Traffic being encrypted is BASED on the routing table, so anything that points to Tunnel0 is going to be encrypted.
In order to force specific traffic (e.g. SMTP), you may have to configure Policy-Based Routing (PBR), i.e. configure a class-map to match specific traffic and set the next-hop to Tunnel0. For all other traffic, set the next-hop to the WAN interface. That way, you will only force selected traffic to Tunnel0.
Note: I haven't tried this scenario myself, but interesting question... please try PBR and let us know if it works for you.
It is nice to catch you on the net. With all due respect to you personally and your knowledge, I guess the sequence in the PBR is the other way around from what you suggested. Since the default is to send the encrypted traffic to the tunnel based on its subnet/routing table, the 1st sequence in the PBR is to match against SMTP and set its interface to the physical interface, and the next PBR sequence wouldn't have a match. This way, all traffic unmatched earlier will go through the tunnel.
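The sequencing described in the reply above, written out as an IOS configuration. This is an added example, not configuration posted by either participant; the interface names, the ACL and route-map names, and the 192.0.2.1 next hop are assumptions, since the thread does not show the topology.

```cisco
! All names and addresses below are constructed for illustration.
!   GigabitEthernet0/1 = LAN-facing interface where the traffic enters the router
!   192.0.2.1          = next hop reached through the physical WAN interface
!   Tunnel0            = the tunnel from the thread; routes pointing at it are encrypted
!
ip access-list extended SMTP-BYPASS
 permit tcp any any eq smtp
!
! Sequence 10: SMTP is matched and sent to the WAN next hop, so it no longer
! follows the routing table into Tunnel0 and is not encrypted by the tunnel.
route-map LAN-PBR permit 10
 match ip address SMTP-BYPASS
 set ip next-hop 192.0.2.1
!
! No further sequence is configured. Packets that match no route-map entry
! are forwarded by normal destination-based routing, i.e. into Tunnel0
! wherever the routing table points there.
!
! PBR is applied on the ingress interface, not on the tunnel or WAN interface.
interface GigabitEthernet0/1
 ip policy route-map LAN-PBR
!
! Verification (run in exec mode):
!   show ip policy
!   show route-map LAN-PBR
```

The match counters in `show route-map LAN-PBR` confirm whether SMTP is actually hitting sequence 10 before you rely on it leaving the tunnel path.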