When you ping internal devices in the networks that are not reachable, do the decrypt counters in "sh crypto ipsec sa" increase? Then the client can successfully send the packets but the return path fails.
What is your complete NAT-config?
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni