The two ports on the bottom of the 1784-NATR are part of an embedded switch that supports Device-Level Ring (DLR) fast fault tolerant ring architecture. It sounds like you are not using the DLR feature.
The device's "Private" LAN interface has only one IP address, even though there are two physical ports and two MAC IDs.
Generally when any TCP/IP device can't be accessed via a VPN or network bridge, but can be accessed from an address on the enterprise network (often in the building) it is because the Default Gateway address configured for the device does not specify the gateway correctly.
But your devices that you posted screenshots of (thank you!) have the same Default Gateway configured for the enterprise network side: 192.168.140.254.
I presume you've checked the devices and are sure the OK LED isn't flashing red, indicating a duplicate IP address. Such conflicts will also show on the Address Conflict Detection tab.
How many 1:1 NAT address "rules" do you configure each device for? I noticed that the devices are only two host numbers apart (192.168.140.65 and 192.168.140.67).
Have you been able to try changing the Private physical connection for the 1784-NATRs that can't be accessed via VPN to the bottom-forward interface?