Okay, I have a PIX 506E at my HQ. At the HQ we have 2 subnets, 192.168.5.0/24 and 192.168.2.0/24. We also have a remote site that is connected via an IPSec tunnel on a VPN 3000, 192.168.0.0/24. When remote users connect from the field, they connect via PPTP, and get assigned addresses from a local pool of 192.168.6.0/24. The remote users can access resources on 192.168.5.0/24 and 192.168.2.0.24. The remote site can access resources on both 192.168.5.0/24 and 192.168.2.0/24. The problem is, remote users need to access the remote site as well, but they cannot. Here is my config (10.x.y.z represents public network addresses):

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password MyEncryptedPassword encrypted

passwd MyEncryptedPassword encrypted

hostname pixfirewall

domain-name corporate.local

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list 120 permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list 100 permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list 100 permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list 100 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list 100 permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list 100 permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list 100 permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list 100 permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list 100 permit ip 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.0

access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list nonat permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list nonat permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list nonat permit ip 192.168.5.0 255.255.255.0 192.168.0.0 255.255.0.0

access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.0

access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.6.0 255.255.255.0

access-list nonat permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0

access-list nonat permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list nonat permit ip 192.168.6.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list nonat permit ip 192.168.6.0 255.255.255.0 192.168.5.0 255.255.255.0

pager lines 24

logging on

logging standby

logging console emergencies

logging monitor emergencies

mtu outside 1500

mtu inside 1500

ip address outside w.x.y.130 255.255.255.128

ip address inside 192.168.5.6 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool remote 192.168.6.1-192.168.6.254

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (outside) 0 access-list 120

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 68.248.179.131 192.168.5.192 netmask 255.255.255.255 0 0

conduit permit tcp host 68.248.179.131 eq smtp any

conduit permit tcp host 68.248.179.131 eq www any

conduit permit tcp host 68.248.179.131 eq https any

conduit permit tcp host 68.248.179.131 eq ssh any

conduit permit tcp host 68.248.179.131 eq domain any

conduit permit udp host 68.248.179.131 eq domain any

route outside 0.0.0.0 0.0.0.0 w.x.y.129 1

route inside 192.168.2.0 255.255.255.0 192.168.5.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server radius-authport 1812

aaa-server radius-acctport 1813

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa-server sso protocol radius

aaa-server sso (inside) host 192.168.5.3 MySecretPhrase timeout 15

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt connection permit-pptp

crypto ipsec transform-set ukset esp-3des esp-md5-hmac

crypto map ukmap 10 ipsec-isakmp

crypto map ukmap 10 match address 100

crypto map ukmap 10 set peer 10.1.1.210

crypto map ukmap 10 set transform-set ukset

crypto map ukmap interface outside

isakmp enable outside

isakmp key ******** address 10.1.1.210 netmask 255.255.255.255

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

telnet timeout 5

ssh 192.168.5.0 255.255.255.0 inside

ssh timeout 10

console timeout 0

vpdn group remote accept dialin pptp

vpdn group remote ppp authentication mschap

vpdn group remote ppp encryption mppe 40

vpdn group remote client configuration address local remote

vpdn group remote client configuration dns 192.168.5.194

vpdn group remote client authentication aaa sso

vpdn group remote pptp echo 60

vpdn enable outside

terminal width 80