I am (was) trying to design a VPN solution where I would assign VPN addresses to VIA clients from 3 different pools based on user roles, then use our existing firewalls to manage traffic based on those IPs. The idea was something like this: (Of course these are fake addresses, but it is still all public IP space.)
External (edge router) connection 1.1.1.1/30
LAN connection 2.2.2.1/30
Default route 1.1.1.2
Internal networks learned via OSPF.
VPN pools 3.3.3.0, 4.4.4.0, 5.5.5.0
Static routes back to these pools in core.
After much head-scratching and an assist from TAC, the only way we could get even one pool to pass traffic was to use NAT. Not just any NAT either, but a single-IP NAT pool that translates everything to the outgoing interface address.
Now, I can see how to set things up so that each role goes to a different interface/NAT address. But I cannot for the life of me understand why there is an option to have multiple VPN address pools if the clients have to be translated anyway. Am I missing something? Better yet, does anyone here know something TAC didn't?