Hi.. I guess they are trying to make sure any communication to head office is fully protected from internal and external sources. Internal because the system where the VPN client is installed will encrypt and decrypt the traffic to/from the head office. No PC within the LAN will be able to read other PCs' data using a sniffer or some other tool because the data is encrypted.
From external because as with any vpn the data will be protected as it travels over the Internet.
The Cisco VPN client supports NAT Transparency, which is enabled by default. It can use UDP 4500 (default) or TCP 10000 to encapsulate the IPsec packet in a layer 4 header. The PIX then would be able to perform a PAT to send those UDP packets out. I have not done this myself, but you could try allowing ports UDP 4500 and 500 on your PIX..
access-list Inside-Out extended permit udp any host x.x.x.x eq 4500
access-list Inside-Out extended permit udp any host x.x.x.x eq 500
nat (inside) 10 access-list Inside-Out
global (outside) 10 y.y.y.y
where: x.x.x.x is the IP address of the VPN end point at the head office, which needs to have NAT traversal enabled, and y.y.y.y is the public address being used for PAT as the packets leave the remote office. It could be the outside interface of the firewall, in which case you would use the 'interface' keyword.
This assumes that the firewall has a public address and the ADSL router is not blocking the above ports.
I suggest testing it in a lab if you can. I am interested to see the results.
Of course it will be so much easier to just create a LAN to LAN tunnel using the PIX as the head end.
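As an added illustration (not part of the post above, and not Cisco code), the following script shows what the NAT-T encapsulation described in the reply looks like on the wire once UDP 4500 is permitted through the PIX. It classifies the UDP payload of packets seen on ports 500 and 4500 using the RFC 3948 layout: on port 4500 an IKE message is prefixed with a four-zero-byte "non-ESP marker", an ESP packet starts directly with its non-zero SPI, and a one-byte 0xFF payload is a NAT keepalive. The packets in SAMPLE_PACKETS are constructed inline for the demonstration; the addresses are placeholders, not real hosts.

```python
import struct
from collections import Counter

# RFC 3948: on UDP/4500, IKE packets carry a 4-zero-byte marker so the
# receiver can tell them apart from ESP, whose SPI is never zero.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
IKE_HEADER_LEN = 28          # fixed ISAKMP/IKE header size
ESP_HEADER_LEN = 8           # SPI (4 bytes) + sequence number (4 bytes)
NAT_KEEPALIVE = b"\xff"      # single-octet keepalive, RFC 3948 section 4


def classify_udp_payload(dport: int, payload: bytes) -> str:
    """Return 'ike', 'esp', 'nat-keepalive', 'malformed' or 'other' for a UDP payload."""
    if dport == 500:
        # Plain IKE (ISAKMP) without UDP encapsulation of ESP.
        return "ike" if len(payload) >= IKE_HEADER_LEN else "malformed"
    if dport != 4500:
        return "other"
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if len(payload) < 4:
        return "malformed"
    if payload[:4] == NON_ESP_MARKER:
        return "ike" if len(payload) >= 4 + IKE_HEADER_LEN else "malformed"
    return "esp" if len(payload) >= ESP_HEADER_LEN else "malformed"


def parse_esp_header(payload: bytes):
    """Extract (SPI, sequence number) from a UDP-encapsulated ESP payload."""
    spi, seq = struct.unpack("!II", payload[:ESP_HEADER_LEN])
    return spi, seq


def build_ike_header(initiator_spi: bytes, msg_len: int) -> bytes:
    """Constructed IKEv2 header (version 0x20, IKE_SA_INIT exchange) for the samples."""
    # initiator SPI(8) | responder SPI(8) | next payload | version | exchange | flags | msg id | length
    return initiator_spi + b"\x00" * 8 + bytes([0x21, 0x20, 0x22, 0x08]) + struct.pack("!II", 0, msg_len)


# Constructed sample traffic: (src, sport, dst, dport, udp_payload).
# 10.0.0.5 stands in for the VPN client PC, 198.51.100.10 for the head office x.x.x.x.
IKE_HDR = build_ike_header(b"\x11" * 8, IKE_HEADER_LEN)
ESP_PAYLOAD = struct.pack("!II", 0x12345678, 1) + b"\xaa" * 32
SAMPLE_PACKETS = [
    ("10.0.0.5", 500, "198.51.100.10", 500, IKE_HDR),                     # initial IKE exchange
    ("10.0.0.5", 4500, "198.51.100.10", 4500, NON_ESP_MARKER + IKE_HDR),  # IKE after NAT detected
    ("10.0.0.5", 4500, "198.51.100.10", 4500, ESP_PAYLOAD),               # encrypted user data
    ("10.0.0.5", 4500, "198.51.100.10", 4500, NAT_KEEPALIVE),             # keeps the PAT entry alive
]


def summarize(packets) -> dict:
    """Count packet kinds so an operator can confirm the tunnel moved to UDP/4500."""
    counts = Counter(classify_udp_payload(dport, payload) for _, _, _, dport, payload in packets)
    return dict(counts)


if __name__ == "__main__":
    for src, sport, dst, dport, payload in SAMPLE_PACKETS:
        kind = classify_udp_payload(dport, payload)
        extra = ""
        if kind == "esp":
            spi, seq = parse_esp_header(payload)
            extra = f" spi=0x{spi:08x} seq={seq}"
        print(f"{src}:{sport} -> {dst}:{dport} {kind}{extra}")
    print(summarize(SAMPLE_PACKETS))
```

Seeing ESP and keepalive packets on UDP/4500 after the IKE exchange is the sign that NAT-T negotiated successfully; if only port 500 traffic appears and the tunnel never passes data, the PAT device or the ADSL router is most likely dropping UDP/4500.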