You need to avoid NAT for the internal traffic destined to the internal PIX address (IPsec session). For example, if your internal address is 1.1.1.0 and the PIX inside address is 172.16.1.0:
On your router:

ip nat inside source route-map Deny-nat ...
!
route-map Deny-nat permit 10
 match ip address 101
!
! deny = do not translate the traffic that goes into the tunnel
access-list 101 deny ip 1.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
! permit = translate everything else from 1.1.1.0
access-list 101 permit ip 1.1.1.0 0.0.0.255 any

On the PIX you also need to deny the NAT for the IPsec traffic; something like:

access-list Deny-nat permit ip 172.16.1.0 255.255.255.0 1.1.1.0 255.255.255.0
!
nat (inside) 0 access-list Deny-nat

Regards

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=65829&t=65782
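An added example, not part of the original post: a small Python model of how the router evaluates access-list 101 through the route-map, showing which flows are translated and why the deny line must come first. The function names and the sample flows are constructed for illustration.

```python
import ipaddress

# ACL 101 from the post as (action, src, src_wildcard, dst, dst_wildcard).
# "any" matches every address.
ACL_101 = [
    ("deny",   "1.1.1.0", "0.0.0.255", "172.16.1.0", "0.0.0.255"),
    ("permit", "1.1.1.0", "0.0.0.255", "any", None),
]

def wildcard_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard mask are ignored."""
    if base == "any":
        return True
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)

def acl_action(acl, src, dst):
    """First matching entry wins; no match means the implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"

def is_translated(acl, src, dst):
    """The route-map permit clause selects a packet for NAT only when
    the ACL it matches on returns permit for that packet."""
    return acl_action(acl, src, dst) == "permit"

# Constructed sample flows (not from the post).
FLOWS = [
    ("1.1.1.10", "172.16.1.5"),    # traffic for the IPsec session
    ("1.1.1.10", "198.51.100.7"),  # traffic to any other destination
    ("10.9.9.9", "198.51.100.7"),  # source not covered by ACL 101
]

if __name__ == "__main__":
    for src, dst in FLOWS:
        verdict = "NAT" if is_translated(ACL_101, src, dst) else "no NAT"
        print(f"{src} -> {dst}: {verdict}")
    # With the two entries swapped, the broad permit matches first and
    # the tunnel traffic is translated, which breaks the exemption.
    swapped = list(reversed(ACL_101))
    print("swapped order:", is_translated(swapped, "1.1.1.10", "172.16.1.5"))
```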