VPN doesn’t have the ability to create a virtual VPN interface so that VPN traffic can be filtered and NAT’ed…
Any particular reason why?
I find that having a virtual interface for the VPN just makes configuration much more intuitive and straightforward. For example, I needed to set up a static 1-to-1 destination NAT rule so that packets arriving via our site-to-site VPN tunnel would be redirected to another IP (sounds odd, but it was my only option in that situation). I wasn’t able to figure out how to do it in the ASA, and neither could our Cisco rep. The whole process was just much more complicated than it should be, IMO.
On the other hand, I was able to intuitively make the necessary configuration with no problem in a Palo Alto firewall, even though I have much more experience with the ASA than the PA. I also know that this is a piece of cake to do with Linux iptables.
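As an added illustration of the iptables case the post mentions (this is example code written for this page, not from the poster or from any vendor documentation), the script below generates the rules for a static 1-to-1 destination NAT on traffic that arrives over a VPN virtual interface. The interface name `tun0`, the addresses `10.10.10.50` and `192.168.20.50`, and the helper names `dnat_rules`, `apply_rules` and `valid_ipv4` are all assumptions constructed for the example; the commands are printed rather than executed by default so the logic can be checked without root or a live firewall.

```shell
#!/bin/sh
# Added example: static 1:1 destination NAT for packets arriving on a VPN
# virtual interface, as the post says is straightforward with iptables.
# All names and addresses below are assumptions constructed for this example.

VPN_IF="${VPN_IF:-tun0}"                # assumed tunnel interface name
ORIG_DST="${ORIG_DST:-10.10.10.50}"     # constructed: address the remote site sends to
NEW_DST="${NEW_DST:-192.168.20.50}"     # constructed: host that should really receive it

# valid_ipv4 ADDR: return 0 for a well-formed dotted quad, 1 otherwise.
# Validating before building a rule avoids feeding garbage to iptables.
valid_ipv4() {
    ip="$1"
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# dnat_rules VPN_IF ORIG_DST NEW_DST: print the iptables commands for the
# translation. Binding the rule to the VPN interface (-i) means only tunnel
# traffic is rewritten, which is the point of having a virtual interface.
dnat_rules() {
    vpn_if="$1"; orig="$2"; new="$3"
    valid_ipv4 "$orig" || return 1
    valid_ipv4 "$new"  || return 1
    # Rewrite the destination before routing so the packet reaches NEW_DST
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -j DNAT --to-destination %s\n' \
        "$vpn_if" "$orig" "$new"
    # Permit only the translated flows through the forwarding path
    printf 'iptables -A FORWARD -i %s -d %s -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$vpn_if" "$new"
    # Permit reply traffic back into the tunnel, established flows only
    printf 'iptables -A FORWARD -o %s -s %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$vpn_if" "$new"
}

# apply_rules: execute the generated commands (needs root and iptables).
apply_rules() {
    dnat_rules "$VPN_IF" "$ORIG_DST" "$NEW_DST" | while IFS= read -r cmd; do
        eval "$cmd"
    done
}

# Default action: print the rules for review instead of applying them.
dnat_rules "$VPN_IF" "$ORIG_DST" "$NEW_DST"
```

Run it as-is to review the rules, or `APPLY=1`-style wrappers can call `apply_rules` once the output has been checked; the conntrack restrictions on the FORWARD chain keep the translated host reachable only for the flows the DNAT created, rather than opening it to everything on the tunnel.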