Problem with Netscreen VPN SOHO to CORP


Archived from groups: comp.dcom.vpn

 

Hello,

I have a problem with my VPN access from a user that has a Netscreen
5xp for his SOHO that is connected to corporate via a Netscreen 100.
The tunnel is up and working but the access is only uni-directional
(he can reach our intranet but we cannot reach him). He is running a
10.10.10.x /24 network at his home office and we use a 172.16.24.x /22
at corporate. When he needs to access internal resources it goes out
his Netscreen 5xp and across the tunnel and hits the Netscreen 100 and
gets NAT'd to a NAT pool of 172.16.26.x /24; which he then traverses
our intranet via the NAT'd and routed IP. The problem here is that
even though we know what his NAT'd IP is (say 172.16.26.50), he can
access all systems but we cannot even ping his NAT'd IP address. This
is causing problems since some of our internal systems need to be able
to reach his machine. One way around this is if we route his
10.10.10.x network internally at corporate and then set his VPN tunnel
to bidirectional (Untrust to Trust, and Trust to Untrust) he traverses
the VPN tunnel and network without getting NAT'd and all works fine.
The problem is that we do not want to route all these SOHO users, we
want to have them NAT when they come in. Any ideas why when these
users are NAT'd that we cannot ping them or access their machines?
We also use Cisco software VPN client which is set up in a similar
fashion where all remote users get NAT'd to a pool of internal IPs
(172.16.25.x /24) but we CAN ping their NAT'd IP??? Very weird and
confusing. Any help or information would be appreciated.

Regards,

James
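
An added example, not part of the original post: a generic model of session-based dynamic source NAT from a pool, using the post's address ranges. It assumes the 172.16.26.x pool is handed out per outbound session (an assumption; the post does not show the Netscreen 100 configuration) and shows why such a pool address answers only for sessions the SOHO host opened, while a fixed one-to-one mapping also accepts new inbound connections. The class name `PoolNat` and the individual host addresses are constructed for illustration.

```python
import ipaddress


class PoolNat:
    """Generic stateful source NAT model (illustrative, not ScreenOS code)."""

    def __init__(self, pool, static=None):
        self.static = dict(static or {})   # pool IP -> real IP, fixed one-to-one
        self.free = [str(h) for h in ipaddress.ip_network(pool).hosts()
                     if str(h) not in self.static]
        self.alloc = {}                    # real IP -> pool IP (dynamic)
        self.sessions = {}                 # (pool IP, peer IP) -> real IP

    def outbound(self, src, dst):
        """SOHO host -> corporate: translate the source, record the session."""
        fixed = [p for p, r in self.static.items() if r == src]
        if fixed:
            return fixed[0]
        if src not in self.alloc:
            self.alloc[src] = self.free.pop(0)
        pub = self.alloc[src]
        self.sessions[(pub, dst)] = src
        return pub

    def inbound(self, src, dst):
        """Corporate -> pool address: real IP to forward to, or None (dropped)."""
        if dst in self.static:             # static mapping works in both directions
            return self.static[dst]
        # Dynamic pool: only replies to a session the SOHO host opened match.
        return self.sessions.get((dst, src))


def demo():
    # Constructed hosts: 10.10.10.5 (SOHO), 172.16.24.10 and 172.16.24.99 (corporate).
    nat = PoolNat("172.16.26.0/24")
    pub = nat.outbound("10.10.10.5", "172.16.24.10")
    reply = nat.inbound("172.16.24.10", pub)      # return traffic of that session
    fresh = nat.inbound("172.16.24.99", pub)      # new connection from corporate
    fixed = PoolNat("172.16.26.0/24", static={"172.16.26.50": "10.10.10.5"})
    mapped = fixed.inbound("172.16.24.99", "172.16.26.50")
    return pub, reply, fresh, mapped


if __name__ == "__main__":
    print(demo())
```
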
