It helps but the problem is this article looks to be for all traffic. What I need to do is on the remote network is more like split tunnel. I need to NAT traffic slated for a particular service to go down the VPN tunnel and NAT to a particular IP pool. But I also need it to use the Internet NAT pool for all other applications. Likewise for the HQ office. Because of overlapping networks.

So if I have a client in the remote office with an IP of 10.10.1.1

They want to access a service that is on the VPN tunnel they get NATed to a 172.x.x.x address. On the HQ end I would route anything for 172.x.x.x to the VPN so that the service at HQ would know how to get back to the remote office. Possible?

Did you figure out your problem? I have same issue. Cisco VPN concentrators handle this kind of situations with 4-5 clicks. I really miss the VPN Concentrator for its capability of letting you apply NAT or Traffic policy per IPSEC session. On PIX, IOS or ASA, all NAT seems to be global not per specific to ipsec session.

I also have issue with the same situation.

pix1:

access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

ip address outside x.x.x.x 255.255.255.248

ip address inside 192.168.1.1 255.255.255.0

sysopt connection permit-ipsec

static (outside,inside) 10.2.2.0 192.168.1.0 netmask 255.255.255.0 0 0

static (inside,outside) 10.1.1.0 192.168.1.0 netmask 255.255.255.0 0 0

route outside 0.0.0.0 0.0.0.0

crypto ipsec transform-set vpnset esp-des esp-md5-hmac

crypto map vpnmap 10 ipsec-isakmp

crypto map vpnmap 10 match address nonat

crypto map vpnmap 10 set peer y.y.y.y

crypto map vpnmap 10 set transform-set vpnset

crypto map vpnmap interface outside

isakmp enable outside

isakmp key ******** address y.y.y.y netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

pix2:

access-list nonat permit ip 10.2.2.0 255.255.255.0 192.168.1.0 255.255.255.0

ip address outside y.y.y.y 255.255.255.248

ip address inside 192.168.1.1 255.255.255.0

static (outside,inside) 10.1.1.0 192.168.1.0 netmask 255.255.255.0 0 0

static (inside,outside) 10.2.2.0 192.168.1.0 netmask 255.255.255.0 0 0

route outside 0.0.0.0 0.0.0.0

sysopt connection permit-ipsec

crypto ipsec transform-set vpnset esp-des esp-md5-hmac

crypto map vpnmap 10 ipsec-isakmp

crypto map vpnmap 10 match address nonat

crypto map vpnmap 10 set peer x.x.x.x

crypto map vpnmap 10 set transform-set vpnset

crypto map vpnmap interface outside

isakmp enable outside

isakmp key ******** address x.x.x.x netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

But ipsec tunnel can not setup.Debug information show me error message "proxy identities not supported".The cisco document told me that this message appears in debugs if the access list for IPsec traffic does not match.

what can i do next?

Thanks a lot

I belive that the static translations on pix 2 are not needed. Try it. In translations like this the source and destinations will be teoreticly ok but this will be out of sesion packets.

Wen pix 1 translate outbound packet the pasket will have source 10.1.1.x and destination 192.168.1.x the pix 2 get that and send it to host. Host answer to destination 10.1.1.x and from his source 192.168.1.x and when pix 2 make translation on this packet the packet will have destination 192.168.1.x and source 10.2.2.x and the pix 1 waiting on packet from the source 192.168.1.0 and to destination 10.1.1.0.