Make traffic between IPSec end-points and Internet via Cisco CSR1000v

javad.fattahi
Level 1

I made an IPsec tunnel between our CSR 1000v (AWS) and the LTE service provider router (ASR), and I can ping both sides of the tunnel with the following architecture:

           |<---> internet <---> 134.231.4.100 web server
CSR 1000v: |GigabitEthernet1 12.21.0.134 (mapped to Elastic IP 54.154.54.AAA)
           |GigabitEthernet2 12.21.4.50 (private sub-net)
           |
IPSec Tunnel | ASR: 10.0.16.1 (mapped to Elastic IP 54.229.30.BBB) | Field Device 10.0.16.100

We need to access our web server with the public IP 134.231.4.100, and by setting up NAT I can access it (or any public IP address) from a host within the 12.21.0.0/16 range, where the NAT access list is set as:

CSR1000#show access-lists
Standard IP access list GS_NAT_ACL
10 permit 192.168.35.0, wildcard bits 0.0.0.255
Extended IP access list NAT-LAN
10 permit ip 12.21.4.0 0.0.0.255 any

I also need to allow traffic from the nodes behind the IPsec tunnel (10.0.16/22), so I extended the NAT-LAN access list to:

CSR1000#show access-lists NAT-LAN
Extended IP access list NAT-LAN
10 permit ip 12.21.4.0 0.0.0.255 any
20 permit ip 10.0.16.0 0.0.0.255 any

but I cannot ping the web server from the field device 10.0.16.100 (or the other nodes behind the IPsec tunnel). Could you please let me know if I need to add/modify the configuration in order to give internet access to the devices in the field (or forward the traffic from the IPsec nodes to the internet)?

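One check worth running against the access lists in the post above (an added example, not code from the original thread or from Cisco): the field network is described as 10.0.16/22, but entry 20 of NAT-LAN uses the wildcard 0.0.0.255, which only covers 10.0.16.0/24. The script below converts IOS address/wildcard pairs to prefixes, reports which NAT-LAN entry a given source address would hit, and lists the part of an intended range that no entry covers. The ACL entries are copied from the post; the sample host addresses other than 10.0.16.100 are constructed for illustration. Separately, IOS only translates packets that enter an interface marked `ip nat inside`, so the tunnel interface the field traffic arrives on needs that too; that is general NAT behaviour, not something the post confirms about this router.

```python
import ipaddress

# NAT-LAN entries as shown in the post: (sequence, source address, wildcard).
NAT_LAN_ACL = [
    (10, "12.21.4.0", "0.0.0.255"),
    (20, "10.0.16.0", "0.0.0.255"),
]

# Remote range the post says sits behind the IPsec tunnel.
FIELD_RANGE = "10.0.16.0/22"


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into an ipaddress network.

    In a wildcard mask a 1 bit means "don't care", so the prefix mask is the
    bitwise inverse. Only contiguous wildcards (the normal case) are accepted.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    mask = (~w) & 0xFFFFFFFF
    prefix_len = bin(mask).count("1")
    # Reject masks such as 0.255.0.255 that are not a clean prefix.
    if mask != ((0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF):
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)


def matching_entry(acl, src):
    """Sequence number of the first entry whose source covers src, or None."""
    host = ipaddress.IPv4Address(src)
    for seq, addr, wildcard in acl:
        if host in wildcard_to_network(addr, wildcard):
            return seq
    return None


def uncovered_subnets(acl, intended):
    """Address ranges inside `intended` that no ACL entry covers, sorted."""
    covered = [wildcard_to_network(a, w) for _, a, w in acl]
    remaining = [ipaddress.ip_network(intended)]
    for net in covered:
        nxt = []
        for r in remaining:
            if not r.overlaps(net):
                nxt.append(r)            # untouched by this entry
            elif net.supernet_of(r):
                continue                 # fully covered, drop it
            else:
                nxt.extend(r.address_exclude(net))  # carve out the covered part
        remaining = nxt
    return sorted(remaining)


if __name__ == "__main__":
    # 10.0.16.100 is the field device from the post; the others are constructed
    # hosts elsewhere in the stated /22 to show the gap in the ACL.
    for src in ("12.21.4.50", "10.0.16.100", "10.0.17.5", "10.0.18.7"):
        print(f"{src:12} -> NAT-LAN entry {matching_entry(NAT_LAN_ACL, src)}")
    print("Not covered by NAT-LAN:", [str(n) for n in uncovered_subnets(NAT_LAN_ACL, FIELD_RANGE)])
```

Running it shows 10.0.16.100 does match entry 20, while 10.0.17.0/24 and 10.0.18.0/23 fall outside NAT-LAN entirely; if devices live in those ranges a wildcard of 0.0.3.255 on entry 20 would cover the whole /22.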