It's been "a while" since I've been near an ASA for VPN configuration purposes; indeed, I think it was running 6.something and was still called a PIX :-)
Anyhow, I (vaguely) remember it used to be the case that when you had some existing L2L IPsec VPN config and you wanted to change/add/whatever to it, planning in things like removing the crypto map from the outside interface first was A Good Idea if one wanted to avoid days of head-scratching as to why a perfectly reasonable modification screwed the whole thing over. Does that still apply, or is it all a bit more stable/forgiving nowadays?
If you have a scenario, say, similar to "L2L with overlapping networks", is it possible to have a many-to-few policy NAT? For instance, instead of the example given in the config docs:
access-list policy-nat extended permit ip 172.18.1.0 255.255.255.0 192.168.1.0 255.255.255.0
static (inside,outside) 172.18.1.0 access-list policy-nat
is it possible in any way to run your internal network of 192.168.1.0 into a smaller range?
If not everything in the internal network will be going via VPN, could something like this be used:
access-list policy-nat extended permit ip 172.18.1.0 255.255.255.240 192.168.1.0 255.255.255.0
Would that NAT...
...the first x addresses of the subnet, 1-to-1 (i.e. 192.168.1.1-14 -> 172.18.1.1-14)?
...the first addresses 'seen' to traverse the tunnel (which is what I'd like to happen), like maybe
192.168.1.212 -> 172.18.1.1
192.168.1.34 -> 172.18.1.2 etc.? (And presumably tough luck if you're internal host #15.)
Or, as I suspect, is such a thing not even possible?
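As an added illustration (not part of the original post, and not the example from Cisco's docs) of how a many-to-few policy NAT is usually expressed in pre-8.3 ASA/PIX syntax: dynamic policy NAT, i.e. a `nat ... access-list` statement tied to a `global` pool, rather than `static`. The interface names, the remote network 172.16.20.0/24, the pool boundaries and the ACL names are assumptions made for the example.

```cisco
! Added example, not from the original post. Assumes pre-8.3 ASA/PIX NAT syntax.
! Local LAN 192.168.1.0/24 overlaps with the far side, so hosts that cross the
! tunnel are presented to the peer as addresses out of 172.18.1.0/28 instead.
! Remote network 172.16.20.0/24 and the interface names are assumptions.

! Only traffic from the local LAN towards the remote LAN matches the NAT rule;
! everything else on 192.168.1.0/24 is left untouched.
access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 172.16.20.0 255.255.255.0

! Dynamic policy NAT: NAT ID 2 binds the ACL to the global pool below. A
! translation is created on demand the first time a host sends traffic that
! matches the ACL, so the mapped address depends on who talks first.
nat (inside) 2 access-list policy-nat

! A pool of 14 mapped addresses. Host number 15 gets no translation (and its
! tunnel traffic fails) unless a PAT fallback with the same NAT ID is configured.
global (outside) 2 172.18.1.1-172.18.1.14
! Optional PAT fallback: a single address is used with port translation once the
! dynamic pool is exhausted, so later hosts share 172.18.1.15.
global (outside) 2 172.18.1.15

! The crypto ACL (interesting traffic) must reference the translated addresses,
! because NAT is applied before IPsec encapsulation on the outbound path.
access-list l2l-vpn extended permit ip 172.18.1.0 255.255.255.240 172.16.20.0 255.255.255.0
```

Two caveats worth keeping in mind with this shape: a dynamic translation is only built for connections initiated from the inside, so the remote site cannot open a session towards a local host the way it could with a `static` (1-to-1) mapping; and because the crypto ACL has to match the post-NAT addresses, the peer's crypto ACL and any mirrored NAT on the far side must be written against 172.18.1.0/28, not 192.168.1.0/24. The crypto map, peer and transform-set lines are omitted here since they do not change between the static and dynamic variants.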
Circa 1994 :-)