in short i would like to say that . from spoke router ,i am able to ping hub lan ip .then after there is firwall inside where  our lan is working. my firewall is unreachable from spoke router . form my syamatic server (inside my lan ) i am able to ping spoke router lan ip .  

 I am working in a HeadOffice  of an organisation. having HUB-SPOKE network topology having several branches in remote area. MPLS VPN Link is given by the ISP. . i have put on symatice server inside the organisation having different lan ip address . series is 10.1.x.x  (my lan ip series)where as on HUB (headoffice vpn router)lan ip address is 10.240.x.x and remote branches  address is 10.240.y.y   . i'm able to ping the branches ip address and also symantic server ip address 10.1.x.x from hub router. but i'm unable to ping form branches router.  when i trace it .it come to my hub router lan after that it die. there is firewall after that having ip address 10.240.x.(x+1) and lan ip address is 10.1.x.x .  please guide me .how i can make my symantic server able to ping from branches.since my symentic server is pinging to hub lan ip address and spoke lan ip also by pass the firewall.Plz reply .thankx in advance. if there is issue in firwall than reply me what i should do on it.as my 10.1.x.x is passing it. i'm need ur help to over come this issue. thanx.

i am sure the problem in your firewall, because you can ping from server to branches but they cannot , it is the default firewall behavior, from lower security level to high not allowed but higher to low is allowed.

see the diagram, is it , or any modification 

if possible then post the hub router and firewall config

HTH

syed

firewall is fortigate600c . if i ping form my spoke router using command to my server gateway by typing "ping 10.1.x.x  -i 10.240.x.x " that is successfull. 10.240.x.x is my branches ip address.

plz guide me ..