09-12-2007 12:16 PM - edited 03-05-2019 06:26 PM
Here is my situation.
I have a PIX 515 on subnet 10.6.0.0 with a VPN tunnel to a PIX 501 on subnet 10.7.0.0.
On subnet 10.7.0.0 I have a Linksys VPN router with LAN IP 10.7.1.6 and WAN IP 10.4.194.101.
From there I have a static route in the 501 via 10.7.1.6 to reach the 10.4.194.0 network.
From the console I can ping any IP in the 10.4.194.0 network.
I also put a static route on the 10.6.0.0 PIX to route 10.4.194.0 requests to gateway 10.7.1.6.
As long as I put static routes in PCs on the 10.7 network I can ping anything in 10.4.194.0, but I cannot ping from the 10.6.0.0 network, and I also cannot ping the 10.6.0.0 network from the 10.4.194.0 network.
I also did a NAT on the 501 for 10.6.0.3 > 10.7.1.90 and I CAN hit 10.7.1.90 from the 10.4.194 network, but cannot directly ping 10.6.0.3.
The machine I really need to get to on the 10.4.194.0 network also has no default gateway set, and I cannot set one, as it is a server managed by General Motors.
09-12-2007 11:20 PM
Hi
1) Do you have a route on the linksys for the 10.6.0.0 network ?
2) Presumably to get to the 10.4.194.0 network you want the traffic to go down the vpn tunnel ?
3) If the answer to 2 is yes then you do not need static routes on the PIX 515E, you just need to include that network in the crypto access-list, e.g.
Pix 515E
access-list vpntraffic permit ip 10.6.0.0 255.255.255.0 10.7.1.0 255.255.255.0
access-list vpntraffic permit ip 10.6.0.0 255.255.255.0 10.4.194.0 255.255.255.0
Pix 501
access-list vpntraffic permit ip 10.7.0.0 255.255.255.0 10.6.0.0 255.255.255.0
access-list vpntraffic permit ip 10.4.194.0 255.255.255.0 10.6.0.0 255.255.255.0
As for the machine on the General Motors network. If it does not have a default gateway set how are you pinging it from the 10.7.0.0 network. It must have a default gateway set to the 10.7.1.6 linksys router or it would not know how to route back the packets ?
HTH
Jon
09-13-2007 07:13 AM
The access lists are put in, but I still cannot get out.
If I don't put a static route in the 515, how will it know how to route all packets for 10.4.194 through the VPN to 10.7.0.0 and then over to 10.4.194???
As for why the pings succeed from the 10.7.0.0 network, I do not know.
the static route on the linksys is 10.6.0.0 255.255.0.0 gateway 10.7.1.6 LAN
(the 10.4.194.0 is on the wan side and 10.7.1.6 is the LAN side)
09-13-2007 09:10 AM
The 515E knows it has to send the packets for 10.4.194.0 through the VPN tunnel because of the crypto access-list which tells the pix which traffic to encrypt.
If you can ping the 10.4.194.x server from the 10.7.1.x network then you can NAT all the incoming 10.6.x.x addresses to the inside interface address of your 501 PIX.
So let's say your PIX inside interface is 10.7.1.5
nat (outside) 3 10.6.0.0 255.255.0.0 outside
global (inside) 3 interface
This will NAT all 10.6.x.x addresses to 10.7.1.5. If you can ping the server from the 501 pix this will at least allow you to route to and from the server.
Note the number 3 in the above nat and global statements. It does not have to be 3, just any number that you are using on the firewall for NAT already.
Are you sure that the VPN is actually coming up ?
Jon
09-13-2007 09:37 AM
The PAT broke connections to the servers on 10.6.0.0, the VPN between 10.7.0.0 and 10.6.0.0.
That VPN is up.
I still don't understand how the 10.6 doesn't need a static route, as there is no VPN between 10.4.194 and 10.6.
There are multiple VPN tunnels (10.2.0.0/16 / 10.3.0.0/16 / 10.4.0.0/17). How would it know which one to route packets for 10.4.194.0 to?
Like I stated before, I NATed 10.6.0.3 outside to 10.7.1.90 inside, and that address I can ping from the 10.4.194 network, but I cannot hit 10.6.0.3 by itself.
I was reading elsewhere that this cannot even be done because the IPsec traffic will not go further than the termination point. Exact words quoted below:
"it seems the standard IPSEC protocol specifies that only packets destined for the subnet immediate at the end of the tunnel will be encoded and sent through the VPN tunnel"
Is this correct???
09-13-2007 11:46 AM
Hi
"it seems the standard IPSEC protocol specifies that only packets destined for the subnet immediate at the end of the tunnel will be encoded and sent through the VPN tunnel"
No this is absolutely not true. If it was IPSEC would be almost useless.
"i still dont understand how the 10.6 doesnt need a static route, as there is no vpn between 10.4.194 and 10.6"
There does not have to be. The site-to-site VPN is setup between your PIX 515E and your 501. You can pass any number of subnets down this tunnel. You define the subnets allowed down the VPN tunnel in your crypto map access-list (see previous post)
"there are multiple vpn tunnels (10.2.0.0/16 / 10.3.0.0/16 / 10.4.0.0/17 ) how would it know which to route packets to 10.4.194.0 to"
See previous answer ie. the crypto map access-list.
"the PAT broke connections to the servers on 10.6.0.0 the vpn between 10.7.0.0 and 10.6.0.0
That VPN is up"
Okay, not sure why. Could you send full configs of both 515E and 501 minus any sensitive info.
Can you confirm that from the 501 you can ping the server on the 10.4.194.0 network ?
Jon
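To make the point in the two replies above concrete (the crypto map access-list, not the routing table, decides which tunnel a packet enters, and the remote side's list must be the mirror image), here is a small Python model of that classification. It is an added illustration, not configuration or code from this thread or from Cisco. The subnets are the ones discussed in the thread; the peer labels ("pix501", "site-a", "site-b", "site-c") and the sample packets are made up. Fed the two access-lists as posted, the mirror check also reports that 10.7.1.0/24 on the 515E side and 10.7.0.0/24 on the 501 side are not exact mirrors of each other.

```python
"""Model of PIX crypto-map ACL selection plus a mirror-image check.

Added example (not from the thread or Cisco). Peer labels and sample
packets are invented; the subnets are the ones discussed in the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

IPv4Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class Ace:
    """One 'access-list NAME permit ip SRC MASK DST MASK' line.

    PIX access-lists take real subnet masks (255.255.255.0), not IOS wildcards.
    """
    src: IPv4Network
    dst: IPv4Network

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ipaddress.IPv4Address(src_ip) in self.src
                and ipaddress.IPv4Address(dst_ip) in self.dst)

    def mirror(self) -> "Ace":
        # The line the remote peer needs: source and destination swapped.
        return Ace(self.dst, self.src)


def permit_ip(src: str, src_mask: str, dst: str, dst_mask: str) -> Ace:
    return Ace(IPv4Network((src, src_mask), strict=False),
               IPv4Network((dst, dst_mask), strict=False))


@dataclass(frozen=True)
class CryptoMapEntry:
    seq: int          # crypto map sequence number
    peer: str         # placeholder label standing in for 'set peer <ip>'
    acl: Tuple[Ace, ...]


def select_tunnel(crypto_map, src_ip: str, dst_ip: str) -> Optional[str]:
    """Return the peer whose crypto ACL first permits this flow.

    Entries are tried in ascending sequence number, ACEs in the order written;
    first match wins. None means no tunnel matched and the packet is routed in
    the clear. The routing table only has to deliver the packet to the outside
    interface; it never needs a route for the remote subnet.
    """
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        for a in entry.acl:
            if a.matches(src_ip, dst_ip):
                return entry.peer
    return None


def mirror_mismatches(local_acl, remote_acl):
    """ACEs on either side whose exact mirror is missing on the other side."""
    local, remote = set(local_acl), set(remote_acl)
    missing_on_remote = [a for a in local if a.mirror() not in remote]
    missing_on_local = [a for a in remote if a.mirror() not in local]
    return missing_on_remote, missing_on_local


# 515E crypto ACL as posted, plus the other three tunnels the poster mentioned
# (10.2.0.0/16, 10.3.0.0/16, 10.4.0.0/17). Peer labels are placeholders.
PIX515_MAP = (
    CryptoMapEntry(10, "pix501", (
        permit_ip("10.6.0.0", "255.255.255.0", "10.7.1.0", "255.255.255.0"),
        permit_ip("10.6.0.0", "255.255.255.0", "10.4.194.0", "255.255.255.0"),
    )),
    CryptoMapEntry(20, "site-a", (permit_ip("10.6.0.0", "255.255.255.0", "10.2.0.0", "255.255.0.0"),)),
    CryptoMapEntry(30, "site-b", (permit_ip("10.6.0.0", "255.255.255.0", "10.3.0.0", "255.255.0.0"),)),
    CryptoMapEntry(40, "site-c", (permit_ip("10.6.0.0", "255.255.255.0", "10.4.0.0", "255.255.128.0"),)),
)

# 501 crypto ACL as posted.
PIX501_ACL = (
    permit_ip("10.7.0.0", "255.255.255.0", "10.6.0.0", "255.255.255.0"),
    permit_ip("10.4.194.0", "255.255.255.0", "10.6.0.0", "255.255.255.0"),
)

if __name__ == "__main__":
    for dst in ("10.4.194.50", "10.4.1.1", "10.7.1.6", "192.0.2.1"):
        print(f"10.6.0.3 -> {dst}: {select_tunnel(PIX515_MAP, '10.6.0.3', dst)}")
    print(mirror_mismatches(PIX515_MAP[0].acl, PIX501_ACL))
```

Note that 10.4.194.0/24 lies outside 10.4.0.0/17 (which ends at 10.4.127.255), so the two entries do not overlap; if they did, the lower sequence number would win and the order of the entries would matter. Two further things to check on a real PIX that the model does not cover: the crypto ACL is evaluated after NAT, so the same subnet pairs normally also need a `nat 0 access-list` exemption on each side, and a source outside the listed /24 (for example 10.6.1.x) matches nothing and leaves in the clear.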
09-13-2007 12:37 PM