Thanks to everyone that helped me with getting my SOHO 91 VPN IPSEC endpoint working with NAT. I had read probably 100 documents from people with similar problems with IPSEC and NAT, with most of those threads ending with no solutions... I actually had tried half a dozen different solutions that should have worked, but the thing that made it start working and passing traffic back to the client was to remove EVERYTHING to do with the VPN config, and then clear all crypto, sa, isakmp and nat translations before entering everything from scratch. Lo and behold, the very first config I tried passed traffic both ways! So that's my advice: if you're having problems that shouldn't be happening, then just try removing at least all your crypto maps and everything else involved with the group and client policy and start from scratch. I had actually read that in several documents, including a Cisco VPN troubleshooting guide, and didn't heed it until after a couple of weeks of frustration had passed...
Now, what I really need is help allowing internet access through the tunnel as theorized in this thread:
I want to have internet access through the tunnel to avoid split tunneling by using the technique of a loopback interface and route-map to NAT the VPN traffic destined for outside the private network. My config is attached and I believe it's actually working but for one thing - the VPN client doesn't seem to be using the DNS provided in the client's crypto group. I can ping and browse any internet IP addresses through the tunnel, and access any private address on the LAN through the tunnel, so I know my access lists and dummy loopback interface to NAT the internet-destined traffic are doing their job, but nothing will resolve by domain name. Can anyone suggest why I'm not getting DNS responses back through the tunnel? It really seems like the domain protocol isn't passing - I've tried with my firewall both off and on with no difference.
My config is attached; I appreciate your time and help to get this 100% working...