Here are my sub interfaces:

interface GigabitEthernet0/2.1
 description POS Zone, Out PCI Scope, Non CDE
 encapsulation dot1Q 1 native
 ip address 192.168.1.2 255.255.255.224
 
interface GigabitEthernet0/2.2
 description Kiosk and Backroom Zone, Out of PCI Scope, No CDE
 encapsulation dot1Q 2
 ip address 192.168.244.1 255.255.255.0
 
interface GigabitEthernet0/2.3
 description Wireless Zone, Out of PCI Scope, No CDE
 encapsulation dot1Q 3
 ip address 192.168.233.1 255.255.255.224
 
interface GigabitEthernet0/2.4
 description Unfiltered Internet, Out of PCI Scope, No CDE, !IR Configuration Only!
 encapsulation dot1Q 4
 ip address 192.168.220.1 255.255.255.224
 
interface GigabitEthernet0/2.5
 description EFT Communications, In PCI Scope, CDE
 encapsulation dot1Q 5
 ip address 192.168.122.1 255.255.255.224

I don't see nat enabled on your subinterfaces. Can you post the complete config of g0/2.1 for starters and the wan interface (removing the public address), the nat config and any acls used in nat?

Thanks,

John

interface GigabitEthernet0/0
 description Primary Link to Internet WAN1 - Static
 ip ddns update hostname FOC1*******
 ip ddns update dyndns host dynamiknow.ipass.com
 ip address 64.237.x.x 255.255.255.248
 ip access-group Wan_2_Local in
 ip access-group Wan_2_Internet out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip nat outside
 ip nat enable
 ip virtual-reassembly in
 standby version 2
 standby 1 ip 64.237.x.x
 standby 1 timers 5 15
 standby 1 priority 101
 standby 1 preempt
 standby 1 authentication *H4L
 standby 1 name *_WAN1
 standby 1 track 456 decrement 10
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
 crypto map Broadband

interface GigabitEthernet0/2.1
 description POS Zone, Out PCI Scope, Non CDE
 encapsulation dot1Q 1 native
 ip address 192.168.1.2 255.255.255.224
 ip access-group POS-IR_VLAN_In in
 ip access-group DENY_SUBNETS out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip mtu 1400
 ip nat inside
 ip nat enable
 ip inspect DEFAULT100 in
 ip inspect DEFAULT100 out
 ip virtual-reassembly in
 ip verify unicast source reachable-via rx
 standby version 2
 standby 3 ip 192.168.1.1
 standby 3 timers 5 15
 standby 3 priority 101
 standby 3 preempt
 standby 3 authentication *L@n
 standby 3 name *_LAN
 standby 3 track 456 decrement 10
 no ip route-cache
 ip tcp adjust-mss 1360
 ntp disable

ip nat inside source route-map INTERNET interface GigabitEthernet0/0 overload
ip nat inside source route-map INTERNET_DIAL interface GigabitEthernet0/1 overload

ip route 172.30.183.128 255.255.255.192 GigabitEthernet0/2.1
ip route 172.30.183.128 255.255.255.192 GigabitEthernet0/2.2
ip route 172.30.183.128 255.255.255.192 GigabitEthernet0/2.3
ip route 172.30.183.128 255.255.255.192 GigabitEthernet0/2.4
ip route 172.30.183.128 255.255.255.192 GigabitEthernet0/2.5

route-map INTERNET permit 10
 match ip address 110
 match interface GigabitEthernet0/0
 set ip next-hop 64.237.117.145
!
route-map INTERNET_DIAL permit 10
 match ip address 110
 match interface GigabitEthernet0/1
 set ip next-hop 2.2.2.1

Gateway of last resort is 2.2.2.1 to network 0.0.0.0

S*    0.0.0.0/0 [200/0] via 2.2.2.1
      2.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        2.2.2.0/29 is directly connected, GigabitEthernet0/1
L        2.2.2.2/32 is directly connected, GigabitEthernet0/1
      4.0.0.0/32 is subnetted, 3 subnets
S        4.2.2.1 is directly connected
S        4.2.2.2 [200/0] via 2.2.2.1
S        4.2.2.3 is directly connected
      7.0.0.0/28 is subnetted, 1 subnets
S        7.7.7.16 is directly connected, GigabitEthernet0/0
      8.0.0.0/32 is subnetted, 1 subnets
S        8.8.8.8 [200/0] via 2.2.2.1
      64.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        64.237.x.x/29 is directly connected, GigabitEthernet0/0
L        64.237.x.x/32 is directly connected, GigabitEthernet0/0
      156.79.0.0/32 is subnetted, 3 subnets
S        156.79.x.x [200/0] via 2.2.2.1
S        156.79.x.x [1/0] via 64.237.117.145
S        156.79.x.x [1/0] via 64.237.117.145
      172.29.0.0/27 is subnetted, 1 subnets
S        172.29.0.0 [200/0] via 2.2.2.1
      172.30.0.0/16 is variably subnetted, 2 subnets, 2 masks
S        172.30.63.224/27 [200/0] via 2.2.2.1
S        172.30.183.128/26 is directly connected, GigabitEthernet0/2.5
                           is directly connected, GigabitEthernet0/2.4
                           is directly connected, GigabitEthernet0/2.3
                           is directly connected, GigabitEthernet0/2.2
                           is directly connected, GigabitEthernet0/2.1
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/27 is directly connected, GigabitEthernet0/2.1
L        192.168.1.2/32 is directly connected, GigabitEthernet0/2.1
      192.168.122.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.122.0/27 is directly connected, GigabitEthernet0/2.5
L        192.168.122.1/32 is directly connected, GigabitEthernet0/2.5
S     192.168.168.0/23 [200/0] via 2.2.2.1
S     192.168.170.0/23 [200/0] via 2.2.2.1
      192.168.220.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.220.0/27 is directly connected, GigabitEthernet0/2.4
L        192.168.220.1/32 is directly connected, GigabitEthernet0/2.4
      192.168.233.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.233.0/27 is directly connected, GigabitEthernet0/2.3
L        192.168.233.1/32 is directly connected, GigabitEthernet0/2.3
      192.168.244.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.244.0/24 is directly connected, GigabitEthernet0/2.2
L        192.168.244.1/32 is directly connected, GigabitEthernet0/2.2
      216.231.x.x/32 is subnetted, 1 subnets
S        216.231.x.x [1/0] via 64.237.117.145
      216.231.x.x/32 is subnetted, 1 subnets
S        216.231.x.x [200/0] via 2.2.2.1
S     216.231.x.x/24 [200/0] via 2.2.2.1

HM-HUB025-WIN64-3925-Primary#ping 4.2.2.2 source gigabitEthernet 0/2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/90/96 ms
HM-HUB025-WIN64-3925-Primary#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 2.2.2.2:1794      192.168.1.2:1794   4.2.2.2:1794       4.2.2.2:1794

When I ping a host on the other end of the tunnel, it never translates to the unique subnet assigned.

HM-HUB025-WIN64-3925-Primary#ping 192.168.169.68 source gigabitEthernet 0/2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.169.68, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.2
....
Success rate is 0 percent (0/4)
HM-HUB025-WIN64-3925-Primary#sh ip nat tr
HM-HUB025-WIN64-3925-Primary#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 172.30.183.129     192.168.1.1        ---                ---
--- 172.30.183.130     192.168.1.4        ---                ---
--- 172.30.183.131     192.168.1.5        ---                ---
--- 172.30.183.132     192.168.1.6        ---                ---
--- 172.30.183.133     192.168.1.7        ---                ---
--- 172.30.183.134     192.168.1.8        ---                ---
--- 172.30.183.135     192.168.1.9        ---                ---

I Get Matches so I am just lost now. What did I miss? 2.2.2.0/29 subnet is just a randowm subnet we assigned behind our 3G/4G device connected to the backup interface Gig0/1

First, take the "ip nat enable" config off of the interface. You're not using the NVI for nat in your current nat config. IP Nat enable is for when you're using ip nat statements with no direction.

Second, so are you telling us that it nats fine outside of the tunnel, but it doesn't work over the tunnel?

Ya sorry about those, ip nat enable statements. I added after I did not see Nat working to see if it made a difference. Of course it did not.

Yes, so Nat overload works but Nat thru IPSEC tunnel does not.

Here is my encryption ACL. On 1811 router, everything works.

ip access-list extended To-*
 permit ip 172.30.183.128 0.0.0.63 host 139.131.98.23
 permit ip 172.30.183.128 0.0.0.63 192.168.168.0 0.0.1.255
 permit ip 172.30.183.128 0.0.0.63 192.168.170.0 0.0.1.255
 permit ip 172.30.183.128 0.0.0.63 7.7.7.16 0.0.0.15
 permit ip 172.30.183.128 0.0.0.63 192.168.21.192 0.0.0.15
 permit ip 172.30.183.128 0.0.0.63 172.30.63.224 0.0.0.31

crypto map Broadband 25 ipsec-isakmp 
 description *** Broadband IPSEC to Concentrators at * ***
 dialer pre-classify
 set peer 156.79.106.7
 set transform-set *mark 
 match address To-*

Unless someone else comes along and can see the problem, I'll have to lab this up tonight to see if I can replicate it. Have you looked at Cisco bugtraq to see if you can find anything related to this?

Hi,

I have a similar situation on a 3925 running IOS 15.3.3M5.  I noticed that if I add my config, and then straight away ping from a remove host through the VPN, the first ping responded, but then never again.   If I remove and add my NAT statement, it was reproducible.

If I do this using separate interfaces as opposed to subinterfaces then I have no problem.

Did you manage to get to the bottom of your problem?