VPN

Simultaneous operation of easyvpn and nat on the client router?

Synopsis:
Cisco 891 router:
Cisco IOS Software, C890 Software (C890-UNIVERSALK9-M), Version 15.0(1)M3, RELEASE SOFTWARE (fc2)
I configure it to connect via easyvpn to the main router in the CO (2911/K9 with Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.0(1)M3, RELEASE SOFTWARE (fc2))
Pieces of the 891 config that relate to the problem:

==============<br/>
<code>crypto ipsec client ezvpn EzVPN_to_C1<br/>
 connect auto<br/>
 group FILIALS key My_Secret_Key<br/>
 mode network-plus<br/>
 peer 212.xxx.xxx.xxx default<br/>
 peer 212.xxx.xxx.xxx<br/>
 acl VPN_ACL<br/>
 virtual-interface 1<br/>
 username My_Client password My_Client<br/>
 xauth userid mode local<br/>
!<br/>
interface Loopback0<br/>
 ip address 10.10.10.10 255.255.255.255<br/>
!<br/>
!<br/>
interface Virtual-Template1 type tunnel<br/>
 ip unnumbered Loopback0<br/>
 ip tcp adjust-mss 1440<br/>
 !<br/>
!<br/>
interface GigabitEthernet0<br/>
 description ****** TO LOCAL NET *****<br/>
 ip address 192.168.85.254 255.255.255.0<br/>
 ip nat inside<br/>
 duplex auto<br/>
 speed auto<br/>
 crypto ipsec client ezvpn EzVPN_to_C1 inside<br/>
<br/>
!<br/>
!<br/>
interface Vlan1<br/>
 description ***** Primary Internet Channel ****<br/>
 ip address 172.20.100.1 255.255.255.252<br/>
 ip nat outside<br/>
 ip tcp adjust-mss 1452<br/>
 crypto ipsec client ezvpn EzVPN_to_C1<br/>
<br/>
ip nat inside source route-map NAT1 interface Vlan1 overload<br/>
ip route 0.0.0.0 0.0.0.0 172.20.100.2<br/>
ip access-list extended VPN_ACL<br/>
 permit ip 192.168.85.0 0.0.0.255 192.168.96.0 0.0.7.255<br/>
access-list 154 deny ip 192.168.85.0 0.0.0.255 192.168.96.0 0.0.7.255<br/>
access-list 154 permit ip any any<br/>
route-map NAT1 permit 10<br/>
 match ip address 154<br/>
 match interface Vlan1</code><br/>
===========================<br/>

gi0 - looks at the client network 192.168.85.0
Vlan1 - looks at the Internet (more precisely, at the yota modem, but this is not important in this case)
212.xxx.xxx.xxx - ip address of the central office (to which the connection is made via easyvpn)
192.168.96.0/21 - internal network of the
central office A piece of the central office router config (the one that relates to the problem)

=========<br/>
crypto isakmp client configuration group FILIALS<br/>
 key My_Secret_Key<br/>
 pool Filials<br/>
 acl CENTRAL_OFFICE<br/>
 save-password<br/>
!<br/>
ip local pool Filials 192.168.100.105 192.168.100.130<br/>
ip access-list extended CENTRAL_OFFICE<br/>
 permit ip 192.168.96.0 0.0.7.255 any<br/>
=============<br/>

And now the problem itself:
1) VPN is not up - nat on the branch works fine. From a client machine that is connected to the 891 router, I perfectly ping hosts on the Internet
2) I raise the VPN - it also works fine - I see (ping) the internal network of the central office
3) BUT: When the vpn is raised , nat stops working on the 891 router . That is, from a client machine, I can ping the CO network, but pings to the Internet (via nat on the 891m router) do not go.
Question: Besides choosing a profession, what did I do wrong?
PS: I set up nat on the router in the CO so that branches connected via ezvpn go to the Internet at least like that. But it's not pretty. For example, there is no access to the Yota modem at the branch in this case.