Monday, July 26, 2021

Split tunnel QoS?

Good afternoon,

I've been racking my brain for a good 10 days now and can't really make sense of what I'm seeing.

I have (2) Cisco routers -- (1) at HQ and (1) at a site office. These (2) routers have an IPSec tunnel between them both (loosely) following this guide: http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html

I have (2) VLANs which I care about -- VLAN10 and VLAN20. VLAN10 is for LAN and VLAN20 is for Voice. The SIP provider is cloud based, so having voice traverse the tunnel just adds extra overhead/latency/etc., so I'd prefer a split tunnel approach.

This works, and works well... until I want QoS with NAT.

My configuration is as below:

!
version 15.5
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TEST01
!
boot-start-marker
boot-end-marker
!
enable secret 5 <NO DICE>
!
no aaa new-model
ethernet lmi ce
memory-size iomem 10
!
ip dhcp excluded-address 10.99.10.1 10.99.10.99
ip dhcp excluded-address 10.99.10.200 10.99.10.254
ip dhcp excluded-address 10.99.20.1 10.99.20.99
ip dhcp excluded-address 10.99.20.200 10.99.20.254
!
ip dhcp pool Data
 network 10.99.10.0 255.255.255.0
 update dns override
 default-router 10.99.10.1
 dns-server 10.0.200.10 10.0.200.20
!
ip dhcp pool Voice
 network 10.99.20.0 255.255.255.0
 default-router 10.99.20.1
 dns-server 8.8.8.8 8.8.4.4
!
no ip domain lookup
ip domain name <NO DICE>
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn <NO DICE>
!
username <NO DICE> password 7 <NO DICE>
!
class-map match-any class-voice
 match access-group name VLAN20
!
policy-map policy-voice
 class class-voice
  priority percent 25
policy-map policy-parent
 class class-default
  shape average percent 75
  service-policy policy-voice
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key VPN@Auth address IP_ADDRESS_GOES_HERE
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 5 periodic
!
crypto ipsec transform-set Encrypt-AES esp-aes esp-sha-hmac
 mode tunnel
!
crypto map VPN 10 ipsec-isakmp
 description *** IPSec Tunnel to TUN01 ***
 set peer IP_ADDRESS_GOES_HERE
 set transform-set Encrypt-AES
 match address VPN-Traffic
 qos pre-classify
!
interface FastEthernet0
 switchport access vlan 10
 no ip address
 spanning-tree portfast
!
interface FastEthernet1
 switchport access vlan 20
 no ip address
 spanning-tree portfast
!
!
!
interface FastEthernet4
 description *** WAN - ADSL - 10/1 MBit ***
 bandwidth 8500
 bandwidth receive 850
 ip address IP_ADDRESS_GOES_HERE 255.255.255.240
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map VPN
 service-policy output policy-parent
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description *** Data ***
 ip address 10.99.10.1 255.255.255.0
 ip virtual-reassembly in
!
interface Vlan20
 description *** Voice ***
 ip address 10.99.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
no ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list WAN-Traffic interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 24.114.6.193
ip ssh version 2
!
ip access-list extended VLAN20
 permit ip 10.99.20.0 0.0.0.255 any
ip access-list extended VPN-Traffic
 permit ip 10.99.10.0 0.0.0.255 any
 permit ip 10.99.20.0 0.0.0.255 any
ip access-list extended WAN-Traffic
!
control-plane
!
line con 0
 logging synchronous
 login local
 no modem enable
line aux 0
line vty 0 4
 password 7 <NO DICE>
 login local
 transport input ssh
!
!
end

In this current configuration, if I connect a workstation to port 1 (VLAN10), my traffic traverses the tunnel and if I issue the command "show policy-map interface fa4" -- I can see "class-default (match-any)" traffic counters increasing.

If I repeat the above with port 2 (VLAN20), I can see "class-voice" traffic counters increasing.

What I WANT to do is change my ACL to the following:

ip access-list extended VPN-Traffic
 permit ip 10.99.10.0 0.0.0.255 any
ip access-list extended WAN-Traffic
 permit ip 10.99.20.0 0.0.0.255 any

... But whenever I do this, "class-voice" traffic counters stop increasing and everything gets grouped as "class-default (match-any)" instead. I'm seriously at a loss here; it doesn't make sense to me why this is happening.

Any assistance or pointers would be greatly appreciated.

Thank you!
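One way to keep the voice class matching once VLAN20 is NATed instead of tunnelled, as an added example that is not part of the original post or any reply: the output policy on FastEthernet4 classifies after NAT has rewritten the source to the WAN address, so a class that matches an ACL on 10.99.20.0/24 no longer sees that source there, and qos pre-classify only covers packets entering the crypto map. Marking the packets on the inside Vlan20 interface, before NAT, and matching the mark in the WAN policy avoids this. The policy name mark-voice, the qos-group value 1, and the 881 accepting an input service-policy with set qos-group on an SVI are assumptions.

```cisco
! Added example, not the poster's config. Assumptions: policy name
! mark-voice, qos-group value 1, input service-policy supported on Vlan20.
!
! Mark every packet arriving from the Voice SVI with qos-group 1. The mark
! is internal to the router and is not touched by the NAT rewrite.
policy-map mark-voice
 class class-default
  set qos-group 1
!
interface Vlan20
 service-policy input mark-voice
!
! Match the mark instead of the pre-NAT source address. The output policy on
! FastEthernet4 (policy-parent -> policy-voice) stays exactly as it is.
class-map match-any class-voice
 no match access-group name VLAN20
 match qos-group 1
!
! Split-tunnel ACLs as the post wants them: VLAN10 into the tunnel,
! VLAN20 out through NAT.
ip access-list extended VPN-Traffic
 permit ip 10.99.10.0 0.0.0.255 any
ip access-list extended WAN-Traffic
 permit ip 10.99.20.0 0.0.0.255 any
!
! Verify: class-voice counters on the WAN should climb again for VLAN20
! traffic, and the input policy on Vlan20 should show packets being marked.
!   show policy-map interface FastEthernet4
!   show policy-map interface Vlan20 input
```

With VLAN10 still tunnelled, its data traffic keeps landing in class-default on FastEthernet4, so the two counters can be compared the same way the post describes.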
