The OpenNET Project / Index page




"NAT"
Forum: CISCO routers and other equipment.

Message from sidsoftemail (ok), 01-Apr-13, 13:44
>[overquoting removed]
> !
> ip access-list extended NAT
> permit 192.168.1.0 0.0.0.255 host 1.1.1.1
> !
> To be honest, I didn't quite fully "get" your config (you didn't post
> all of it either).
> Why make a pool if you only have one address each??
> -- 20.20.20.20 20.20.20.20 --
> --10.10.10.10 10.10.10.10  --
> --  30.30.30.30 30.30.30.30  --

Thank you so much, McS555!
Only thanks to you did I really see the LIGHT!
You gave the lines, I followed them... strange that icmp echo does not go through from the "local network" (LAN IP: 192.168.20.0/24); from the CISCO itself icmp echo (simply put, PINGs) reaches host 1.1.1.1, but when pinging from the LAN from two hosts (192.168.20.65 and 192.168.20.200) it does not... strange, and with the command

CISCO-881#show ip nat translations | include 1.1.1.1
icmp 192.168.199.2:7363 192.168.20.65:7363 1.1.1.1:7363 1.1.1.1:7363
icmp 192.168.199.2:11098 192.168.20.200:11098 1.1.1.1:11098 1.1.1.1:8
CISCO-881#
you can see that there seems to be a translation... but no icmp echo.
Pings from the CISCO itself:
CISCO-881#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/25/28 ms
CISCO-881#

Current CONFIG:
CISCO-881#show config
Using 13648 out of 262136 bytes
!
! Last configuration change at 14:41:44 UTC Sun Mar 31 2013 by root
! NVRAM config last updated at 14:41:45 UTC Sun Mar 31 2013 by root
! NVRAM config last updated at 14:41:45 UTC Sun Mar 31 2013 by root
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname CISCO-881
!
boot-start-marker
boot-end-marker
!
!
enable secret 5
enable password 7
!
aaa new-model
!
!
aaa authentication ppp default local
aaa authorization network default local
!
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
!
!
no ip bootp server
ip domain name ххххх.ru
ip name-server 192.168.20.1
ip name-server 192.168.20.8
ip cef
no ipv6 cef
!
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
  protocol pptp
  virtual-template 1
!
license udi pid CISCO881
!
!
archive
log config
  hidekeys
!
no spanning-tree vlan 1
no spanning-tree vlan 2
no spanning-tree vlan 3
no spanning-tree vlan 4
username root privilege 15 password 7
username derek password 7
!
track 100 ip sla 100 reachability
!
track 200 ip sla 200 reachability
!
track 300 ip sla 300 reachability
!
!
crypto isakmp policy 11
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key ***** address 50.50.50.50
!
!
crypto ipsec transform-set ANKS esp-3des esp-md5-hmac
!
crypto ipsec profile IPSEC
set transform-set ANKS
!
interface Tunnel1
description TS
bandwidth 10000
ip address 192.168.10.2 255.255.255.252
ip mtu 1468
tunnel source Vlan2
tunnel destination xx.xx.xx.xx
!
interface Tunnel2
description PRIVATE-SERVICE
ip address 192.168.199.2 255.255.255.252
ip nat outside
ip virtual-reassembly in
tunnel source Vlan3
tunnel destination 50.50.50.50
tunnel protection ipsec profile IPSEC
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
switchport access vlan 2
no ip address
!
interface FastEthernet2
switchport access vlan 3
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
shutdown
duplex auto
speed auto
!
interface Virtual-Template1
ip unnumbered Vlan1
ip nat inside
ip virtual-reassembly in
peer default ip address pool vpnclient
ppp encrypt mppe auto
ppp authentication chap eap ms-chap ms-chap-v2 pap
!
interface Vlan1
description LAN
ip address 192.168.20.230 255.255.255.0
ip address 192.168.30.1 255.255.255.0 secondary
ip nat inside
ip virtual-reassembly in max-reassemblies 64
ip tcp adjust-mss 1452
!
interface Vlan2
description TELECOM1
ip address 10.10.10.10 255.255.255.0
ip mtu 1492
ip flow ingress
ip nat outside
ip virtual-reassembly in max-reassemblies 64
!
interface Vlan3
description TELECOM2
ip address 20.20.20.20 255.255.255.252
ip mtu 1492
ip nat outside
ip virtual-reassembly in max-reassemblies 64
!
ip local policy route-map RMAP
ip local pool vpnclient 192.168.30.2 192.168.30.50
ip forward-protocol nd
no ip http server
no ip http secure-server
ip flow-export version 5
ip flow-export destination 192.168.20.242 5678
!
ip nat pool TELECOM1Pool 10.10.10.10 10.10.10.10 netmask 255.255.255.0
ip nat pool TELECOM2Pool 20.20.20.20 20.20.20.20 netmask 255.255.255.252
ip nat inside source list PRIVATE-SERVICE_NAT interface Tunnel2 overload
ip nat inside source route-map TELECOM1_NAT pool TELECOM1Pool overload
ip nat inside source route-map TELECOM2_NAT pool TELECOM2Pool overload
ip route 0.0.0.0 0.0.0.0 10.10.10.9 10 track 100
ip route 0.0.0.0 0.0.0.0 20.20.20.19 20 track 200
ip route 1.1.1.1 255.255.255.255 Tunnel2
!
ip access-list extended ACL_NAT
permit ip host 192.168.20.65 any
permit ip host 192.168.20.200 any
deny   ip host 192.168.20.0 0.0.0.255 1.1.1.1
ip access-list extended ACL_SLA_TELECOM1
permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended ACL_SLA_TELECOM2
permit ip 20.20.20.0 0.0.0.255 any
ip access-list extended PRIVATE-SERVICE_NAT
permit ip 192.168.20.0 0.0.0.255 host 1.1.1.1
!
ip sla 100
icmp-echo 8.8.8.8 source-ip 10.10.10.10
frequency 5
ip sla schedule 100 life forever start-time now
ip sla 200
icmp-echo 8.8.8.8 source-ip 20.20.20.20
frequency 5
ip sla schedule 200 life forever start-time now
access-list 23 permit 192.168.20.65
access-list 23 permit 192.168.20.200
no cdp run
!
route-map RMAP permit 10
match ip address ACL_SLA_TELECOM1
set ip next-hop 10.10.10.254
!
route-map RMAP permit 20
match ip address ACL_SLA_TELECOM2
set ip next-hop 20.20.20.19
!
route-map TELECOM1_NAT permit 100
match ip address ACL_NAT
match interface Vlan2
!
route-map TELECOM2_NAT permit 100
match ip address ACL_NAT
match interface Vlan3
!
snmp-server community public RO
snmp-server community private RW
!
!
!
line con 0
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
transport output telnet ssh
!
scheduler max-task-time 5000
!
end
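As an added illustration (not code from the post, and not a Cisco tool), here is a small Python model of how this config picks an egress interface and a NAT rule for a packet from the LAN: longest-prefix route first, then the first `ip nat inside source` rule whose ACL matches and, for the route-map rules, whose `match interface` equals the egress interface. It assumes both tracked default routes are up and ignores the malformed `deny` line in ACL_NAT.

```python
# Added model (not from the post) of how the posted CISCO-881 config picks
# an egress interface and a NAT rule for an inside->outside packet. Assumes
# both tracked default routes are up and ignores the malformed "deny" line
# of ACL_NAT; a route-map rule needs both its ACL and "match interface" to hit.
from ipaddress import ip_address, ip_network as net

# Routing table from the config: (prefix, egress interface, admin distance)
ROUTES = [
    (net("0.0.0.0/0"), "Vlan2", 10),    # via 10.10.10.9, track 100
    (net("0.0.0.0/0"), "Vlan3", 20),    # via 20.20.20.19, track 200
    (net("1.1.1.1/32"), "Tunnel2", 1),  # ip route 1.1.1.1 255.255.255.255 Tunnel2
]

# Extended ACLs as (action, source network, destination network)
ACLS = {
    "ACL_NAT": [("permit", net("192.168.20.65/32"), net("0.0.0.0/0")),
                ("permit", net("192.168.20.200/32"), net("0.0.0.0/0"))],
    "PRIVATE-SERVICE_NAT": [("permit", net("192.168.20.0/24"), net("1.1.1.1/32"))],
}

# "ip nat inside source" rules in config order:
# (ACL name, egress interface a route-map requires or None, inside-global address)
NAT_RULES = [
    ("PRIVATE-SERVICE_NAT", None, "192.168.199.2"),  # list ... interface Tunnel2 overload
    ("ACL_NAT", "Vlan2", "10.10.10.10"),             # route-map TELECOM1_NAT, pool TELECOM1Pool
    ("ACL_NAT", "Vlan3", "20.20.20.20"),             # route-map TELECOM2_NAT, pool TELECOM2Pool
]

def acl_permits(name, src, dst):
    """First matching entry decides; an extended ACL ends with an implicit deny."""
    for action, s, d in ACLS[name]:
        if src in s and dst in d:
            return action == "permit"
    return False

def egress_interface(dst):
    """Longest prefix match first, then the lowest administrative distance."""
    matching = [r for r in ROUTES if dst in r[0]]
    return max(matching, key=lambda r: (r[0].prefixlen, -r[2]))[1]

def translate(src_str, dst_str):
    """Return (egress interface, inside-global address or None) for a LAN packet."""
    src, dst = ip_address(src_str), ip_address(dst_str)
    egress = egress_interface(dst)
    for acl, iface, global_addr in NAT_RULES:
        if iface in (None, egress) and acl_permits(acl, src, dst):
            return egress, global_addr
    return egress, None  # routed, but no NAT rule applies
```

For 192.168.20.65 -> 1.1.1.1 the model returns Tunnel2 and 192.168.199.2, which is exactly what the `show ip nat translations` output above shows, so the outbound translation is behaving as configured and the missing echo replies are not explained by NAT rule selection.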


Thread: NAT, sidsoft, 26-Mar-13, 13:19



Created 1996-2024 by Maxim Chirkov