[czech12]

Like Lackie and Simon said, you shouldn't need to NAT anything going through a Site to Site VPN (unless you are using the same private subnets on both sides). The IKE/IPSEC traffic is initiated from your Firewall to their Nortel device and vice versa, not from your internal hosts. Once the firewalls exchange keys and the tunnel is created, the packets with the private address range IP's are encapsulated by the firewall and routed across the internet using the firewall's public IP address.

I would recommend looking in SmartView tracker to make sure you aren't getting any encryption error. It sounds to me (and I think Lackie and Simon) like you are just allowing the traffic from your internal host to the Nortel side unencrypted, because you are using Static NAT...

Hope this helps... Let us know...