I'm having trouble setting up a specific scenario. I have several Cisco VPN 3000 series Concentrators connected to a Cisco 7204 via IPSec just fine. My problem occurs when the 3000 public IP is being NAT'd. For example:
+------+      +----+               +------+
| 3000 |------| FW |---------------| 7204 |
+------+      +----+               +------+
Public IP: 10.10.10.1                    Public IP: 164.6.6.1
NAT'd on FW to: 129.22.22.1
Private IP: 192.168.0.1 (not relevant)
Private IP is NAT'd to: 172.31.1.17

Based on the above, below is my non-working config on the 7204. It works fine if the 3000 isn't being NAT'd on the public interface. Any help would be GREATLY appreciated.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 15
 encr 3des
 hash md5
 authentication pre-share
 lifetime 28800
crypto isakmp key vpnkey address 129.22.22.1
crypto ipsec transform-set c3k-def esp-3des esp-sha-hmac
crypto map to-cust 22221 ipsec-isakmp
 description to C3KMYVPN
 set peer 129.22.22.1
 set transform-set c3k-def
 set pfs group1
 match address C3KMYVPN
ip access-list extended C3KMYVPN
 permit ip 129.38.2.192 0.0.0.63 host 172.31.1.17