I am having a very strange problem, I hope someone can offer insight. I have a cisco 3845 w/IOS ver ipbase-12.4(2)XA which is directly connected to my ISP. Behind the router I have a vpn concentrator. I am having a problem passing ESP traffic over established LAN-to-LAN tunnels. I can initiate the tunnel from the concentrator and confirm that the tunnel completes phase II, however, when i try to ping the host on the other side i don't recieve any replies. The customer swears he sees the encrypted replies being sent to me, I put a sniffer on the public interface of the concentrator and don't see any ESP packets coming back from him (only the pings going out), I also sniffed the inside interface of the router and don't see his reply ESP packets. When I do a "show ip cache flow" I see that his return packets are hitting the external face of the router, but for some reason they never pass the router to the inside interface and onto the concentrator. The router is somehow dropping them. I have an acl on the external interface of the router, however, i confirmed that i am not blocking anything from this host (the other side of the VPN connection). I also went as far as putting a permit statement at the top of the ACL to allow all packets from this host. Still no luck. I am completely stumped by this prob, if anyone has any ideas please let me know. Thanks.