access-list no_nat permit ip 192.168.72.0 255.255.255.0
access-list crypto permit ip 192.168.72.0 255.255.255.0
the crypto acl needs to include the remote pix outside interface. i.e.
access-list crypto permit ip 192.168.72.0 255.255.255.0 host
further, apply the same logic on the remote pix. i.e. to add its own public interface ip as part of the crypto acl.
the issue occurs because the pix itself doesn't consider as part of the vpn. so when the pix tries to connect to the tftp server, it fails. so by including the remote pix outside interface as part of the vpn, the issue should be resolved.
The following have worked well for me on IOS routers.
1. Enable FTP server on the router so that you can connect to it through the tunnel. You basically "push" the image instead of having the router pull it.
2. Use secure copy (scp) to pull the image from host running ssh. This works because you can issue the "ip ssh source-interface" command to force ssh to use a specified interface as the source. This means that the scp traffic will be NATed/tunneled/whatever according to your rules.
I realize that these are for router IOS upgrades, but they may point you in the right direction on the PIX. It's been a little bit since I touched PIX OS 6.3 and I honestly can't remember if the above capabilities existing in that version.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...