
   comp.dcom.vpn      VPN protocols, clients, awesomeness      2,348 messages   


   Message 786 of 2,348   
   Unnar Gardarsson to Martin Eden   
   Re: pix to pix filter traffic   
   07 Feb 04 19:07:19   
   
   From: unnar@cox.net   
      
   Do you have a line in your PIX that says "sysopt connection permit ipsec"?   
      
   If so you need to remove it and just specify in your inbound access-list   
   what you want the network behind pix2 to access, i.e.   
      
   access-list 100 permit tcp 172.30.1.0 255.255.255.0 host 192.168.1.a eq xxx   
   access-list 100 permit tcp 172.30.1.0 255.255.255.0 host 192.168.1.b eq xxx   
   access-list 100 permit tcp 172.30.1.0 255.255.255.0 host 192.168.1.c eq xxx   
      
   As long as you know what port numbers the remote site needs to access, it   
   should be a piece of cake.   
      
   sysopt connection permit ipsec basically tells the pix to ignore filters   
   when the traffic is coming over a VPN connection.   
      
   Hope this helps   
      
   Unnar   
      
   "Martin Eden"  wrote in message   
   news:UhQMb.247436$vO5.10245896@twister1.libero.it...   
   > I have 2 pix   
   > pix1   
   > pix2   
   > I have created a VPN pix to pix   
   > now on pix1 I want to put some ACL that limits   
   > the access from pix2 versus pix1 lan   
   >   
   > In other words   
   > the entire lan behind pix2 must have access only to 3 clients on pix1 lan   
   >   
   > I don't have the access to pix2 because it isn't mine   
   >   
   > What can I do?   
   >   
   > pix1 lan 192.168.1.0 255.255.255.0   
   > pix2 lan 172.30.1.0 255.255.255.0   
   >   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
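
Added example, not part of the original post: a small Python check that a pix1 configuration really filters traffic from the remote LAN, flagging the sysopt bypass, rules wider than one host and port, and ACLs never bound to an interface. The sample configuration, host addresses, ports, ACL 101 and the `outside` interface name are constructed placeholders, and the checker accepts the sysopt command written with a space (as in the post) or with a hyphen.

```python
import re

# Constructed sample config for pix1; hosts, ports and interface are placeholders.
SAMPLE_CONFIG = """\
sysopt connection permit-ipsec
access-list 100 permit tcp 172.30.1.0 255.255.255.0 host 192.168.1.10 eq 80
access-list 100 permit tcp 172.30.1.0 255.255.255.0 host 192.168.1.11 eq 25
access-list 100 permit ip 172.30.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit tcp 172.30.1.0 255.255.255.0 host 192.168.1.12 eq 22
access-group 100 in interface outside
"""

# Matches the command with a space (as written in the post) or a hyphen;
# a leading "no" does not match, so the negated form counts as filtering on.
SYSOPT_RE = re.compile(r"^sysopt connection permit[- ]ipsec$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface \S+$")
ACL_RE = re.compile(r"^access-list (\S+) permit \S+ (\S+) (\S+) (.+)$")

def audit(config, remote_net, remote_mask):
    """Report how traffic from the remote LAN is filtered by this config."""
    bypass, bound, rules = False, set(), []
    for line in (raw.strip() for raw in config.splitlines()):
        if SYSOPT_RE.match(line):
            bypass = True
        elif m := GROUP_RE.match(line):
            bound.add(m.group(1))
        elif m := ACL_RE.match(line):
            acl, src, mask, rest = m.groups()
            if src == "any" or (src, mask) == (remote_net, remote_mask):
                rules.append((acl, src, rest.split(), line))
    hosts, broad, unbound = [], [], []
    for acl, src, dest, line in rules:
        if acl not in bound:
            unbound.append(line)          # ACL never applied to an interface
        elif (src != "any" and len(dest) == 4
              and dest[0] == "host" and dest[2] == "eq"):
            hosts.append((dest[1], dest[3]))
        else:
            broad.append(line)            # wider than one host and one port
    return {"acl_bypassed": bypass, "allowed_hosts": hosts,
            "broad_rules": broad, "unbound_rules": unbound}

if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG, "172.30.1.0", "255.255.255.0")
    for key, value in report.items():
        print(key, "=", value)
```
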



(c) 1994,  bbs@darkrealms.ca