We are in the process of migrating from a 506e version 6.3 to a 515e version 7.0(5). We have everything up and running now except for one remote site which is on a 172.16.0.0 network and connects via ADSL to an ISP, then to an IT company who say they are running a site-to-site VPN to us. Convoluted, I know (we inherited it). Here is the old part of the VPN config.
The initiator will offer the highest priority proposal (in ISAKMP policy, highest priority means lowest number, e.g. isakmp policy 10 has higher priority than isakmp policy 20) and the responder will search its locally configured ISAKMP policies for a match. If there are none, the initiator will propose the next highest ISAKMP policy. This process will continue until the initiator has no proposals left to offer the responder.
So you can have as many policies as you want, but at least one policy must match.
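The proposal walk described in the answer above, as an added example that is not part of the original thread or of any Cisco code: a small model of how an IKEv1 initiator offers its ISAKMP policies in priority order and how the responder scans its own policies for a match. The policy values (3DES, AES-256, MD5, SHA, DH groups 2 and 5) are constructed sample data standing in for the two PIX/ASA sides; the lifetime comparison (the responder's lifetime must be less than or equal to the one proposed, and the shorter value is used) is modelled on Cisco's documented IKEv1 behaviour.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class IsakmpPolicy:
    """One 'isakmp policy <n>' entry. Lower priority number = higher priority."""
    priority: int
    encryption: str      # e.g. "3des", "aes-256"
    hash: str            # e.g. "md5", "sha"
    authentication: str  # e.g. "pre-share", "rsa-sig"
    group: int           # Diffie-Hellman group number
    lifetime: int = 86400  # seconds; Cisco default

def ordered(policies: List[IsakmpPolicy]) -> List[IsakmpPolicy]:
    """Highest priority first, i.e. ascending by policy number."""
    return sorted(policies, key=lambda p: p.priority)

def responder_match(proposal: IsakmpPolicy,
                    responder_policies: List[IsakmpPolicy]) -> Optional[IsakmpPolicy]:
    """Responder checks its own policies, highest priority first, for one that
    agrees with the proposal on encryption, hash, auth and DH group and whose
    lifetime is not longer than the one proposed."""
    for local in ordered(responder_policies):
        if (local.encryption == proposal.encryption
                and local.hash == proposal.hash
                and local.authentication == proposal.authentication
                and local.group == proposal.group
                and local.lifetime <= proposal.lifetime):
            return local
    return None

def negotiate(initiator_policies: List[IsakmpPolicy],
              responder_policies: List[IsakmpPolicy]
              ) -> Optional[Tuple[IsakmpPolicy, IsakmpPolicy, int]]:
    """Initiator offers policies from highest priority down until the responder
    accepts one. Returns (offered, accepted, agreed_lifetime) or None when the
    initiator runs out of proposals (the 'no matching policy' failure mode)."""
    for proposal in ordered(initiator_policies):
        local = responder_match(proposal, responder_policies)
        if local is not None:
            return proposal, local, min(proposal.lifetime, local.lifetime)
    return None

# Constructed sample data: the migrated 515e side prefers AES-256/SHA/group 5,
# but also keeps the legacy 3DES/MD5/group 2 policy the remote site expects.
INITIATOR = [
    IsakmpPolicy(10, "aes-256", "sha", "pre-share", 5),
    IsakmpPolicy(20, "3des", "md5", "pre-share", 2),
]
# The remote IT company's device only knows the legacy policy, with a shorter lifetime.
RESPONDER = [IsakmpPolicy(10, "3des", "md5", "pre-share", 2, lifetime=28800)]
# A responder whose only policy uses DH group 1: nothing the initiator offers will match.
RESPONDER_NO_MATCH = [IsakmpPolicy(10, "3des", "md5", "pre-share", 1)]

if __name__ == "__main__":
    result = negotiate(INITIATOR, RESPONDER)
    if result:
        offered, accepted, lifetime = result
        print(f"agreed: initiator policy {offered.priority} <-> responder policy "
              f"{accepted.priority}, lifetime {lifetime}s")
    print("no match:", negotiate(INITIATOR, RESPONDER_NO_MATCH))
```

Running the model with the sample data shows why keeping the inherited 3DES/MD5/group 2 policy on the new 515e matters: policy 10 is offered first and rejected, policy 20 is accepted, and the shorter 28800 second lifetime is used. Against the group 1 responder the initiator exhausts its proposals and phase 1 never completes, which is the symptom to look for in `debug crypto isakmp` output before touching anything else.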
Yes, you need to remove IPsec traffic from the NAT process (because IPsec doesn't cooperate with NAT well).