I already posted in the NAP forums (http://social.technet.microsoft.com/Forums/en/winserverNAP/threads), but thought I'd try my luck here as well.
I'm running IPsec NAP on two identically configured Windows 2008 R2 servers that are also standalone CAs for NAP.
I'm in the testing phases of a Windows 2012 RC DirectAccess server that is behind a NAT. When the computer establishes a DirectAccess connection, it's unable to connect to any resources that are part of NAP (only non-NAP resources, exceptions are available). napstat reveals that the client is healthy (it also has the health certificate). I currently haven't checked the "Enforce corporate compliance for DirectAccess clients with NAP" option; I don't have a need to check clients before they connect to the intranet tunnel.
Here's how the Connection Security Rules look on a client:
The first four were automatically generated by the DirectAccess server, the other four are for NAP purposes (before a DA test server was introduced).
What am I doing wrong? Are additional logs or information needed to better assist me?