Hi dlazure,
Looking at your 3448B configuration, I don't think you need:
ip access-list extended Allow_IPSEC_IN
permit ip host 69.70.12.174 any
Incoming VPN connections will still be established via port 500 UDP as long as VPN is enabled. You may still need this ACL for other services, in which case you can leave it as is, or set up more specific ACLs to select relevant protocols and, or ports.
Under your 'Private' APC you can set stateless processing for VPN traffic:
!
ip policy-class Private
allow list VPN-10-vpn-selectors1 stateless
allow list self self
nat source list wizard-ics interface eth 0/1 overload
!
and under the 'Public' APC you can similarly set:
allow reverse list VPN-10-vpn-selectors stateless
!
ip policy-class Public
allow reverse list VPN-10-vpn-selectors1 stateless
allow reverse list VPN-10-vpn-selectors1 <==This seems to be a duplicate entry, which you should remove
allow list web-acl-3 self
allow list Allow_IPSEC_IN self <==This is not needed
allow list web-acl-4 self
!
Then try pinging from 3448B a host which is known to return ICMP packets within the LAN of 3448A, and see if you are getting responses. Then as Levi suggested, switch on debug for ICMP temporarily while you are pinging 3448A, if it still does not return pings.
Hope this helps.
--
Regards,
Mick
