I have one ASA with two inside networks, and two outside internet-capable interfaces.
The insides are InsideWebSurf, and InsideCritical.
The outside interfaces are OutsideToInternet and OutsideVPNonly.
The default route goes to OutsideToInternet.
Static routes go to OutsideVPNonly.
ACLs restrict InsideWebSurf to only go to OutsideToInternet.
InsideCritical can only launch VPNs on the OutsideVPNonly, so it can never websurf or do anything else but establish the VPNs.
So far, so good, that part works fine.
Now I want to allow Remote Access to VPN in through the OutsideVPNonly interface, and see the InsideCritical subnet. Also, it should be able to bent-pipe onto the other VPN, and reach the remote VPN sites that InsideCritical can see.
The problem is I have to create a static route to the Remote Access PC (which goes out the OutsideVPNonly interface).
When I do this, things work. But if the RemoteAccess PC roams to a new IP, I have to add another route statement.
Is there a way to Policy NAT my way out of this dilemma?