yes, easy vpn supports NAT/PAT. ping from router may not work cause that traffic is not uing the tunnel. you will need to ping from a host connected to the 871. If you nat and easy vpn is configured correctly then it should all work.
I tried to ping from a client connected to the 871. it doesnt work. The only ping that will work is from the loopback interface that has the ip given to it from the 3000. This makes sense of course because the IP is on the same subnet as the LAN side of the 3000.
You said that easyvpn supports NAT, but do you have to explicitly configure it when in client mode or does easyvpn configure it for you?
your config looks fine. You might need to check the policy on the concentrator. Are you tunneling everything or are you doing split tunnelling. You can check the policy the 871 is receiving using "show crypto ipsec client ezvpn"
i did the show crypto ipsec client ezvpn and it doesnt show anything about a policy or anything. It shows what interfaces are inside/outside, current peer, current state = active, dns servers, tunnel name...
It saids nothing of a policy or whats be tunneled.
"show crypto ipsec client ezvpn" should show you what settings the 871 is receiving from the concentrator. If you are using split tunneling then the above command should show you what addresses will be tunneled e.g. following line might appear in output of above command
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...