I have to replace a VPN3000 platform, which is using a global ip address to terminate multiple IPsec tunnels to remote Internet stations using Cisco VPN clients, with a new ASA5500 IPsec VPN.
The problem is that as part of this upgrade, the new ASA5500 must be assigned with private ip addresses (RFC1918), which means that there will be a device doing NAT somewhere in between.
According with the documentation, to establish IPSec peers through the NAT device is possible by enabling NAT-T in the ASA. Am I right ? Should I observe any additional precaution ?