What you'll want to do on the 170 is configure it in transparent mode. This will disable NAT passing IPSEC to the 210 without altering the packets. I've included a doc that walks through the steps for a DMZ, but the principle is the same.
Why not put the 210 in place of the PIX?