Core issue
This scenario shows the IPsec tunnel configured between PIX Firewall-A and PIX-B:
LAN A --- PIX-A ---- Internet ---- PIX-B ---LAN B
During IPsec VPN testing, a ping from LAN A to LAN B works fine. But, a ping from LAN B to LAN A does not work.
Resolution
PIX-B imisses the sysopt connection permit-ipsec command. All inbound sessions must be explicitly permitted by an Access Control List (ACL) or a conduit. The sysopt connection permit-ipsec command is issued to permit all inbound IPsec authenticated cipher sessions.
In PIX version 7.x, the sysopt connection permit-ipsec and in ASA version 7.x, the sysopt connection permit-vpn command resolves the one way traffic issue.
This command is not displayed in the running configuration in version 7.x, unlike in version 6.x. Use the show running-config sysopt command in privileged EXEC mode to show the sysopt command configuration in the running configuration.
show running-config sysopt
Note: The sysopt connection permit-ipsec command is not be displayed in the output of the show running-config sysopt command on ASA version 7.x, but is displayed in PIX version 7.x. ASA only displays sysopt connection permit-vpn.
Refer to the Configurations section of Configuring a Simple PIX-to-PIX VPN Tunnel Using IPSec for more information.