The way I have set this up in the past, and the way I have had the most success, is this: I set my nonat and my match address to the same access-list (access-list 100). I would then apply the 110 access-list to the inside interface.
It makes things much simpler to allow full IP over the tunnel, but only allow certain ports (FTP, WWW, etc.) to even get to the tunnel from the inside interface.
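As an added worked example (not the poster's own configuration), here is what that layout looks like in pre-8.3 PIX/ASA syntax. The inside network 192.168.1.0/24, the remote network 192.168.2.0/24, the peer address 203.0.113.2, the transform-set and crypto map names are assumed placeholders. The point being demonstrated is the split: one access-list (100) defines both the NAT exemption and the crypto "interesting traffic" so the two never drift apart, while a second access-list (110) on the inside interface decides which services may reach the tunnel at all.

```cisco
! --- Access-list 100: shared by NAT exemption and the crypto map ---
! Full IP between the two LANs, so the proxy IDs negotiated with the
! peer are a single net-to-net pair and never mismatch.
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! NAT exemption (nonat) uses the same list
nat (inside) 0 access-list 100

! --- Access-list 110: applied inbound on the inside interface ---
! Only FTP and HTTP from the inside LAN may head toward the remote LAN;
! everything else destined for the remote LAN is dropped before it ever
! reaches the tunnel. Other Internet-bound traffic is still allowed.
access-list 110 permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq ftp
access-list 110 permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq www
access-list 110 deny   ip  192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 110 permit ip  192.168.1.0 255.255.255.0 any
access-group 110 in interface inside

! --- IPsec: the crypto map matches the same access-list 100 ---
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address 100
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside

isakmp enable outside
isakmp key ******** address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

Two caveats worth checking before relying on this. First, access-list 110 filters only traffic leaving the inside interface toward the tunnel; on PIX and pre-8.3 ASA the default `sysopt connection permit-ipsec` (later `permit-vpn`) lets decrypted traffic arriving from the peer bypass the outside interface ACL, so restricting what the remote side may initiate needs either a VPN filter or turning that sysopt off and writing an outside ACL. Second, on ASA 8.3 and later the `nat (inside) 0 access-list` form no longer exists; the exemption becomes a twice-NAT (manual NAT) rule such as `nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static REMOTE_NET REMOTE_NET`, while the crypto map `match address` line stays the same.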