We have a strange problem with vpn-clients connecting to a Bordermanager
3.8Sp4-VPN-server (Netware 6.5Sp3).
The Bordermanager-server is behind a Cisco PIX-firewall. The Cisco PIX
uses NAT to connect the Bordermanager-server to the internet.
We used TID10095471 (On the public interface, statically NAT the private
IP to the private IP).

When the VPN-clients are behind a firewall with NAT configured (at home)
the clients get a connection and can ping the hosts on our inside-network
(and can reach the services they want).
When the VPN-clients use an IP-address of their provider (we tried several
providers), so they are directly connected to the internet, they get a
connection and an IP-address out of the IP-pool of the
Bordermanager-VPN-server, but they cannot reach and ping any service on
our network (the VPN-server cannot be pinged either).
In the "transfer statistics"-window we only see "Ip encrypted packets"
being sent, but nothing received.

What are we doing wrong?