
NAT within a VPN tunnel


kinnoinen

Technical User
Jul 6, 2011
1
FI
Hi.

I'm having problems with NAT and a site-to-site VPN tunnel. The setup is as follows:

Site A (our site): PIX 515E
-------------------------------
interface outside: 1.1.1.1
interface inside: 192.168.205.1/24
server A: 192.168.205.14 (no public address)
interface intf2: 192.168.209.1/24
server B: 192.168.209.10 (has public address of 1.1.1.2)

Site B (partner site)
------------------------
interface outside: 2.2.2.2
interface inside: 3.3.3.3/27

There is a working site-to-site VPN between the sites. Site B needs to access the servers at Site A, but they can't use the 192.168.205.14 and 192.168.209.10 addresses because they are using them elsewhere. We wanted server A to use the NAT address 192.168.153.1/29. AFAIK we have to use the 1.1.1.2 address for server B, since the PIX isn't allowing me to do a second NAT to the same private address.

So the tunnel should look something like:

3.3.3.3/27 -> 192.168.153.1 -> NAT -> 192.168.205.14
3.3.3.3/27 -> 1.1.1.2 -> NAT -> 192.168.209.10

And of course the other way around too. The current configuration has these lines:

access-list vpn permit ip host 1.1.1.2 3.3.3.3 255.255.255.224
access-list vpn permit ip 3.3.3.3 255.255.255.224 192.168.153.0 255.255.255.248
access-list vpn permit ip 3.3.3.3 255.255.255.224 host 1.1.1.2
ip address outside 1.1.1.1 255.255.255.128
ip address inside 192.168.205.1 255.255.255.0
ip address intf2 192.168.209.1 255.255.255.0
global (outside) 1 1.1.1.3
nat (inside) 0 access-list no_nat
nat (inside) 1 192.168.205.0 255.255.255.0 0 0
nat (intf2) 0 access-list no_nat
nat (intf2) 1 192.168.209.0 255.255.255.0 0 0
static (intf2,outside) 1.1.1.2 192.168.209.10 netmask 255.255.255.255 0 0
static (inside,intf2) 192.168.205.0 192.168.205.0 netmask 255.255.255.0 0 0
I tried many different configurations but couldn't get anything to work. I removed the lines that I tried earlier, so it's a "clean slate". Any help?