I just about have my VPN set up exactly like I need it. Users can connect to the VPN and get a 172.16.17.0/24 IP address. These users can then access machines hidden behind the ASA on the private 172.16.16.1/24 interface. Users on the 172.16.16.1 interface can also access any machine not on the private interface through the router using NAT. What I cannot figure out how to do is to allow the VPN users to also access any machine not on the private interface through NAT on the router as well. Help would be appreciated.
ciscoasa# show route
Gateway of last resort is a.b.c.1 to network 0.0.0.0
C 172.16.16.0 255.255.254.0 is directly connected, igbprivate
S 172.16.17.20 255.255.255.255 [1/0] via a.b.c.189, igbpublic
C a.b.c.0 255.255.252.0 is directly connected, igbpublic
C 192.168.1.0 255.255.255.0 is directly connected, management
S* 0.0.0.0 0.0.0.0 [1/0] via ak.b.c.124.1, igbpublic
access-list 101 line 1 extended permit ip 172.16.16.0 255.255.255.0 172.16.17.0 255.255.255.0
nat statements in running-config
global (igbpublic) 1 interface
nat (igbprivate) 0 access-list 101
nat (igbprivate) 1 0.0.0.0 0.0.0.0
If your VPN users are connecting to the Public side of the ASA then I still think that hairpinning is what you should look into. It is very similar to my issue in which I want VPN users to access the internet through the VPN. The packets from the VPN users have to come in the Public interface and go directly back out. Hopefully I am understanding this correctly.
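The hairpinning suggested in the reply above, sketched as an added example that is not part of either post. It uses the same pre-8.3 NAT syntax as the `global`/`nat` lines in the question and reuses the interface name `igbpublic` and the 172.16.17.0/24 pool from there. It assumes the VPN clients send all of their traffic through the tunnel (no split tunneling), which the post does not state.

```cisco
! Added example, pre-8.3 NAT syntax to match the running-config in the post.
! Taken from the post: interface igbpublic, VPN pool 172.16.17.0/24,
! existing "global (igbpublic) 1 interface" PAT statement.
! Assumed: VPN clients tunnel all traffic to the ASA.

! Allow traffic to enter and leave the same interface (hairpin / U-turn).
! Without this, decrypted VPN traffic arriving on igbpublic cannot be
! routed back out of igbpublic.
same-security-traffic permit intra-interface

! Translate the VPN pool with the existing global 1, so hairpinned traffic
! leaves with the igbpublic interface address. The existing
! "nat (igbprivate) 0 access-list 101" exemption still covers
! igbprivate <-> VPN pool traffic.
nat (igbpublic) 1 172.16.17.0 255.255.255.0

! Check (exec mode): with a VPN client connected and reaching an outside
! host, a PAT entry for its 172.16.17.x address should be listed.
show xlate
```

The intra-interface permit applies to every flow that enters and leaves `igbpublic`, so keep the `nat (igbpublic)` statement scoped to the VPN pool rather than 0.0.0.0.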