I got an email from a fellow IT guy asking about NAT'ing VPN traffic on a Cisco router. He referenced a post I made back in 2011, but after we started talking I realized that post was for an ASA. So, I thought I should post how you would do this on a Cisco router. Thanks J for asking me to do this. I should have done this sooner. Here is the configuration for the router, with notes explaining what is going on in each part of the config below. Also note that on ACLs I tend to use numbers; use what you like. Name your route-map whatever you like as well, it makes no difference.
Phase I config:
crypto isakmp policy 10
encryption aes
hash md5
authentication pre-share
group 2
Set your peer and VPN pre-shared key. Use 'no-xauth' so that the site-to-site VPN doesn't have to 'login':
crypto isakmp key PASSKEY address 4.4.2.2 no-xauth
crypto isakmp keepalive 20 3 periodic
Phase II config. Transform-set is called 'to_remote':
crypto ipsec transform-set to_remote esp-aes 256 esp-sha-hmac
Configure the NAT. ACL 133 matches the source address range 192.168.108.0/24 to the destinations 192.168.75.0/24 and 192.168.76.0/24:
access-list 133 permit ip 192.168.108.0 0.0.0.255 192.168.76.0 0.0.0.255
access-list 133 permit ip 192.168.108.0 0.0.0.255 192.168.75.0 0.0.0.255
Create a route-map called 'static-vpn' and match traffic to ACL 133:
route-map static-vpn
match ip address 133
Create a NAT pool named NAT-POOL for the public IP address (or range) you want to NAT to. In this case, I'm NAT'ing to 10.50.1.10:
ip nat pool NAT-POOL 10.50.1.10 10.50.1.10 netmask 255.255.255.255
Create a NAT rule to use the route-map 'static-vpn'. Upon a match to ACL 133, NAT that traffic to one of the NAT-POOL addresses (10.50.1.10):
ip nat inside source route-map static-vpn pool NAT-POOL overload
Once you have configured the NAT, you need to modify the interesting traffic. Your 'interesting traffic' ACL 121 needs to look like this below, where 10.50.1.10 is the IP address you are NAT'ing to:
access-list 121 permit ip host 10.50.1.10 192.168.76.0 0.0.0.255
access-list 121 permit ip host 10.50.1.10 192.168.75.0 0.0.0.255
Define your VPN peer, apply phase II and matching ACL for interesting traffic:
crypto map to_clearwinds 5 ipsec-isakmp
set peer 4.4.2.2
set transform-set to_remote
match address 121
qos pre-classify
Apply the crypto map to the public interface and tell the public interface that its part in NAT is on the public side:
interface GigabitEthernet0/0
ip address 12.X.X.186 255.255.255.248
ip nat outside
crypto map to_clearwinds
Tell the inside interface that its part in NAT is the internal side:
interface GigabitEthernet0/1
ip address 192.168.108.1 255.255.255.0
ip nat inside
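A consistency check for the configuration above, as an added example that is not part of the original post: it parses the NAT route-map, pool, crypto ACL and crypto map out of a constructed copy of this post's config and reports the mismatches that quietly break NAT-before-VPN (a crypto ACL still written with the pre-NAT source, a destination the NAT ACL does not cover, or a crypto map applied to the interface under a name other than the one defined). The function names and the CONFIG sample are my own.

```python
import re
from ipaddress import IPv4Address, IPv4Network
# Constructed sample: the post's config cut down to the NAT and crypto lines the checker reads.
CONFIG = """\
access-list 133 permit ip 192.168.108.0 0.0.0.255 192.168.76.0 0.0.0.255
access-list 133 permit ip 192.168.108.0 0.0.0.255 192.168.75.0 0.0.0.255
route-map static-vpn
 match ip address 133
ip nat pool NAT-POOL 10.50.1.10 10.50.1.10 netmask 255.255.255.255
ip nat inside source route-map static-vpn pool NAT-POOL overload
access-list 121 permit ip host 10.50.1.10 192.168.76.0 0.0.0.255
access-list 121 permit ip host 10.50.1.10 192.168.75.0 0.0.0.255
crypto map to_clearwinds 5 ipsec-isakmp
 match address 121
interface GigabitEthernet0/0
 crypto map to_clearwinds
"""
ACE = re.compile(r"^access-list (\d+) permit ip (host \S+|\S+ \S+) (host \S+|\S+ \S+)", re.M)

def acl(config, number):
    """(src, dst) networks of a numbered 'permit ip' ACL: 'host A' -> A/32, 'A WILD' -> hostmask form."""
    def net(f):
        return IPv4Network(f"{f.split()[1]}/32" if f.startswith("host ") else f.replace(" ", "/"))
    return [(net(s), net(d)) for n, s, d in ACE.findall(config) if n == number]

def grab(pattern, config):
    """Groups of the first multiline match, or None."""
    m = re.search(pattern, config, re.M)
    return m.groups() if m else None

def check_nat_before_vpn(config):
    """Findings as strings; an empty list means pool, NAT ACL, crypto ACL and crypto map agree."""
    nat = grab(r"^ip nat inside source route-map (\S+) pool (\S+)", config)
    nat_acl = nat and grab(rf"^route-map {re.escape(nat[0])}\b.*\n match ip address (\d+)", config)
    pool = nat and grab(rf"^ip nat pool {re.escape(nat[1])} (\S+) (\S+)", config)
    crypto = grab(r"^crypto map (\S+) \d+ ipsec-isakmp\n(?: .*\n)*? match address (\d+)", config)
    applied = grab(r"^interface \S+\n(?: .*\n)*? crypto map (\S+)", config)
    if not (nat_acl and pool and crypto):
        return ["NAT route-map statement, its ACL, its pool, or the crypto map 'match address' not found"]
    lo, hi = (IPv4Address(x) for x in pool)
    nat_dsts = {d for _, d in acl(config, nat_acl[0])}
    findings = []
    for src, dst in acl(config, crypto[1]):
        # The crypto ACL describes post-NAT traffic, so every source must be a pool address.
        if src.prefixlen != 32 or not lo <= src.network_address <= hi:
            findings.append(f"crypto ACL {crypto[1]}: source {src} is not a NAT pool address")
        if dst not in nat_dsts:
            findings.append(f"crypto ACL {crypto[1]}: destination {dst} is not matched by NAT ACL {nat_acl[0]}")
    if not applied or applied[0] != crypto[0]:
        findings.append(f"interface applies crypto map {applied[0] if applied else None}, expected {crypto[0]}")
    return findings
```

Running `check_nat_before_vpn(CONFIG)` on the sample returns an empty list; swap the interface's crypto map name or put the pre-NAT 192.168.108.0/24 source back into ACL 121 and it names the problem.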
This is the retired Shane Killen personal blog, an IT technical blog about configs and topics related to the Network and Security Engineer working with Cisco, Brocade, Check Point, Palo Alto, and SonicWall. I hope this blog serves you well. -- May The Lord bless you and keep you. May He shine His face upon you, and bring you peace.
Hi, thank you for your article, it is very understandable
I have a similar scenario, but with two NATs:
ip nat pool NAT-VPN 10.161.254.64 10.161.254.64 netmask 255.255.255.252
ip nat inside source list ACL-NAT-VPN pool NAT-VPN overload
ip nat inside source list NAT interface FastEthernet4 overload
Is this possible?