192.168.100.24 126.96.36.199
where 192.168.100.24 is the server's private address. What was done is basically that the above instruction was included in the Cisco setup. Certainly, I have deleted the public address from the communication server and added its private address instead to its connection setup.
The problem is that the application program on my communication server does not work. My crypto map was not changed after my reading of the NAT order of operation.
My question is why my system does not work. Do I have to change anything in my crypto map?
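Not part of the original post: an added Python model of the Cisco IOS inside-to-outside order of operations, in which ip nat inside source static rewrites the source address before the crypto map's match address ACL is evaluated, so that ACL has to name the translated (public) address rather than the server's private one. The private address 192.168.100.24 is the poster's; the public address, the remote host and the remote /26 network are constructed RFC 5737 documentation values, not the addresses from the post.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# One ACE of a Cisco extended ACL: (src, src_wildcard, dst, dst_wildcard);
# "host X" is X with wildcard 0.0.0.0.
Ace = Tuple[str, str, str, str]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """True if any ACE matches both source and destination of the packet."""
    return any(wildcard_match(pkt.src, s, sw) and wildcard_match(pkt.dst, d, dw)
               for s, sw, d, dw in acl)

def inside_to_outside(pkt: Packet, static_nat: Dict[str, str],
                      crypto_acl: List[Ace]) -> Tuple[Packet, bool]:
    """IOS inside->outside path: static NAT (inside local -> inside global) runs
    BEFORE the crypto map ACL is checked, so the ACL sees the translated source.
    Returns the packet as the crypto map sees it and whether it gets encrypted."""
    translated = replace(pkt, src=static_nat.get(pkt.src, pkt.src))
    return translated, acl_permits(crypto_acl, translated)

# Constructed sample values (RFC 5737 ranges), not the poster's addresses.
INSIDE_LOCAL = "192.168.100.24"   # server's private address, as in the post
INSIDE_GLOBAL = "203.0.113.10"    # constructed stand-in for the server's public address
REMOTE_HOST = "198.51.100.5"      # constructed host in the peer's /26 encryption domain
STATIC_NAT = {INSIDE_LOCAL: INSIDE_GLOBAL}   # ip nat inside source static

# Crypto ACL naming the public (translated) address: matches after NAT.
ACL_GLOBAL: List[Ace] = [(INSIDE_GLOBAL, "0.0.0.0", "198.51.100.0", "0.0.0.63")]
# Crypto ACL naming the private address: never matches on the inside->outside path.
ACL_LOCAL: List[Ace] = [(INSIDE_LOCAL, "0.0.0.0", "198.51.100.0", "0.0.0.63")]

def demo() -> Tuple[bool, bool]:
    pkt = Packet(src=INSIDE_LOCAL, dst=REMOTE_HOST)
    _, enc_global = inside_to_outside(pkt, STATIC_NAT, ACL_GLOBAL)
    _, enc_local = inside_to_outside(pkt, STATIC_NAT, ACL_LOCAL)
    return enc_global, enc_local   # (True, False)

if __name__ == "__main__":
    print(demo())
```

The return path works the other way round: the packet is decrypted first and only then is the inside global address translated back to the inside local one, so the static NAT entry alone is enough for that direction.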