We have a customer with 2 locations. Each location has a T1 circuit. Site A has an ip scheme of 192.168.1.x and site B has a scheme of 192.168.3.x. The T1 provider has a "VPN Solution" implemented where they route the local traffic for us over their backbone. Traffic from site A destined for 192.168.3.1 is sent to the provider's local router (at site B), and they send it to their router at the other location (site A) which in turn sends it to our router (at the same site). I can see the traffic get to the other side, but it stops at our routers. Even though traffic at site B arrives with at the public side with a destination address of 192.168.3.1, the router doesn't know what to do with it, even though I just want it to pass through to the private side (without translating). Disabling NAT allows each site to communicate with the other; however the customer loses internet connectivity. Enabling NAT gives them connectivity but they can't communicate between sites. Can anyone offer any advice regarding a solution?

I can see the traffic get to the other side, but it stops at our routers. Even though traffic at site B arrives with at the public side with a destination address of 192.168.3.1, the router doesn't know what to do with it, even though I just want it to pass through to the private side (without translating). This is indicative of a configuration issue with your router then. You have to find out why it's not sending the 192.168.3.x traffic to it's correct destination. Knowing the make/model of your router's and also the configurations would be helpful. Also, does the traffic going in the opposite direction get to it's destination ok? If yes, then do a line-by-line comparison of the config's on both routers. If not, then you have the same misconfiguration issue at both ends. It's also possible the issue is hardware but that's not very likely considering the internet does work for users at that site.

What VPN software are they using? Do both sites have a separate connection to the ISP? In other words, 2 separate external IP addresses?

What does your isp have to say about this issue? After all they are the ones providing the "vpn solution". Fact you can see inside the packets arrive at the other end means you DO NOT have a site to site vpn. You should not be able to see within the encrypted tunnel. Fact you can means that anyone can. Ever hear of man in the middle attack? Personally I would not allow an isp to do this for me. That puts them in a situation that can compromize your network security. Instead you can do this yourselve securely using something like Sonicwall. I have a site to site vpn connection by putting a sonicwall at each end. The far end allow both vpn and internet access whereas the end at the main center only allows the site to site vpn and remote client vpn access. Example of Oxymoron: Person who is pro life and anti sex education. Education is key to prevention. Prevent conception you prevent abortion. Abstinence training clearly isn't working.