Hello All!

I have a router acting as VPN gateway on my end and I need to implement NAT translations on my IPSEC tunnel as follows:

1. I need to translate incoming IP address of the remote end of IPSec tunnel to some other IP address on our end

2. I need to translate outgoin IP address of our end of IPSec tunnel to a different IP address

I have impemented following configuration, but for some reason it is not working, I get packets decrypted on my end, but dont have packets encrypted to send to the other end.

Here is the configuration

Remote end  crypto interesting ACL:

ip access-list extended crypto-interesting-remote

permit ip host 192.168.1.10 host 10.0.0.10

My end configuration:

interface GigabitEthernet0/0

ip address xxx.xxx.xxx.xxb yyy.yyy.yyy.yyy

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

crypto map VPN

ip access-list extended crypto-interesting-local

permit ip host 10.0.0.10 host 192.168.1.10

interface GigabitEthernet0/3

ip address 172.16.0.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

speed auto

ip nat inside source static 172.16.0.20 10.0.0.10   (to translate loca IP address to the one on the crypto-interesting list - exposed to the remote peer - it works)

ip nat outside source static 192.168.1.10 192.168.168.10 (to translate remote IP address to some other IP address on our end - not working - I get packets decrypted, but no packets encrypted)

ip route 192.168.168.10 255.255.255.255 gigabitethernet 0/0

ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxa

All the routes are set, crypto ipsec tunnel is up and working and I am wondering if this is possible to achieve two-way NAT translation ?

Any response highly appreciated!

Thanks!