Routing of all local networks are added . But what do you mean by filtering.

In WebVPN configuration filtering option is'inherit'.

You are not using webvpn are you? since you wrote VPN client I gather it is the cisco vpn client correct? what I mean is that the concentrator has filters bound to the interfaces, private public and external check those filters and what rules do those filters have to find out whether the traffic from those clients are allowed.

No filters are defined or applied. The VPN client traffic seems to be getting lost in the 3020. Can the 3020 decrypt a packet and then send it back out the same interface on which the encrypted packet arrived?

I have to say yes, it can since the concentrator can be defined as a hub for vpn traffic, in here I will ask you a question. Do the devices on the "outside" meaning on the public side of the concentrator know how to reach the vpn client? In other words do these devices have a route back to the concetrator to reach the vpn client's pool?

Yes...the server has a route back to the VPN client pool, with the next hop for that network pool being the 3020 public IP.

You can go ahead and create a filter with IP traffic and debug over that filter to check if packets are sent out and received back, as well you might want to check if there is any chance that a vpn tunnel might be catching this traffic instead.