I have a vendor that needs to connect to my server.
He already routes my internal subnet so I need to do policy-nat.
If my server were initiating the tunnel I would have this:
access-list Local-2-Vendor permit ip host MyServerLocal VendorNetwork 255.255.255.0
access-list Global-2-Vendor permit ip host MyServerGlobal VendorNetwork 255.255.255.0
static (inside,outside) MyServerGlobal access-list Local-2-Vendor
crypto map outside_map 1 match address Global-2-Vendor
crypto map outside_map 1 set peer XX.25.26.27
crypto map outside_map 1 set transform-set ESP-3DES-SHA
tunnel-group XX.25.26.27 type ipsec-l2l
tunnel-group XX.25.26.27 ipsec-attributes
The above works fine, but it does not allow hosts on the VendorNetwork to initiate the tunnel.
What do I need to change so that the VendorNetwork can bring up the tunnel?