Symptoms
The need was to reach a host inside a LAN through a VPN connection managed by the LAN gateway (a Cisco 1921).
The LAN gateway performs NAT, and there was a dedicated NAT rule for the host I wanted to reach through the VPN.
I couldn't connect to the host.
The same happened when trying to connect to ports involved in port forwarding.
Everything not covered by static NAT or port forwarding was reachable instead.
Diagnosis
I noticed that the router performed NAT on return traffic when I tried to reach hosts involved in static NAT through the VPN.
This was because I had specified a no-NAT rule, but it was applied only to the global NAT rule, while static NAT and port forwarding had their own rules, fixed as static entries in the NAT table.
Solution
This is the configuration I used to fix this situation:
STATIC NAT IP <-> IP
!
! The ACL selects the flows the static entry applies to: a "deny" line means "do not translate".
ip access-list extended NAT
 deny ip [local-network] [local-wildcard] [vpn-network] [vpn-wildcard]
 permit ip [local-network] [local-wildcard] any
!
route-map NAT permit 10
 match ip address NAT
!
! Traffic from [local-ip] towards the VPN network is now left untranslated; everything else still uses [global-ip].
ip nat inside source static [local-ip] [global-ip] route-map NAT
PORT-FORWARDING IP:PORT <-> IP:PORT
!
! Same idea for a port-forwarding entry: the ACL matches on the inside host's port, and denies the VPN network.
ip access-list extended nonat-vpn
 deny tcp host [host-ip] eq [port] [vpn-network] [vpn-wildcard]
 permit tcp host [host-ip] eq [port] any
!
route-map nonat-vpn permit 10
 match ip address nonat-vpn
!
ip nat inside source static tcp [local-ip] [local-port] [global-ip] [global-port] route-map nonat-vpn extendable
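To make the diagnosis concrete, here is an added Python model (not Cisco code and not part of the original post) of how a static NAT entry with and without a route-map treats a packet leaving the inside host. It assumes first-match ACL semantics with an implicit deny and a route-map with a single permit clause, as in the configuration above; the LAN, VPN and public addresses, the host 192.0.2.20:8080 and the forwarded port 80 are constructed sample values.

```python
from collections import namedtuple
from ipaddress import IPv4Address
# One line of an extended ACL; src_port models "eq <port>" on the source, as in the nonat-vpn ACL.
Ace = namedtuple("Ace", "action proto src src_wc dst dst_wc src_port", defaults=(None,))
# An inside->outside packet as seen by NAT (ports only matter for the tcp entry).
Flow = namedtuple("Flow", "proto src dst sport dport", defaults=(0, 0))

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def acl_permits(acl, f):
    """First matching ACE decides; every Cisco ACL ends in an implicit deny."""
    for e in acl:
        proto_ok = e.proto == "ip" or e.proto == f.proto
        port_ok = e.src_port is None or e.src_port == f.sport
        if proto_ok and port_ok and wildcard_match(f.src, e.src, e.src_wc) \
                and wildcard_match(f.dst, e.dst, e.dst_wc):
            return e.action == "permit"
    return False

def translate(local_ip, global_ip, f, route_map=None, local_port=None, global_port=None):
    """Model 'ip nat inside source static ... [route-map X]' for one inside->outside packet."""
    if f.src != local_ip or (local_port is not None and f.sport != local_port):
        return f                                   # this static entry does not apply
    if route_map is not None and not acl_permits(route_map, f):
        return f                                   # route-map ACL denies: leave untranslated
    sport = global_port if global_port is not None else f.sport
    return Flow(f.proto, global_ip, f.dst, sport, f.dport)

# Constructed sample addressing: LAN 192.0.2.0/24, VPN peer 198.51.100.0/24, public 203.0.113.0/24.
ANY = ("0.0.0.0", "255.255.255.255")
NAT_ACL = [Ace("deny", "ip", "192.0.2.0", "0.0.0.255", "198.51.100.0", "0.0.0.255"),
           Ace("permit", "ip", "192.0.2.0", "0.0.0.255", *ANY)]
NONAT_VPN = [Ace("deny", "tcp", "192.0.2.20", "0.0.0.0", "198.51.100.0", "0.0.0.255", 8080),
             Ace("permit", "tcp", "192.0.2.20", "0.0.0.0", *ANY, 8080)]

def demo():
    """Same flows through the 'before' entries (no route-map) and the route-map entries above."""
    to_vpn = Flow("ip", "192.0.2.10", "198.51.100.5")
    to_internet = Flow("ip", "192.0.2.10", "203.0.113.200")
    pf_to_vpn = Flow("tcp", "192.0.2.20", "198.51.100.5", 8080, 51000)
    return {
        "static_vpn_no_routemap": translate("192.0.2.10", "203.0.113.10", to_vpn).src,
        "static_vpn_routemap": translate("192.0.2.10", "203.0.113.10", to_vpn, NAT_ACL).src,
        "static_internet_routemap": translate("192.0.2.10", "203.0.113.10", to_internet, NAT_ACL).src,
        "pf_vpn_no_routemap": translate("192.0.2.20", "203.0.113.1", pf_to_vpn, None, 8080, 80).sport,
        "pf_vpn_routemap": translate("192.0.2.20", "203.0.113.1", pf_to_vpn, NONAT_VPN, 8080, 80).sport,
    }
```

Without the route-map the reply towards the VPN peer leaves with the public address (or port), which is exactly the symptom described above; with it, only Internet-bound traffic is translated.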