I am a self-taught yet reasonably experienced administrator of the software client-to-3005 concentrator VPN scenario. Some of the concepts, though, have me stuck when trying to apply things in the 3002-to-5510 environment: I have successfully configured the 5510 and a 3002 to connect to each other and establish a VPN tunnel. A software client would now have an overriding VPN tunnel private IP address assigned to the client machine it is running on, which will be used for all tunneled traffic. The 3002, however, actually has a private hardware interface that I thought I already needed to configure with an applicable private IP address of the network it is residing on. Did the ASA now assign an additional private tunnel VPN address to this 3002? (It is configured like my old 3005 to use a local address pool for client DHCP assignments.) What good does this do for my client that sits (untunneled) on the private network behind the 3002? Do I have to add a static route to point traffic for the network behind the 5510 to the 3002? If so, to the physical private IP or to the assigned tunnel IP? What if that tunnel IP changes later due to DHCP? I'm sure this sounds funny to an expert, but I am drawing a blank here as to how this is supposed to work. ;-) Enlighten me, please!
Answering your questions one by one:
Q: There are no internally routable subnets behind the 3002 allowed, which basically requires me to physically put the private interface of the 3002 onto the subnet with the system(s) that need access to the VPN tunnel. Correct?
Yes, that's correct.
Q: Furthermore, one of my remote sites has two servers behind the 3002 that I must be able to specifically address from the main site's network, so PAT won't work at all since that would represent all systems behind the 3002 with the same (3002 private) IP address to the central site, correct?
This is also correct, you need to use NEM.
Q: How do the systems behind the 3002 "initiate" a tunnel connection (i.e., know where to find the 5510, get a tunnel IP address from the 5510, update their routing table for tunneled traffic)?
If we are talking EzVPN, the systems do not get an IP from the ASA. Also, the systems do not update their routing tables. Everything's done by the 3002.
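An added configuration example, not taken from this thread, of what the answer describes on the ASA side: a tunnel group for the 3002 hardware client in Network Extension Mode (NEM) with reverse-route injection, written in ASA 7.x/8.0-era syntax. The object names, the two subnets and the pre-shared-key placeholder are assumptions.

```cisco
! Added example, not from the thread. ASA 7.x/8.0-style syntax; names and addresses are assumed.
! Central-site network behind the 5510 (assumed):        10.1.0.0/16
! Remote subnet on the 3002 private interface (assumed): 192.168.10.0/24

! Traffic the 3002 should send through the tunnel (central-site networks only).
access-list SPLIT-ACL standard permit 10.1.0.0 255.255.0.0

! Group policy applied to the hardware client.
group-policy HWCLIENT-POLICY internal
group-policy HWCLIENT-POLICY attributes
 ! NEM: the 3002 does not PAT the hosts behind it, so their real 192.168.10.x
 ! addresses are visible at the central site and individual servers can be reached.
 ! (Leaving this at "nem disable" puts the 3002 in client/PAT mode: every host
 ! behind it appears as one address, which is what the question rules out.)
 nem enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-ACL
 ! No address pool is needed for the hosts: in NEM they keep their own LAN
 ! addresses and simply use the 3002 private interface as their default gateway.

! Tunnel group the 3002 authenticates to (group name and PSK must match the 3002 config).
tunnel-group HWCLIENT-GROUP type ipsec-ra
tunnel-group HWCLIENT-GROUP general-attributes
 default-group-policy HWCLIENT-POLICY
tunnel-group HWCLIENT-GROUP ipsec-attributes
 pre-shared-key <REPLACE-WITH-STRONG-PSK>

! IPsec settings. "set reverse-route" (RRI) makes the ASA install a route to
! 192.168.10.0/24 via the tunnel when the 3002 connects, so no static route for
! the remote subnet has to be maintained on the 5510.
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set transform-set ESP-AES-SHA
crypto dynamic-map DYN-MAP 10 set reverse-route
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
```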