
PIX static address translation

cisco7889
Level 1

I am trying to use a static address translation for the local net 192.168.117.0 to net 172.18.18.0, but I only want to use this translation when the destination is net 192.0.0.0 (this is a net beyond a VPN connection). I can use the configuration below, but then the global PAT doesn't work, so the users on the local net cannot connect to the Internet.

access-list 101 permit ip 172.18.18.0 255.255.255.0 192.0.0.0 255.255.255.0

static (inside,outside) 172.18.18.0 192.168.117.0 netmask 255.255.255.0

I would be very grateful for an answer. /Jonny


shijogeorge
Level 1

Hi Jonny,

Pls try this.

access-list test permit ip 192.168.117.0 255.255.255.0 192.0.0.0 255.0.0.0

static (inside,outside) 172.18.18.0 access-list test

HTH

Regards,

Shijo George.

Unfortunately that didn't work. Maybe it's because the address 172.18.18.0 in the command (static (inside,outside) 172.18.18.0 access-list test) is the global address and not the local?

Hi,

It's the global address itself that has to be mentioned there.

Did you clear the xlate after configuring this?

Regards,

Shijo George.

I can see the translation in the log viewer (Built static translaton from inside: 192.168.117.100 to outside(test): 172.18.18.100), but the packets are not going into the VPN tunnel any more, to destination 192.0.0.0. Here is the configuration of the PIX 501.

access-list inside_access_in permit ip any any

access-list outside_access_in permit icmp any any echo-reply

access-list test permit ip 192.168.117.0 255.255.255.0 192.0.0.0 255.255.255.0

global (outside) 15 interface

nat (inside) 15 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 172.18.18.0 access-list test 0 0

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address test

crypto map outside_map 20 set peer 192.168.223.2

crypto map outside_map 20 set transform-set ESP-DES-MD5

isakmp key ******** address 192.168.223.2 netmask 255.255.255.255 no-xauth no-config-mode

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 1

isakmp policy 20 lifetime 86400

Regards

/Jonny

Hi Jonny,

Please keep the crypto access-list the same as the one you had earlier. You have to mention the NATted IP segment in the crypto access-list.

e.g.:

access-list crypto-acl permit ip 172.18.18.0 255.255.255.0 192.0.0.0 255.255.255.0

crypto map outside_map 20 match address crypto-acl

HTH

Regards,

Shijo George.

Thanks Shijo!

It is working now.

/Jonny
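
The fix in the last reply follows from the order of operations: the PIX applies the policy static first and only then compares the packet with the crypto map ACL, so that ACL has to name the translated segment. The Python check below is an added example, not part of the thread and not a Cisco tool; the function names are assumptions, the two configs are constructed from the lines posted above, and only plain `permit ip <net> <mask> <net> <mask>` ACL entries are parsed.

```python
import ipaddress

# Constructed sample: the three relevant lines of the non-working config in the thread.
BROKEN = """\
access-list test permit ip 192.168.117.0 255.255.255.0 192.0.0.0 255.255.255.0
static (inside,outside) 172.18.18.0 access-list test 0 0
crypto map outside_map 20 match address test
"""
# Constructed sample: the same lines after the change suggested in the last reply.
FIXED = BROKEN.replace("match address test", "match address crypto-acl") + (
    "access-list crypto-acl permit ip 172.18.18.0 255.255.255.0 192.0.0.0 255.255.255.0\n"
)

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Collect ACL entries, policy statics and the ACLs bound to crypto maps."""
    acls, statics, crypto_acls = {}, [], []
    for line in config.splitlines():
        t = line.split()
        if (t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]
                and len(t) >= 8 and not {"host", "any"} & set(t)):
            acls.setdefault(t[1], []).append((net(t[4], t[5]), net(t[6], t[7])))
        elif t[:1] == ["static"] and t[3:4] == ["access-list"] and len(t) >= 5:
            statics.append((t[2], t[4]))  # (global base address, policy ACL name)
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"] and len(t) >= 7:
            crypto_acls.append(t[6])
    return acls, statics, crypto_acls

def untunnelled_policy_nat(config):
    """One finding per policy-NAT flow that no crypto ACL matches after translation."""
    acls, statics, crypto_acls = parse(config)
    findings = []
    for mapped_base, nat_acl in statics:
        for real, dst in acls.get(nat_acl, []):
            # The policy static maps the ACL's source net onto the global base, same mask.
            mapped = net(mapped_base, real.netmask)
            covered = any(mapped.subnet_of(s) and dst.subnet_of(d)
                          for name in crypto_acls for s, d in acls.get(name, []))
            if not covered:
                findings.append(f"{real} leaves as {mapped} -> {dst}, matched by no crypto ACL")
    return findings

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, untunnelled_policy_nat(cfg) or "ok")
```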
