private net <--> PAT router <--> NAT firewall <--> www/vpn <--> CVPN
Maybe it would be better if we put some IPs into the scenario.
192.168.1.0 <--> PAT router <--> 192.168.2.0 <--> NAT firewall <--> www/vpn <--> CVPN <--> 192.168.0.0
1. A host with IP 192.168.1.100 attempts to access a server with IP 192.168.0.100.
2. The PAT router receives a packet originating from 192.168.1.100 and destined for 192.168.0.100.
3. The PAT router performs PAT, i.e. it translates the original source from 192.168.1.100 to the router's outside interface 192.168.2.1 with port 2647 (i.e. a random port assigned by the PAT router).
4. The NAT firewall receives the packet with source IP 192.168.2.1, destined for 192.168.0.100.
5. The NAT firewall has a no-NAT statement, such as "access-list no_nat permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0", thus no NAT/PAT will be performed.
6. The NAT firewall matches the packet against the crypto ACL, encrypts/encapsulates the packet and forwards it down the LAN-to-LAN VPN.
7. The CVPN receives the packet, decapsulates/decrypts it and forwards it to the server with IP 192.168.0.100.
8. The server replies. The NAT firewall receives the packet, decapsulates/decrypts it and forwards it to the PAT router.
9. The PAT router receives the packet originating from 192.168.0.100 and destined for 192.168.2.1 with port 2647.
10. The PAT router checks its translation table. It matches the existing translation, so the PAT router translates the packet's destination IP from 192.168.2.1 back to 192.168.1.100.
Please excuse my so-called "interpretation" above. It may not be very clear, but I believe this scenario should work.
In fact, I have implemented a similar scenario and it works fine. Below is the simplified topology:
private net <--> PIX (PAT) <--> PIX (PAT/no_nat) <--> www/vpn <--> CVPN <--> private net
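As an added example that is not part of the original post, the following Python model walks the ten steps above with the post's own addresses, port 2647 and no_nat ACL. It makes the order of operations explicit: the firewall decides translation first (step 5) and only then matches the crypto ACL (step 6), so the crypto ACL has to name the PAT router's outside subnet 192.168.2.0/24, not the inside subnet 192.168.1.0/24. The firewall's public address 203.0.113.1, the host's source port 40000 and the firewall's own PAT port range are assumptions made for the model only.

```python
"""Added example, not code from the original post: a small Python model of the
PAT router -> NAT firewall (no_nat + crypto ACL) -> LAN-to-LAN VPN path above.
Addresses and port 2647 come from the post; the firewall's public address
(203.0.113.1) and the host's source port (40000) are assumptions."""
from dataclasses import dataclass, replace
import ipaddress

HOST = "192.168.1.100"        # inside host (post, step 1)
SERVER = "192.168.0.100"      # remote server (post, step 1)
PAT_OUTSIDE = "192.168.2.1"   # PAT router outside interface (post, step 3)
FW_OUTSIDE = "203.0.113.1"    # assumed public address of the NAT firewall


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    encrypted: bool = False   # True while inside the LAN-to-LAN tunnel


def acl_permits(acl, pkt):
    """acl: list of (src_net, dst_net) 'permit ip' entries as CIDR strings."""
    return any(ipaddress.ip_address(pkt.src) in ipaddress.ip_network(s)
               and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(d)
               for s, d in acl)


class PatRouter:
    """Overloads every inside host onto one outside address (steps 3, 9, 10)."""
    def __init__(self, outside_ip, first_port=2647):
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.table = {}       # outside port -> (inside ip, inside port)

    def outbound(self, pkt):
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.outside_ip, sport=port)

    def inbound(self, pkt):
        entry = self.table.get(pkt.dport)
        if pkt.dst != self.outside_ip or entry is None:
            return None       # no matching translation: the reply is dropped
        return replace(pkt, dst=entry[0], dport=entry[1])


class NatFirewall:
    """Translation is decided first (step 5); the crypto ACL is then matched
    against the addresses that actually leave the outside interface (step 6)."""
    def __init__(self, outside_ip, no_nat_acl, crypto_acl):
        self.pat = PatRouter(outside_ip, first_port=1024)  # used only if not exempt
        self.no_nat_acl = no_nat_acl
        self.crypto_acl = crypto_acl

    def outbound(self, pkt):
        if not acl_permits(self.no_nat_acl, pkt):
            pkt = self.pat.outbound(pkt)          # not exempt: PAT to FW_OUTSIDE
        if acl_permits(self.crypto_acl, pkt):
            return "tunnel", replace(pkt, encrypted=True)
        return "clear", pkt                       # no crypto match: leaves unencrypted

    def inbound(self, pkt):
        pkt = replace(pkt, encrypted=False)       # decaps/decrypts (step 8)
        if pkt.dst == self.pat.outside_ip:        # undo our own PAT, if we did any
            pkt = self.pat.inbound(pkt)
        return pkt


def simulate(no_nat_acl, crypto_acl):
    """Walk one request and its reply through the topology and report which
    path it took, what the server saw and where the reply ended up."""
    pat = PatRouter(PAT_OUTSIDE)
    fw = NatFirewall(FW_OUTSIDE, no_nat_acl, crypto_acl)

    p = pat.outbound(Packet(HOST, SERVER, 40000, 80))      # steps 1-3
    path, p = fw.outbound(p)                               # steps 4-6
    if path != "tunnel":
        return {"path": path, "server_sees": None, "reply_to": None}
    p = replace(p, encrypted=False)                        # step 7: CVPN decrypts
    server_sees = (p.src, p.sport)
    reply = Packet(p.dst, p.src, p.dport, p.sport, encrypted=True)  # step 8
    reply = fw.inbound(reply)
    reply = None if reply is None else pat.inbound(reply)  # steps 9-10
    return {"path": path, "server_sees": server_sees,
            "reply_to": None if reply is None else (reply.dst, reply.dport)}


NO_NAT = [("192.168.2.0/24", "192.168.0.0/24")]   # the post's no_nat ACL

if __name__ == "__main__":
    # crypto ACL naming the PAT'd subnet: works exactly as the post describes
    print(simulate(NO_NAT, [("192.168.2.0/24", "192.168.0.0/24")]))
    # crypto ACL naming the original 192.168.1.0/24: never matches after PAT
    print(simulate(NO_NAT, [("192.168.1.0/24", "192.168.0.0/24")]))
```

The second run is the check worth making on a real box: if the crypto ACL (or the mirror ACL on the CVPN side) is written for 192.168.1.0/24, the firewall sees 192.168.2.1 after the PAT router and the traffic never enters the tunnel. Dropping the no_nat exemption has the same effect for a 192.168.2.0/24 crypto ACL, because the firewall then translates the source to its own outside address before the crypto ACL is evaluated.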