12-27-2017 08:11 AM - edited 03-05-2019 09:41 AM
We have 6 offices. Denver, Omaha, St. Louis, Atlanta, Wash. D.C. and HQ. Right now we have all of the regional offices using the HQ DIA except St. Louis because they have their own DIA. I would like to have Denver and Omaha use that DIA and when I manipulate my bgp they do make it to that circuit but will not access the internet.
This is what my bgp settings look like now:
router bgp 2xxxx
bgp log-neighbor-changes
network 172.16.16.0 mask 255.255.255.128
neighbor 192.xxx.x.xx remote-as 3xxx
neighbor 192.xxx.x.xx version 4
neighbor 192.xxx.x.xx soft-reconfiguration inbound
I will add neighbor 192.xxx.x.xx default-originate and redistribute static since the DIA is in a sub interface and has a static route. Still won't access the internet.
interface GigabitEthernet0/0/1.1
description VPN VLAN
encapsulation dot1Q 2291
ip address 192.xxx.x.xx 255.255.255.252
ip flow monitor CasMon input
ip policy route-map vpndia
no cdp enable
!
interface GigabitEthernet0/0/1.2
description DIA
encapsulation dot1Q 200
ip address 64.xxx.xxx.xx 255.255.255.252
ip nat outside
ip flow monitor CasMon input
ip policy route-map vpndia
no cdp enable
ip virtual-reassembly
and of course my overload:
ip nat inside source list 13 interface GigabitEthernet0/0/1.2 overload
The route-maps:
route-map vpndia permit 10
match ip address 120
set default interface GigabitEthernet0/0/1.1
!
route-map vpndia permit 20
set default interface GigabitEthernet0/0/1.2
Access List:
access-list 13 permit any
The bgp settings for the Omaha and Denver office are the same as above.
Does it look like I am missing anything from either side of the bgp settings?
Thanks for any help.
12-27-2017 09:19 AM
Hello,
so you want Denver and Omaha to use St. Louis for Internet access? What is the output of 'show ip route' from either Denver or Omaha? Can you post the full configs of either Denver or Omaha, and St. Louis?
12-27-2017 09:41 AM
Here is the ip route of Omaha. I will post the configs in separate posts.
Omaha_mpls#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 192.168.0.25 to network 204.76.10.0
S* 0.0.0.0/0 [20/0] via 192.168.0.25
4.0.0.0/29 is subnetted, 1 subnets
B 4.28.237.88 [20/0] via 192.168.0.25, 6w6d
64.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
B 64.210.123.31/32 [20/0] via 192.168.0.25, 6w6d
B 64.211.191.248/30 [20/0] via 192.168.0.25, 6w6d
162.97.0.0/16 is variably subnetted, 3 subnets, 2 masks
B 162.97.0.26/32 [20/0] via 192.168.0.25, 6w6d
B 162.97.88.52/30 [20/0] via 192.168.0.25, 6w6d
B 162.97.89.200/30 [20/0] via 192.168.0.25, 6w6d
172.16.0.0/16 is variably subnetted, 13 subnets, 5 masks
B 172.16.0.0/16 [20/0] via 192.168.0.25, 6w6d
B 172.16.11.128/26 [20/0] via 192.168.0.25, 6w6d
B 172.16.14.0/24 [20/0] via 192.168.0.25, 6w6d
B 172.16.14.0/25 [20/0] via 192.168.0.25, 5w1d
B 172.16.15.0/24 [20/0] via 192.168.0.25, 6w6d
B 172.16.15.0/25 [20/0] via 192.168.0.25, 3d10h
B 172.16.16.0/24 [20/0] via 192.168.0.25, 6w6d
B 172.16.16.0/25 [20/0] via 192.168.0.25, 1d05h
B 172.16.17.0/24 [20/0] via 192.168.0.25, 6w6d
B 172.16.18.0/24 [20/0] via 192.168.0.25, 6w6d
C 172.16.18.0/25 is directly connected, GigabitEthernet0/0/0
L 172.16.18.2/32 is directly connected, GigabitEthernet0/0/0
B 172.16.180.0/24 [20/0] via 192.168.0.25, 5w1d
172.17.0.0/24 is subnetted, 1 subnets
B 172.17.26.0 [20/0] via 192.168.0.25, 6w6d
172.20.0.0/24 is subnetted, 1 subnets
B 172.20.1.0 [20/0] via 192.168.0.25, 6w6d
192.168.0.0/24 is variably subnetted, 7 subnets, 2 masks
B 192.168.0.8/30 [20/0] via 192.168.0.25, 6w6d
B 192.168.0.12/30 [20/0] via 192.168.0.25, 6w6d
B 192.168.0.16/30 [20/0] via 192.168.0.25, 6w6d
B 192.168.0.20/30 [20/0] via 192.168.0.25, 6w6d
C 192.168.0.24/30 is directly connected, GigabitEthernet0/0/1
L 192.168.0.26/32 is directly connected, GigabitEthernet0/0/1
B 192.168.0.32/30 [20/0] via 192.168.0.25, 6w6d
192.168.10.0/30 is subnetted, 1 subnets
B 192.168.10.252 [20/0] via 192.168.0.25, 6w6d
192.221.222.0/30 is subnetted, 6 subnets
B 192.221.222.32 [20/0] via 192.168.0.25, 6w6d
B 192.221.222.44 [20/0] via 192.168.0.25, 6w6d
B 192.221.222.48 [20/0] via 192.168.0.25, 6w6d
B 192.221.222.52 [20/0] via 192.168.0.25, 6w6d
B 192.221.222.56 [20/0] via 192.168.0.25, 6w6d
B 192.221.222.60 [20/0] via 192.168.0.25, 6w6d
192.233.90.0/30 is subnetted, 1 subnets
B 192.233.90.248 [20/0] via 192.168.0.25, 6w6d
192.233.91.0/30 is subnetted, 1 subnets
B 192.233.91.72 [20/0] via 192.168.0.25, 6w6d
192.233.93.0/30 is subnetted, 1 subnets
B 192.233.93.24 [20/0] via 192.168.0.25, 6w6d
199.76.222.0/30 is subnetted, 1 subnets
B 199.76.222.188 [20/0] via 192.168.0.25, 6w6d
B 204.76.8.0/24 [20/0] via 192.168.0.25, 6w6d
B* 204.76.10.0/24 [20/0] via 192.168.0.25, 6w6d
B 204.76.13.0/24 [20/0] via 192.168.0.25, 6w6d
208.49.240.0/29 is subnetted, 1 subnets
B 208.49.240.40 [20/0] via 192.168.0.25, 6w6d
208.50.228.0/25 is subnetted, 1 subnets
B 208.50.228.128 [20/0] via 192.168.0.25, 2w0d
209.130.198.0/28 is subnetted, 1 subnets
B 209.130.198.64 [20/0] via 192.168.0.25, 6w6d
12-27-2017 09:45 AM
Here is Omaha:
Current configuration : 6893 bytes
!
! Last configuration change at 05:15:11 CST Wed Dec 27 2017 by dmpeter
!
version 15.5
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no platform punt-keepalive disable-kernel-core
!
hostname Omaha_mpls
!
boot-start-marker
boot system bootflash:isr4300-universalk9.03.16.05.S.155-3.S5-ext.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
!
aaa new-model
!
!
aaa group server tacacs+ taclogin
server name AUTH
!
aaa authentication attempts login 5
aaa authentication login default group taclogin local
aaa accounting exec tac_acct start-stop group taclogin
aaa accounting commands 15 tac_acct start-stop group taclogin
aaa accounting network tac_acct start-stop group taclogin
aaa accounting connection tac_acct start-stop group taclogin
!
!
!
!
!
!
aaa session-id common
clock timezone CST 4 0
clock summer-time CST recurring
no ip source-route
!
ip multicast-routing distributed
!
!
!
!
!
!
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name neca.org
!
!
!
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
flow exporter Cascade
destination 172.xx.x.xx
!
!
flow monitor CasMon
exporter Cascade
record netflow-original
!
!
!
!
crypto pki trustpoint TP-self-signed-1520460634
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1520460634
revocation-check none
rsakeypair TP-self-signed-1520460634
!
!
!
spanning-tree extend system-id
!
!
redundancy
mode none
!
!
no cdp run
!
ip tcp synwait-time 10
!
!
!
!
!
interface GigabitEthernet0/0/0
description Inside Office
ip address 172.16.18.2 255.255.255.128
ip helper-address 172.16.18.15
no ip redirects
ip pim sparse-dense-mode
ip flow monitor CasMon input
ip access-group 107 in
standby 1 ip 172.16.18.1
standby 1 priority 80
standby 1 preempt
media-type rj45
speed 100
no negotiation auto
!
interface GigabitEthernet0/0/1
description ISP Side
bandwidth 10240
ip address 192.168.0.26 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-dense-mode
ip nbar protocol-discovery
ip flow monitor CasMon input
speed 100
no negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
router bgp 19094
bgp log-neighbor-changes
network 172.16.18.0 mask 255.255.255.128
neighbor 192.168.0.25 remote-as 3549
neighbor 192.168.0.25 version 4
neighbor 192.168.0.25 soft-reconfiguration inbound
!
ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
no ip http server
ip http authentication local
ip http secure-server
ip http secure-ciphersuite rc4-128-sha
ip http timeout-policy idle 60 life 86400 requests 10000
ip tftp source-interface GigabitEthernet0/0/0
ip default-network 204.76.10.0
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
ip bgp-community new-format
!
logging trap debugging
logging host 172.20.1.20
access-list 99 permit 0.0.0.0
access-list 107 permit tcp host 172.20.1.99 eq tacacs host 172.16.18.2
access-list 107 deny tcp any any eq 161
access-list 107 deny tcp any any eq 162
access-list 107 deny tcp any any eq 199
access-list 107 deny udp any any eq 199
access-list 107 deny tcp any any eq 391
access-list 107 deny udp any any eq 391
access-list 107 deny tcp any any eq 705
access-list 107 deny tcp any any eq 1993
access-list 107 deny udp any any eq 1993
access-list 107 permit ip any any
access-list 110 remark admin access
access-list 110 remark SDM_ACL Category=1
access-list 110 permit ip 172.0.0.0 0.255.255.255 any
access-list 110 permit ip 204.76.10.0 0.0.0.255 any
access-list 110 permit ip 204.76.13.0 0.0.0.255 any
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
access-list 110 deny ip any any
access-list 190 permit ip any any precedence critical
access-list 191 permit tcp any eq www any
access-list 191 permit tcp any eq 443 any
!
!
tacacs-server timeout 10
tacacs-server directed-request
tacacs server AUTH
address ipv4 172.20.1.99
!
!
!
control-plane
!
banner login ^Cc
You have accessed a confidential and proprietary computing network. Access beyond this point is unlawful without previous authorization from NECA.^C
!
line con 0
exec-timeout 5 0
accounting connection tac_acct
accounting commands 15 tac_acct
accounting exec tac_acct
transport output telnet
stopbits 1
line aux 0
exec-timeout 4 0
accounting connection tac_acct
accounting commands 15 tac_acct
accounting exec tac_acct
transport output telnet
stopbits 1
line vty 0 4
access-class 110 in
exec-timeout 4 0
privilege level 15
accounting connection tac_acct
accounting commands 15 tac_acct
accounting exec tac_acct
length 0
transport input ssh
!
ntp authenticate
!
end
12-27-2017 09:49 AM
Here is St. Louis:
Current configuration : 7972 bytes
!
! Last configuration change at 05:44:43 CST Wed Dec 27 2017 by dmpeter
!
version 15.5
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no platform punt-keepalive disable-kernel-core
!
hostname StLouis_mpls
!
boot-start-marker
boot system bootflash:isr4300-universalk9.03.16.05.S.155-3.S5-ext.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
aaa new-model
!
!
aaa group server tacacs+ taclogin
server name AUTH
!
aaa authentication attempts login 5
aaa authentication login default group taclogin local
aaa accounting exec tac_acct start-stop group taclogin
aaa accounting commands 15 tac_acct start-stop group taclogin
aaa accounting network tac_acct start-stop group taclogin
aaa accounting connection tac_acct start-stop group taclogin
!
!
!
!
!
!
aaa session-id common
clock timezone CST 4 0
clock summer-time CST recurring
no ip source-route
!
ip multicast-routing distributed
!
!
!
!
!
!
!
!
!
!
no ip bootp server
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
flow exporter Cascade
destination 172.xx.x.xx
!
!
flow monitor CasMon
exporter Cascade
record netflow-original
!
!
!
!
crypto pki trustpoint TP-self-signed-2293929639
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2293929639
revocation-check none
rsakeypair TP-self-signed-2293929639
!
!
!
spanning-tree extend system-id
!
!
redundancy
mode none
!
!
no cdp run
!
ip tcp synwait-time 10
!
!
!
!
!
interface GigabitEthernet0/0/0
description Inside Office
ip address 172.16.16.2 255.255.255.128
ip helper-address 172.16.16.15
no ip redirects
ip nat inside
ip pim sparse-dense-mode
ip flow monitor CasMon input
ip access-group 107 in
standby 1 ip 172.16.16.1
standby 1 priority 80
standby 1 preempt
media-type rj45
speed 100
no negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/0/1
description ISP Side
bandwidth 20480
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-dense-mode
ip nbar protocol-discovery
ip flow monitor CasMon input
speed 100
no negotiation auto
!
interface GigabitEthernet0/0/1.1
description VPN VLAN
encapsulation dot1Q 2291
ip address 192.168.0.18 255.255.255.252
ip flow monitor CasMon input
ip policy route-map vpndia
no cdp enable
!
interface GigabitEthernet0/0/1.2
description DIA
encapsulation dot1Q 200
ip address 64.215.113.38 255.255.255.252
ip nat outside
ip flow monitor CasMon input
ip policy route-map vpndia
no cdp enable
ip virtual-reassembly
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
router bgp 21616
bgp log-neighbor-changes
network 172.16.16.0 mask 255.255.255.128
neighbor 192.168.0.17 remote-as 3549
neighbor 192.168.0.17 version 4
neighbor 192.168.0.17 soft-reconfiguration inbound
!
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source list 13 interface GigabitEthernet0/0/1.2 overload
ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
no ip http server
ip http authentication local
ip http secure-server
ip http secure-ciphersuite rc4-128-sha
ip http timeout-policy idle 60 life 86400 requests 10000
ip tftp source-interface GigabitEthernet0/0/0
ip default-network 204.76.10.0
ip route 0.0.0.0 0.0.0.0 64.215.113.37
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
ip bgp-community new-format
!
logging trap debugging
logging host 172.20.1.20
access-list 13 permit any
access-list 99 permit 0.0.0.0
access-list 107 permit tcp host 172.20.1.99 eq tacacs host 172.16.16.2
access-list 107 deny tcp any any eq 161
access-list 107 deny tcp any any eq 162
access-list 107 deny tcp any any eq 199
access-list 107 deny udp any any eq 199
access-list 107 deny tcp any any eq 391
access-list 107 deny udp any any eq 391
access-list 107 deny tcp any any eq 705
access-list 107 deny tcp any any eq 1993
access-list 107 deny udp any any eq 1993
access-list 107 permit ip any any
access-list 110 remark admin access
access-list 110 remark SDM_ACL Category=1
access-list 110 permit ip 172.0.0.0 0.255.255.255 any
access-list 110 permit ip 204.76.10.0 0.0.0.255 any
access-list 110 permit ip 204.76.13.0 0.0.0.255 any
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
access-list 110 deny ip any any
access-list 120 permit ip 172.0.0.0 0.255.255.255 any
access-list 120 permit ip 204.76.10.0 0.0.0.255 any
access-list 120 permit ip 204.76.13.0 0.0.0.255 any
access-list 120 permit ip 192.168.0.0 0.0.255.255 any
access-list 190 permit ip any any precedence critical
access-list 191 permit tcp any eq www any
access-list 191 permit tcp any eq 443 any
!
route-map vpndia permit 10
match ip address 120
set default interface GigabitEthernet0/0/1.1
!
route-map vpndia permit 20
set default interface GigabitEthernet0/0/1.2
!
!
tacacs-server timeout 10
tacacs-server directed-request
tacacs server AUTH
address ipv4 172.20.1.99
!
!
!
control-plane
!
banner login ^C
You have accessed a confidential and proprietary computing network. Access beyond this point is unlawful without previous authorization from NECA.^C
!
line con 0
exec-timeout 5 0
accounting connection tac_acct
accounting commands 15 tac_acct
accounting exec tac_acct
transport output telnet
stopbits 1
line aux 0
exec-timeout 4 0
accounting connection tac_acct
accounting commands 15 tac_acct
accounting exec tac_acct
transport output telnet
stopbits 1
line vty 0 4
access-class 110 in
exec-timeout 4 0
privilege level 15
accounting connection tac_acct
accounting commands 15 tac_acct
accounting exec tac_acct
length 0
transport input ssh
!
!
end
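Added example, not code from this thread: a small Python audit over a constructed excerpt of the St. Louis config posted above. It lists interfaces whose `ip policy route-map vpndia` can steer packets toward the `ip nat outside` DIA sub-interface while the interfaces themselves are not `ip nat inside`; on IOS, `ip nat inside source` only translates packets that entered an `ip nat inside` interface, so this is one thing to verify when VPN-sourced traffic reaches the DIA router but gets no Internet replies.

```python
import re
# Constructed excerpt of the St. Louis config posted above (unrelated lines omitted).
STLOUIS_EXCERPT = """\
interface GigabitEthernet0/0/0
 ip nat inside
!
interface GigabitEthernet0/0/1.1
 ip policy route-map vpndia
!
interface GigabitEthernet0/0/1.2
 ip nat outside
 ip policy route-map vpndia
!
route-map vpndia permit 10
 match ip address 120
 set default interface GigabitEthernet0/0/1.1
!
route-map vpndia permit 20
 set default interface GigabitEthernet0/0/1.2
"""

def parse_stanzas(cfg, keyword):
    """Return {header: [indented sub-lines]} for each top-level '<keyword> ...' block."""
    stanzas, current = {}, None
    for line in cfg.splitlines():
        if line.startswith(keyword + " "):
            current = line[len(keyword) + 1:].strip()
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return stanzas

def route_map_egress(cfg):
    """Map route-map name -> every interface its clauses can steer traffic to."""
    egress = {}
    for header, body in parse_stanzas(cfg, "route-map").items():
        for sub in body:
            m = re.match(r"set (?:default )?interface (\S+)", sub)
            if m:
                egress.setdefault(header.split()[0], set()).add(m.group(1))
    return egress

def untranslated_pbr_ingress(cfg):
    """Ingress interfaces that are not 'ip nat inside' but whose route-map can push
    traffic out an 'ip nat outside' interface (inside-source NAT skips such packets)."""
    ifaces = parse_stanzas(cfg, "interface")
    nat_outside = {n for n, b in ifaces.items() if "ip nat outside" in b}
    egress = route_map_egress(cfg)
    findings = []
    for name, body in ifaces.items():
        rm = [s.split()[-1] for s in body if s.startswith("ip policy route-map ")]
        if rm and name not in nat_outside and "ip nat inside" not in body \
                and egress.get(rm[0], set()) & nat_outside:
            findings.append(name)
    return sorted(findings)
```

On the excerpt this flags GigabitEthernet0/0/1.1, the VPN VLAN sub-interface that Omaha and Denver traffic arrives on.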
12-27-2017 10:51 AM
Hello,
thanks for the configs, I will have a look...
12-27-2017 11:37 AM
Hello,
on your St. Louis router, what is the purpose of the route map on the outgoing interface ?
interface GigabitEthernet0/0/1.2
description DIA
encapsulation dot1Q 200
ip address 64.215.113.38 255.255.255.252
ip nat outside
ip flow monitor CasMon input
ip policy route-map vpndia
no cdp enable
ip virtual-reassembly
Try and delete that from the interface configuration. The rest of your NAT configuration and the routing looks good.
12-27-2017 11:47 AM
Thanks...Let me try that in the morning and I will let you know...
12-28-2017 04:34 AM
Same result. Hits the VPN ip but not the DIA...