Sunday, October 28, 2018

SSL VPN - How does Tunnel Mode work? (using something like Cisco AnyConnect)

Hi All,

Can someone verify if the steps below reflect what goes on at the Remote Employee and Remote Corporate Network when packets are being sent back and forth using SSL VPN?

Packets Travelling from Remote Employee to Remote Network:

  1. At the remote employee's Computer, the SSL VPN Client installs a Virtual Network Interface Card. This vNIC is tied to the SSL VPN Client (e.g. Cisco AnyConnect) and monitors traffic generated by the remote employee
  2. When the SSL VPN session is initially established, the ASA (SSL VPN Termination) at the corporate site will assign an internal IP address to the remote employee. For the duration of the SSL VPN session, the client has an IP address within the corporate network. This IP address is also attached to the vNIC at the Client's PC
  3. Traffic that needs to reach internal resources at an organization's remote site will be directed to the vNIC
  4. At the vNIC, the packet is formed.
  5. In the IP Header, the Source IP address is the remote corporate network IP address that was given to the Remote Employee's computer by the ASA. The Destination IP address is the internal resource on the remote corporate network that the packet must reach
  6. The packet is now encapsulated. A secondary IP Header and UDP/TCP Header are attached (To route the packet from the Client's Computer -> WAN -> VPN Endpoint)
  7. The Packet now travels (encrypted) across the SSL tunnel to the VPN Endpoint
  8. At the VPN Endpoint, the new header is removed and the original IP packet is decapsulated. This reveals the internal resource that the packet must be routed to. Furthermore, it also reveals the source IP address (the Remote Employee's assigned internal IP address)
  9. The packet is sent to the internal resource

Packets Travelling back from Remote Corporate Network to Remote Employee Workstation:

  1. A packet is generated at an internal resource on the remote corporate network. In the IP Header, the Source IP address for this packet is the IP address of the originating internal resource (on the remote corporate network). The Destination IP address, on the other hand, is the remote internal IP address assigned (at the VPN Endpoint) to the Remote Employee's workstation
  2. The Packet will reach the ASA, where it will identify that the destination IP address is assigned to the remote employee accessing the corporate network
  3. The ASA will encapsulate the packet and a new IP and TCP/UDP header is added. The new IP and TCP/UDP header contains the remote employee's gateway IP address + the appropriate port to reach the employee's computer (Port Address Translation)
  4. The packet travels to the remote employee's network where the Router will use Port Address Translation and forward the traffic to the Remote Employee's workstation
  5. At the Remote Employee's Workstation, the Packet is decapsulated (by the SSL VPN Client) and the original payload can be processed
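The round trip described in the two lists above, as an added example that is not part of the original post: a stdlib-only Python simulation of tunnel mode that builds the inner IPv4 packet from the vNIC, seals it into a record, carries it inside an outer IP/transport header through a PAT home router to the VPN endpoint, decapsulates it there, and does the same in reverse for the reply. All addresses, ports, the session id and key are constructed for the walk-through, and the "RecordProtection" class is a toy stand-in (HMAC-SHA256 keystream, encrypt-then-MAC) for TLS/DTLS record protection, which real AnyConnect/ASA traffic uses and this code does not implement. The endpoint also does the check a practitioner wants at step 8: the inner source address must be the one leased to that session, otherwise a client could inject packets with a spoofed internal source.

```python
"""Added example: tunnel-mode SSL VPN encapsulation, simulated with the stdlib.
All addresses, ports and keys below are constructed for the walk-through."""
import hashlib, hmac, socket, struct

CLIENT_LAN_IP, CLIENT_PORT = "192.168.1.50", 51234   # laptop behind the home router (constructed)
HOME_NAT_IP = "203.0.113.7"                          # public side of the home router (PAT)
ASA_PUBLIC_IP, ASA_PORT = "198.51.100.1", 443        # SSL VPN termination point
ASSIGNED_IP = "10.10.0.5"                            # address the endpoint leases to the vNIC
INTERNAL_SERVER = "10.20.0.10"                       # corporate resource being reached
SESSION_ID, SESSION_KEY = 7, b"constructed-session-key"   # stands in for the TLS session

def ipv4_checksum(h):
    s = sum(struct.unpack("!%dH" % (len(h) // 2), h))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def build_ipv4(src, dst, proto, payload):
    """20-byte IPv4 header (no options) with a valid checksum, then the payload."""
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                    proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return h[:10] + struct.pack("!H", ipv4_checksum(h)) + h[12:] + payload

def parse_ipv4(pkt):
    """-> (src, dst, proto, payload); a header with a bad checksum is rejected."""
    if ipv4_checksum(pkt[:20]) != 0:
        raise ValueError("bad IPv4 header checksum")
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return socket.inet_ntoa(f[8]), socket.inet_ntoa(f[9]), f[6], pkt[20:f[2]]

# Stand-in for the TCP segment (or DTLS/UDP datagram) that carries a record: two ports + record.
def build_seg(sport, dport, rec): return struct.pack("!HH", sport, dport) + rec
def parse_seg(seg): return struct.unpack("!HH", seg[:4]) + (seg[4:],)

class RecordProtection:
    """Toy stand-in for TLS record protection: HMAC-SHA256 keystream, encrypt-then-MAC,
    session id and 64-bit sequence number in the clear. Not a real cipher suite."""
    def __init__(self, sid, key):
        self.sid = sid
        self.ek = hmac.new(key, b"enc", hashlib.sha256).digest()
        self.mk = hmac.new(key, b"mac", hashlib.sha256).digest()
    def _ks(self, seq, n):   # keystream: HMAC(ek, seq || counter) blocks
        return b"".join(hmac.new(self.ek, struct.pack("!QQ", seq, i), hashlib.sha256).digest()
                        for i in range(n // 32 + 1))[:n]
    def seal(self, seq, pt):
        ct = bytes(a ^ b for a, b in zip(pt, self._ks(seq, len(pt))))
        hdr = struct.pack("!IQ", self.sid, seq)
        return hdr + ct + hmac.new(self.mk, hdr + ct, hashlib.sha256).digest()
    def open(self, rec):
        hdr, ct, tag = rec[:12], rec[12:-32], rec[-32:]
        if not hmac.compare_digest(tag, hmac.new(self.mk, hdr + ct, hashlib.sha256).digest()):
            raise ValueError("record authentication failed")   # tampered or wrong key: drop
        seq = struct.unpack("!IQ", hdr)[1]
        return bytes(a ^ b for a, b in zip(ct, self._ks(seq, len(ct))))

class HomeRouterPAT:
    """Port Address Translation on the employee's home router."""
    def __init__(self, public_ip):
        self.public_ip, self.next_port, self.fwd, self.rev = public_ip, 40000, {}, {}
    def outbound(self, pkt):
        src, dst, proto, seg = parse_ipv4(pkt); sp, dp, rec = parse_seg(seg)
        if (src, sp) not in self.fwd:        # new flow: allocate a public port and remember it
            self.fwd[(src, sp)] = self.next_port; self.rev[self.next_port] = (src, sp)
            self.next_port += 1
        return build_ipv4(self.public_ip, dst, proto, build_seg(self.fwd[(src, sp)], dp, rec))
    def inbound(self, pkt):
        src, dst, proto, seg = parse_ipv4(pkt); sp, dp, rec = parse_seg(seg)
        lan_ip, lan_port = self.rev[dp]      # KeyError here means unsolicited: dropped
        return build_ipv4(src, lan_ip, proto, build_seg(sp, lan_port, rec))

class SslVpnClient:
    def __init__(self): self.crypto, self.seq = RecordProtection(SESSION_ID, SESSION_KEY), 0
    def send_to_corp(self, dst_ip, app_payload):
        """Inner packet from the vNIC (assigned source), sealed, wrapped in the outer headers."""
        inner = build_ipv4(ASSIGNED_IP, dst_ip, 6, app_payload)
        rec = self.crypto.seal(self.seq, inner); self.seq += 1
        return build_ipv4(CLIENT_LAN_IP, ASA_PUBLIC_IP, 6, build_seg(CLIENT_PORT, ASA_PORT, rec))
    def receive(self, outer):
        """Strip the outer headers, open the record, hand the inner packet to the stack."""
        _, _, _, seg = parse_ipv4(outer); _, _, rec = parse_seg(seg)
        return parse_ipv4(self.crypto.open(rec))

class VpnEndpoint:
    def __init__(self): self.sessions, self.by_assigned = {}, {}
    def add_session(self, sid, key, assigned_ip):
        s = {"crypto": RecordProtection(sid, key), "assigned": assigned_ip, "peer": None, "seq": 0}
        self.sessions[sid] = self.by_assigned[assigned_ip] = s
    def receive_from_internet(self, outer):
        """Decapsulate, remember the outer peer for replies, reject a spoofed inner source."""
        src, _, _, seg = parse_ipv4(outer); sp, _, rec = parse_seg(seg)
        s = self.sessions[struct.unpack("!I", rec[:4])[0]]
        inner = s["crypto"].open(rec)               # raises if the record is not authentic
        s["peer"] = (src, sp)                       # the NAT's public ip:port, where replies go
        isrc = parse_ipv4(inner)[0]
        if isrc != s["assigned"]:
            raise ValueError("inner source %s is not this session's assigned address" % isrc)
        return inner                                # now routed toward its inner destination
    def send_to_client(self, inner):
        """Reply path: find the session by inner destination, seal, build the outer headers."""
        s = self.by_assigned[parse_ipv4(inner)[1]]  # KeyError: not a VPN address, route normally
        rec = s["crypto"].seal(s["seq"], inner); s["seq"] += 1
        peer_ip, peer_port = s["peer"]
        return build_ipv4(ASA_PUBLIC_IP, peer_ip, 6, build_seg(ASA_PORT, peer_port, rec))

def round_trip():
    """One request and its reply: client -> PAT -> endpoint -> server, and back."""
    client, nat, asa = SslVpnClient(), HomeRouterPAT(HOME_NAT_IP), VpnEndpoint()
    asa.add_session(SESSION_ID, SESSION_KEY, ASSIGNED_IP)
    wire = nat.outbound(client.send_to_corp(INTERNAL_SERVER, b"GET / HTTP/1.0\r\n\r\n"))
    isrc, idst, _, req = parse_ipv4(asa.receive_from_internet(wire))
    reply = build_ipv4(idst, isrc, 6, b"HTTP/1.0 200 OK\r\n")   # server answers the assigned IP
    got = client.receive(nat.inbound(asa.send_to_client(reply)))
    return {"outer_src_seen_by_endpoint": parse_ipv4(wire)[0], "inner": (isrc, idst, req), "reply": got}
```

Two things the simulation makes visible that the lists above only imply: the endpoint never sees the laptop's LAN address, only the NAT's public ip:port learned from the authenticated record, and that is exactly what it reuses for the return path; and the inner source check is what stops a connected client from emitting packets on the corporate side with an address other than the one it was leased.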

