We have one remote IPsec tunnel group; the clients' address pool uses 172.18.33.0/24, which is set up with the "ip local pool" command. The remote clients have to use a full IPsec tunnel.
Due to an IP overlap or route issue, we would like to NAT this local pool from 172.18.33.0 to the 192.168.3.0 subnet when VPN users access certain subnets or servers through the ASA's outside interface. From what I understand, the nat command maps addresses from one interface to another interface. The VPN local pool isn't behind any ASA physical interface. My question is: can the ASA set up policy NAT for a VPN local pool? If yes, how do I set up this NAT?
access-list NAT_VPNClients permit ip 172.18.33.0 255.255.255.0 10.1.1.0 255.255.255.0
static (outside,outside) 192.168.33.0 access-list NAT_VPNClients
The above configuration will NAT 172.18.33.0/24 to 192.168.33.0/24 when going to 10.1.1.0/24 (assuming 10.1.1.0/24 is your servers' subnet).
To allow the ASA to redirect traffic back out the same interface on which it received it, you also need the command:
same-security-traffic permit intra-interface
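
The answer above uses the policy static NAT syntax with an access-list. As an added example that is not part of the original reply, the same translation is written below in the object-based twice NAT syntax, assuming the ASA runs software 8.3 or later, where the `static ... access-list` form is no longer accepted. The object names are hypothetical, and the subnets are the ones used in the answer.

```cisco
! Added example, not from the original post. Assumes ASA 8.3+ NAT syntax.
! Object names (VPN_POOL, VPN_POOL_MAPPED, SERVERS) are hypothetical.

! Real addresses handed out by "ip local pool"
object network VPN_POOL
 subnet 172.18.33.0 255.255.255.0

! Addresses the servers should see instead (same mask, so hosts map 1:1)
object network VPN_POOL_MAPPED
 subnet 192.168.33.0 255.255.255.0

! Destination that triggers the translation (assumed server subnet)
object network SERVERS
 subnet 10.1.1.0 255.255.255.0

! Twice NAT: translate the source only when the destination is SERVERS.
! The destination is mapped to itself, so it is matched but not changed.
! VPN traffic to any other destination keeps its 172.18.33.x source.
nat (outside,outside) source static VPN_POOL VPN_POOL_MAPPED destination static SERVERS SERVERS

! Still required: decrypted VPN traffic enters and leaves on "outside"
same-security-traffic permit intra-interface
```

After a test connection from a VPN client to a server, `show nat detail` lists the rule with its hit counters, and `show xlate` shows the 172.18.33.x to 192.168.33.x mappings, which confirms that only traffic to 10.1.1.0/24 is being translated.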