It would help if we knew what software version you're running, and even what product you're using :-)
Anyway, I'll assume a PIX. If you're running 6.3 then you can use the command "fixup protocol esp-ike" to enable ONE internal VPN session to use the PAT'd address on the outside interface (you don't need to define a static in other words). There is no good way to do this for several internal users though.
If you're running v7.x then unfortunately there's no way to do it as they removed the "esp-ike" fixup, although I have heard that it's coming back in shortly. Again though it'll only probably support ONE internal VPN user.
The best way around this is to enable NAT-T (IPSec encapsulation) between the VPN clients and VPN concentrator. Every VPN product will have this functionality nowadays, where the IPSec packets are encapsulated within TCP or UDP packets so that they can be correctly PAT'd by any device. If you can enable this on the VPN ends, then you won't need to make any changes on your firewall, AND it will support several internal users.
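
The difference between raw ESP and NAT-T through a PAT device, as an added example that is not part of the original post: a simplified Python model of a PAT table. The class, addresses and port numbers are constructed, and the single ESP slot is a modelling assumption standing in for the one-session behaviour described above; real firewalls differ in detail.

```python
# Simplified model of a PAT device (added example; all values are constructed).
ESP, UDP = 50, 17          # IP protocol numbers
NAT_T_PORT = 4500          # UDP port used for ESP-in-UDP encapsulation


class Pat:
    def __init__(self, outside_ip):
        self.outside_ip = outside_ip
        self.next_port = 20000
        self.out_map = {}      # (proto, inside_ip, inside_port) -> outside_port
        self.by_port = {}      # (proto, outside_port) -> inside_ip
        self.esp_owner = None  # ESP has no ports, so there is nothing to key on

    def outbound(self, proto, src_ip, src_port=None):
        """Translate an inside packet; return (outside_ip, outside_port) or None."""
        if proto == ESP:
            # Assumption: one slot only, so a second inside host is refused.
            if self.esp_owner not in (None, src_ip):
                return None
            self.esp_owner = src_ip
            return (self.outside_ip, None)
        key = (proto, src_ip, src_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.by_port[(proto, self.next_port)] = src_ip
            self.next_port += 1
        return (self.outside_ip, self.out_map[key])

    def inbound(self, proto, dst_port=None):
        """Return the inside host a reply is delivered to, or None."""
        if proto == ESP:
            return self.esp_owner
        return self.by_port.get((proto, dst_port))


def demo():
    clients = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]
    raw = Pat("203.0.113.1")
    raw_ok = [c for c in clients if raw.outbound(ESP, c) is not None]
    natt = Pat("203.0.113.1")
    ports = {c: natt.outbound(UDP, c, NAT_T_PORT)[1] for c in clients}
    # Each reply is demultiplexed by its translated UDP port.
    natt_ok = [c for c in clients if natt.inbound(UDP, ports[c]) == c]
    return raw_ok, natt_ok


if __name__ == "__main__":
    print(demo())
```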