I have a L2 tunnel that in addition to the public IP of the endpoint also has a /29 block routed over it.  The tunnel is set up as a LAN-LAN VPN with the "make default route" option ticked and "route" selected not "NAT".  The router is connected to the internet over WAN2 with a fixed IP behind another router to a different provider.   The /29 block is setup as the routed subnet LAN with the router assigned the .254 address on that block. 

The tunnel establishes absolutely fine and I can connect to services on the hosts on the /29 block. The problem is that connections to those hosts all appear to come from the router's .254 address not the actual source of the connection.

It looks like the router is doing address translation between the tunnel and the routed subnet.

I have other /29 blocks set up with routed subnet and those work fine but the difference is that the tunnel in those cases is over DSL not a VPN.

Anyone seen this and can offer advice on how to stop the translating behaviour?

Its a 2860 on FW 3.9.8.6.

Thanks.