Relevant Topology:
(Corporate LAN: 10.10.0.0/21) > (Catalyst 3560 L3 Switch: # ip routing) > (10.10.255.253/30) > (Cisco 1921: edge router) > ISP
One-to-One NAT statement in edge router:
# ip nat inside source static <inside local ip> <inside global ip>
Packets destined for our branch offices across IPsec Site-to-Site VPNs, originating from the above inside local IP, have their source address changed (at the edge router) to the above inside global IP, so traffic destined for the branch is forwarded to our ISP's gateway instead of over the VPN tunnel.
After establishing a remote IPsec VPN connection, via Cisco VPN Client, I am able to ping the inside local IP specified above with no issues (the router sends the traffic sourced from the above inside local IP before applying the One-to-One NAT statement).
Relevant configuration:
Remote VPN ACL:
ip access-list extended REMOTE_VPN_ACL
permit ip <ip local pool subnet> 0.0.0.255 any
permit ip 10.10.0.0 0.0.7.255 any
Site-to-Site VPN ACL:
ip access-list extended SITE-TO-SITE_VPN_ACL
permit ip 10.10.0.0 0.0.7.255 10.10.12.0 0.0.0.255
permit ip 10.10.12.0 0.0.0.255 10.10.0.0 0.0.7.255
PAT:
ip nat inside source route-map INTERNET_BOUND_RMAP interface GigabitEthernet0/1 overload
Route Map:
route-map INTERNET_BOUND_RMAP permit 10
match ip address INTERNET_BOUND_ACL
Internet-bound ACL:
ip access-list extended INTERNET_BOUND_ACL
deny ip 10.10.0.0 0.0.7.255 10.10.12.0 0.0.0.255
permit ip 10.10.0.0 0.0.7.255 any
permit ip 10.10.255.252 0.0.0.3 any
If I remove the One-to-One NAT statement, both the Site-to-Site VPN and Remote VPNs can communicate with the relevant inside local IP. With the One-to-One NAT statement active, only the Remote VPN can communicate successfully (as the NAT statement changes the packet's source address to the inside global IP).
Why is the One-to-One NAT statement only applying to packets destined for our Site-to-Site VPNs, and what is the appropriate way to prevent this?
Thank you
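Added illustration, not part of the question above: a small Python model of the router's inside-to-outside order of operations (NAT is applied before the crypto ACL is evaluated), using the ACLs from the post with constructed placeholder addresses for the inside local, inside global and Gi0/1 addresses. It goes beyond the post in one respect: it also shows the effect of making the static NAT conditional on an ACL, as a route-map attached to a static NAT statement allows, which is an assumption about a possible fix rather than something the post states; the remote VPN case is not modelled.

```python
import ipaddress

# Constructed placeholders for the values redacted in the post.
INSIDE_LOCAL = "10.10.1.50"     # <inside local ip>
INSIDE_GLOBAL = "203.0.113.10"  # <inside global ip>
GI0_1_ADDRESS = "203.0.113.1"   # address used by the "overload" PAT

def wildcard_match(addr, net, wildcard):
    """Cisco wildcard-mask match: bits set in the wildcard are ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

def acl_permits(acl, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, snet, swc, dnet, dwc in acl:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action == "permit"
    return False

ANY = ("0.0.0.0", "255.255.255.255")
# ACLs transcribed from the post.
SITE_TO_SITE_VPN_ACL = [
    ("permit", "10.10.0.0", "0.0.7.255", "10.10.12.0", "0.0.0.255"),
    ("permit", "10.10.12.0", "0.0.0.255", "10.10.0.0", "0.0.7.255"),
]
INTERNET_BOUND_ACL = [
    ("deny", "10.10.0.0", "0.0.7.255", "10.10.12.0", "0.0.0.255"),
    ("permit", "10.10.0.0", "0.0.7.255", *ANY),
    ("permit", "10.10.255.252", "0.0.0.3", *ANY),
]
# Constructed: an ACL a route-map on the static NAT could match, so the
# 1:1 translation is skipped for branch-bound traffic (assumed fix).
NAT_EXEMPT_ACL = [
    ("deny", "10.10.0.0", "0.0.7.255", "10.10.12.0", "0.0.0.255"),
    ("permit", "10.10.0.0", "0.0.7.255", *ANY),
]

def egress_path(src, dst, static_nat_acl=None):
    """Return (path, source_after_nat) for an inside->outside packet.
    static_nat_acl=None models the unconditional 1:1 NAT from the post;
    passing an ACL applies the static NAT only when that ACL permits.
    Model assumption: static NAT takes precedence over the route-map PAT."""
    if src == INSIDE_LOCAL and (static_nat_acl is None or acl_permits(static_nat_acl, src, dst)):
        src = INSIDE_GLOBAL          # one-to-one NAT rewrites the source first
    elif acl_permits(INTERNET_BOUND_ACL, src, dst):
        src = GI0_1_ADDRESS          # overload PAT via INTERNET_BOUND_RMAP
    # Crypto map is evaluated after NAT, on the translated source address.
    if acl_permits(SITE_TO_SITE_VPN_ACL, src, dst):
        return ("tunnel", src)
    return ("isp_clear", src)
```

With the unconditional static NAT, the branch-bound packet leaves with the inside global source and no longer matches the crypto ACL, which is the behaviour the post describes; with the exempting ACL it enters the tunnel untranslated while Internet-bound traffic is still translated.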