Just make sure that there is a nat exemption between ur vpn networks, routes for remote networks pointing to vpn gateway and no vpn filter configured in the group-policy. It would help if u had a gist of ur crypto config posted. And wat is the device on the other end?

Hi all

OK

outside ip is 200.4.250.10
local host  ip is  192.168.10.1/32
local host ip, after nat becomes 192.168.0.1/32

peer ip is 100.30.20.10

remote net 172.20.0.0/16

the ip of the local host  is 192.168.10.1 an it is natted to 192.168.0.1/32 if the traffic goes to 172.20.0.0

This is part of the configuration:

access-list outside_cryptomap_3 extended permit ip host 192.168.0.1  172.20.0.0 255.255.0.0

crypto isakmp policy 2
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 2 match address outside_cryptomap_3
crypto map outside_map 2 set connection-type originate-only
crypto map outside_map 2 set peer 100.30.20.10
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map 2 set nat-t-disable
crypto map outside_map interface outside

group-policy VPN_2 internal
group-policy VPN_2 attributes
vpn-filter none
vpn-tunnel-protocol IPSec svc

tunnel-group 100.30.20.10 type ipsec-l2l

tunnel-group 100.30.20.10 general-attributes

default-group-policy VPN_2

tunnel-group 100.30.20.10 ipsec-attributes

pre-shared-key ""

isakmp keepalive disable

Thanks in advance

there is another problem

the output of show crypto ipsec sa gives:

access-list OO_temp_outside_map2 permit ip host 200.4.250.10 host 100.30.20.10

local ident (addr/mask/prot/port): (200.4.250.10/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): 100.30.20.10/255.255.255.255/0/0)
      current_peer: 100.30.20.10

"OO_temp_outside_map2" This is not the acl I put in cryptp map my line states:

crypto map outside_map 2 match address outside_cryptomap_3

Again - provide the "no-nat" config i.e "nat inside 0"