Your problem comes from the fact that both native and VPN traffic flow over the same NAT-enabled interface, so your NAT statement also matches the VPN traffic. There are two ways to solve that problem:
1) Migrate to VTIs. With these you have an IPSec interface where you don't need to enable NAT. For that, the other end also has to be an IOS router.
2) Extend your NAT statement with a route-map. In that route-map you specify an ACL that has deny statements for the VPN traffic, and the traffic won't be NATted any more when flowing through the VPN.
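A sketch of the second option from the answer above, added here as an example and not part of the original post. The subnets, ACL numbers, route-map name and interface name are all assumptions; substitute the values from your own configuration.

```cisco
! Added example, not from the original thread. Assumed values:
!   local LAN            192.168.1.0/24
!   remote VPN LAN       10.10.10.0/24
!   NAT outside interface GigabitEthernet0/0
!   route-map name NONAT, ACL numbers 1 and 110
!
! Before: the NAT ACL matches every packet sourced from the LAN,
! including packets bound for the remote VPN subnet. Those packets are
! translated to the outside address and then no longer match the
! crypto ACL, which is written against the private source addresses.
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
! After: remove the old statement, then reference a route-map whose
! extended ACL denies LAN-to-VPN traffic first and permits the rest.
no ip nat inside source list 1 interface GigabitEthernet0/0 overload
no access-list 1
!
! Order matters: the deny must come before the permit, because the
! ACL is evaluated top-down and the first match wins.
access-list 110 deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
!
route-map NONAT permit 10
 match ip address 110
!
ip nat inside source route-map NONAT interface GigabitEthernet0/0 overload
```

After the change, `show ip nat translations` should show no new entries for flows to the remote VPN subnet, and the encapsulation counters in `show crypto ipsec sa` should increase when LAN hosts send traffic through the tunnel.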