I come back with my NAT story...
I have a problem.
Please watch the diagram attached.
My site (green) is connected to my customer (violet) thru a VPN IPsec.
My Encryption Domain is my public range (184.108.40.206/28) and the remote Encryption Domain is 220.127.116.11/24.
My Peer is 18.104.22.168 and the remote peer is 22.214.171.124.
VPN are mounted between a CheckPoint and an ASA Cisco 5555.
The CheckPoint is carrying the virtual IP (126.96.36.199) for the NAT of SRV001 with an ARP Proxy.
My customer thru the VPN has to communicate with SRV001 via the NATed IP 188.8.131.52.
Then the check has to NAT it to 192.168.1.100.
On the other sense, SRV001 has to communicate with SRV_CUSTOMERS (184.108.40.206, 220.127.116.11)
When SRV001 initiate the communication, the CheckPoint has to NAT is IP from 192.168.1.100 to 18.104.22.168 and then to send it thru the VPN.
On the other case SRV001 no need to be NATed for corporate communication.
Right now, my VPN Tunnel is UP.
When I am pinging the 22.214.171.124 or 126.96.36.199 with the CheckPoint it's working going thru the VPN Tunnel.
When I am pinging the 188.8.131.52 or 184.108.40.206 from SRV001, I saw with TCPDUMP that the firwall on the customer interface make the NAT and replace the 192.168.1.100 with the 220.127.116.11 but the trafic is not going thru the VPN.
How to force to send the NATed packet thru the VPN?
Support NAT-Traversal is enabled.
I saw the option in the VPN Communities the option "Disable NAT inside the VPN communitie", what is it doing?