If the client host is configured as a Firewall client, you must make sure that the destinations reachable through the VPN tunnel are not redirected to the Firewall service on ISA server. The simplest solution for that problem is to disable the Firewall client for the duration of the VPN session. If that isn't a workable solution in your environment, you will have to fine tune the Firewall client configuration. More precisely, you should put the network ID's reachable through the VPN tunnel in the LAT. Because only a very small number of internal hosts should be involved, I would make the Firewall client configuration changes only on the client host and not globally on the ISA server. Otherwise, you should not allow a client-to-gateway VPN scenario through ISA server, but go for a gateway-to-gateway VPN scenario with ISA server as the VPN endpoint.
To make the Firewall client configuration changes on the client host, use a text editor to create a custom client LAT file named Locallat.txt and place it into the Microsoft Firewall Client folder on the client computer. You can add there additional IP address ranges that the client recognizes as part of the internal network. The Firewall client uses both the Msplat.txt and Locallat.txt files to determine which IP addresses should not be redirected to the Firewall service on ISA server. For more info, check out the section Firewall Client components in the ISA help file.