You really need to diag debug the flow and stop wasting time. There's no NAT-T option or configuration in the native Cisco vpnclient that I'm aware of.
It either does ike/500/4500 and tunnels ESP or uses tcp/udp-10000 and tunnels ESP, so if you have those ports and services created and/or a blanket allow ANY, then your client would work if the far end is accepting connections.
note: you can set the tunnel port # on most vpnclients
Also, if the client is on a remote host such as a notebook, take it off your wire to a hotspot/cafe and try externally. If it works outside of your network, re-investigate your firewall or local uplink for any filters.
If the above is not doable, download the pcf file into something that's mobile and repeat the above action.
But diag debug flow is really your friend here along with diag sniffer
I would also double check they are not filtering anything by src, or you have any other policies denying traffic from that src or possible NAT issues.
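
Added example, not part of the original post: a small Python helper that reads a saved `diag sniffer` capture and reports, for each transport named above (udp 500, udp 4500, port 10000, ESP), whether the client's packets got replies. The assumed line layout, the addresses and the sample lines are constructed for illustration.

```python
import re

# Ports named in the post; ESP (IP protocol 50) is detected separately.
PORTS = {500: "udp/500", 4500: "udp/4500", 10000: "port 10000"}

# Assumed line layout (sniffer verbosity 4):
#   <time> <intf> <in|out> <src>[.<sport>] -> <dst>[.<dport>]: <proto info>
LINE = re.compile(
    r"^\S+\s+\S+\s+(?:in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s+(?P<rest>.*)$")

def transport(m):
    """Map a parsed line to one of the VPN transports, or None."""
    if "ip-proto-50" in m["rest"]:
        return "ESP"
    for port in (m["dport"], m["sport"]):
        if port and int(port) in PORTS:
            return PORTS[int(port)]
    return None

def triage(lines, client):
    """Return {transport: 'two-way' | 'no reply' | 'reply only'} for client."""
    seen = {}  # transport -> [packets from client, packets to client]
    for line in lines:
        m = LINE.match(line.strip())
        name = transport(m) if m else None
        if name is None:
            continue
        counts = seen.setdefault(name, [0, 0])
        if m["src"] == client:
            counts[0] += 1
        elif m["dst"] == client:
            counts[1] += 1
    return {name: "two-way" if sent and recv else "no reply" if sent else "reply only"
            for name, (sent, recv) in seen.items() if sent or recv}

# Constructed sample capture: client 10.1.1.20, far end 203.0.113.7.
SAMPLE = """\
1.002113 internal in 10.1.1.20.500 -> 203.0.113.7.500: udp 292
1.118540 internal out 203.0.113.7.500 -> 10.1.1.20.500: udp 364
1.305871 internal in 10.1.1.20.4500 -> 203.0.113.7.4500: udp 112
4.306002 internal in 10.1.1.20.4500 -> 203.0.113.7.4500: udp 112
9.871230 internal in 10.1.1.20.53211 -> 203.0.113.7.10000: syn 1839201
"""

if __name__ == "__main__":
    for name, state in triage(SAMPLE.splitlines(), "10.1.1.20").items():
        print(f"{name:12} {state}")
```

A transport that shows "no reply" is leaving the client but nothing is coming back, which points at a policy, an upstream filter or the far end rather than at the client.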