that has answered my immediate question. Unfortunately traffic that should match the acl of the DMZ nat 0 does not. That same acl is also used for an IPSec match-address statement but as the acl is not hit it is not encrypted and is merely pumped out the default gateway with a syslog msg:
%PIX-3-305005: No translation group found for tcp src DMZ:10.33.10.107/41440 dst inside:192.168.100.10/23
(Yes "inside" is the default gateway ... don't ask!)
I have a question in the VPN > General forum under the heading "Not hitting match-address ACL therefore routing out default" which goes into this in more detail. If you have any ideas it would be much appreciated.
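As an added example (not the poster's configuration or code), the following Python parses %PIX-3-305005 messages like the one quoted above and flags those whose destination falls inside a range that should have gone through the IPsec tunnel, which is a useful alert for spotting traffic that bypassed encryption. The sample log lines and the protected subnet 192.168.100.0/24 are constructed assumptions for the demonstration.

```python
import ipaddress
import re

# Constructed sample syslog lines in the PIX 305005 format; only the first
# mirrors the post, the other two are invented to exercise the filter.
SAMPLE_LOGS = [
    "%PIX-3-305005: No translation group found for tcp src DMZ:10.33.10.107/41440 dst inside:192.168.100.10/23",
    "%PIX-3-305005: No translation group found for udp src DMZ:10.33.10.50/5000 dst inside:172.16.5.9/53",
    "%PIX-3-305005: No translation group found for tcp src inside:10.1.1.5/1234 dst outside:203.0.113.7/80",
]

# Assumed remote subnets that the nat 0 / crypto map match-address ACL is
# supposed to cover. Any 305005 hit towards these means the ACL did not match
# and the packet left unencrypted via the default route.
PROTECTED_DESTINATIONS = [ipaddress.ip_network("192.168.100.0/24")]

PATTERN = re.compile(
    r"%PIX-3-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


def parse_305005(line):
    """Return a dict of fields from a 305005 message, or None if not one."""
    m = PATTERN.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def find_tunnel_leaks(lines, protected=PROTECTED_DESTINATIONS):
    """Return parsed 305005 records whose destination is in a protected range."""
    leaks = []
    for line in lines:
        rec = parse_305005(line)
        if rec is None:
            continue
        dst = ipaddress.ip_address(rec["dst_ip"])
        if any(dst in net for net in protected):
            leaks.append(rec)
    return leaks


if __name__ == "__main__":
    for leak in find_tunnel_leaks(SAMPLE_LOGS):
        print(f"cleartext leak: {leak['proto']} {leak['src_ip']}:{leak['src_port']} "
              f"-> {leak['dst_ip']}:{leak['dst_port']} via {leak['dst_if']}")
```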