You can accomplish what you want using IPsec plus NAT. Our routers support something we call VPN Virtual Host mode (it is not called that anywhere in the WebUI) specifically for this reason. Essentially this is NAT’ing an IPsec tunnel endpoint so that every remote site can have the same subnet as you have here. You create a “virtual interface”, say on VPN0, assign it a virtual IP address and then NAT through it. For example:
- Create a VPN tunnel on the Digi.
- Under Local Endpoint Type select Internal Interface (instead of a subnet)
- Under Local Endpoint enter the tunnel’s virtual host IP address. This is the IP address the VPN concentrator will see as its remote peer “network” instead of the actual remote subnet. This address gets matched to the mobile IP address in the ASA’s policy.
- Finish the VPN tunnel setup to create the vpn0 interface.
- Go to IP Port Forwarding and create a port forwarding entry for Interface vpn0 and forward through whatever traffic you want.
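The following Python model is an added illustration of what the virtual host NAT in the steps above does, not Digi firmware or anything that talks to a router. The overlapping LAN 192.168.1.0/24 at every site, the virtual host addresses 10.99.0.11 and 10.99.0.12, the concentrator address 10.0.0.10 and the port-forward table are all constructed for the example; the ASA policy check is a stand-in for the concentrator matching the /32 virtual host instead of the remote subnet.

```python
"""Model of the VPN Virtual Host NAT described in the post above.

Added example, not Digi code. Constructed values: every remote site uses
192.168.1.0/24 (same as HQ), each site's tunnel gets its own virtual host
address, the concentrator sits at 10.0.0.10, and one port-forward entry
on vpn0 exposes SSH on a LAN host.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class VirtualHostNAT:
    """One router's vpn0: traffic leaving the LAN through the tunnel is
    rewritten to come from virtual_ip; traffic arriving for virtual_ip is
    mapped back to a LAN host by connection tracking or a port-forward rule."""
    lan: ipaddress.IPv4Network
    virtual_ip: str
    # IP Port Forwarding entries on vpn0: tunnel-side port -> (LAN host, LAN port)
    forwards: dict
    # reply mapping: (remote ip, port on the virtual ip) -> real LAN source
    conntrack: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> tunnel. The concentrator only ever sees virtual_ip as the peer."""
        if ipaddress.ip_address(pkt.src) not in self.lan:
            raise ValueError(f"{pkt.src} is not on the local LAN {self.lan}")
        self.conntrack[(pkt.dst, pkt.sport)] = pkt.src
        return Packet(self.virtual_ip, pkt.dst, pkt.sport, pkt.dport)

    def inbound(self, pkt: Packet):
        """Tunnel -> LAN. Returns the rewritten packet, or None if dropped."""
        if pkt.dst != self.virtual_ip:
            return None                      # not addressed to this virtual host
        real_src = self.conntrack.get((pkt.src, pkt.dport))
        if real_src is not None:             # reply to a LAN-initiated flow
            return Packet(pkt.src, real_src, pkt.sport, pkt.dport)
        rule = self.forwards.get(pkt.dport)
        if rule is None:
            return None                      # unsolicited and no forward entry
        host, port = rule
        return Packet(pkt.src, host, pkt.sport, port)


SHARED_LAN = ipaddress.ip_network("192.168.1.0/24")   # constructed: same at every site
CONCENTRATOR = "10.0.0.10"                            # constructed HQ concentrator


def build_sites():
    """Two remote sites with identical LANs but distinct virtual host IPs."""
    return {
        "siteA": VirtualHostNAT(SHARED_LAN, "10.99.0.11", {22: ("192.168.1.50", 22)}),
        "siteB": VirtualHostNAT(SHARED_LAN, "10.99.0.12", {22: ("192.168.1.50", 22)}),
    }


def asa_policy_match(peer_virtual_ip: str, pkt: Packet) -> bool:
    """Stand-in for the concentrator's per-tunnel policy: the 'remote network'
    it matches is the /32 virtual host, not the overlapping 192.168.1.0/24."""
    return pkt.src == peer_virtual_ip


def demo():
    sites = build_sites()
    results = {}
    for name, site in sites.items():
        # The same host address at both sites becomes distinguishable after NAT.
        out = site.outbound(Packet("192.168.1.50", CONCENTRATOR, 50000, 443))
        results[name + "_seen_as"] = out.src
        results[name + "_policy_ok"] = asa_policy_match(site.virtual_ip, out)
        # The concentrator's reply is routed back to the correct LAN host.
        reply = site.inbound(Packet(CONCENTRATOR, out.src, 443, 50000))
        results[name + "_reply_to"] = reply.dst
    # HQ initiates SSH to site B through the vpn0 port-forward entry.
    fwd = sites["siteB"].inbound(Packet(CONCENTRATOR, "10.99.0.12", 51000, 22))
    results["siteB_ssh_target"] = (fwd.dst, fwd.dport)
    # Unsolicited traffic to a port with no forward entry is dropped.
    results["siteB_unforwarded"] = sites["siteB"].inbound(
        Packet(CONCENTRATOR, "10.99.0.12", 51001, 3389))
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the model makes explicit: once the tunnel endpoint is the virtual host address, the concentrator never has to route to 192.168.1.0/24 at all, so any number of sites can reuse that subnet, and anything HQ needs to reach behind a site must be exposed through a port-forward entry on vpn0 rather than by routing.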