So I am taking the SCAZT course on Cisco U. I have run through the "Security Policies for Remote Access VPN" material several times now. They actually state at the end of that section "All the detail-specific secure firewall remote access VPN configurations are outside the scope of this course."
Here lies the problem: I am preparing for this exam and I keep running into questions (practice/etc.) that are asking for detailed configuration troubleshooting regarding the Access Rules on the firewall.
My current specific question is: when the answers include NAT/DHCP, I am making a huge assumption that this is a distraction from Cisco, intentionally, to see if we understand that NAT on VPN clients to external resources is incorrect? As in, we would have to build a NAT Exemption even if there was NAT on the FTD ACL?
Am I way off?
My thought process after learning thus far: The firewall rule should ONLY reference the source being the Secure Client IP address and the Destination being the OUTSIDE zone (IP) of the FTD? Or is the correct Destination on the rule the IP address of the external resource?
If it helps, imagine the "internal corporate resource" below being a cloud resource such as 'Salesforce', which is referenced in the course material as a configuration example. So what would the firewall rule be to allow the client to establish 80/443 connectivity to that resource?
