touristsis:
Thank you for providing the detailed information with this question; this is very helpful to assist in troubleshooting. I would like to suggest that in the future you attach the configurations instead of posting them inline This greatly enhances future viewers experience because the post would be much more succinct. I have deleted the two followup posts you made with the remote configuration and ports, but if you would re-add them as attachments, as well as edit the original post to add that configuration as an attachment that would be appreciated.
The main configuration change I would suggest is on the main router, in the Private policy-class. The entry "allow list private" is below the "nat source list wizard-ics interface eth 0/1 overload." Since the most specific entry takes precedence, the "allow list private" will not be used, because the NAT statement above it will match all traffic and NAT the source address to the IP address of Ethernet 0/1. Therefore, when the remote side tries to reply back to the main site, it will try to send traffic to the address of Ethernet 0/1 instead of the private IP address on VLAN 1. If you move the "allow list private" above the NAT statement, hopefully that will resolve the issue. Here is an example of what your configuration would look like (I also made this statement "stateless"):
ip policy-class Private
allow list self self
allow list private stateless
nat source list wizard-ics interface eth 0/1 overload
There are several portions of the configuration that I would recommend modifying because many aspects are not used in this design and may cause problems in the future. You have route-maps, duplicate and repeat ACLs, duplicate route statements, and on the remote router the firewall is enabled, but it is a private network and only one interface has a policy-class assigned to it. In the future I would recommend "cleaning up" both configurations to make the routers more efficient.
Please, let me know if you still have trouble after making this change.
Levi
