Yes, I do understand this. But at the same time I can specify protocol/port and destination address in this qualifying access list. For example:
permit tcp host 10.10.10.7 22.214.171.124 eq 22
If they are making this possible, why not allow selecting ICMP packets for NAT? This seems like a wrong design to me.
I simplified my configuration to work out this problem, but in fact I have three interfaces and multiple GRE tunnels to the partners' networks that the host 10.10.10.7 needs to have access to.
In case of creating an incoming access list (ip access-group acl-name in) on fa0/0, I'll have to explicitly specify all the (partners') networks that this host can access and ICMP to any.
Is there another workaround?