Cisco says this won't do. Incoming and outgoing traffic is not possible on the same interface of the PIX firewall due to the firewall policy.
But there is a trick. Adding a static and a route for the remote networks overrides that firewall behaviour. But when doing this, you should be aware of security issues. For security reasons you should then have a router with an access-list in front of the PIX that denies all traffic to nets 10.... incoming from the internet.
This is the only way I know to run a PIX in hub and spoke in VPNs.