Ehab Salem (Egypt) asked:
logical interface on PIX 506e

Back to an old q.
I have a PIX 506e and I want to add a logical interface to the inside, which will connect through a leased line to a joint venture.
I set up the logical interface and named it dmz1, and gave it the IP 10.157.12.5.
The inside IP is 10.157.14.5.
I want to allow the following protocols between the 2 networks: SMTP, HTTP, and telnet.
What is needed to do that aside from the interface creation?
Freya28 (United States of America):
What type of leased line? Will you be running VPN over it? Is it a point-to-point line, etc.?
ASKER CERTIFIED SOLUTION by Les Moore (United States of America)
The router port wouldn't necessarily need to be a trunk, would it, unless I'm misunderstanding what is being said? It could just be configured in access mode for the correct VLAN tag. However, I believe the router would then have to be configured for that VLAN as well; otherwise the traffic coming from the leased line would essentially be lost because it wouldn't match up with the VLAN the PIX is using for that network.
Ehab Salem (asker):
Irmoore:
I did like you wrote. Now I am getting in the PIX log:
access-list 102 denied tcp inside/10.157.14.54(8361) -> dmz1/10.157.12.1(23)
Access-list 102 is on the inside, and 10.157.14.54 is the IP allowed to telnet the network 10.157.12.0
I added to access-list 102 a rule to permit the required protocols from 10.157.14.0 to 10.157.12.0.
Although I still cannot connect by telnet to 10.157.12.1, the PIX log shows:
Built outbound TCP connection 300670 for dmz1:10.157.12.1/23 (10.157.12.1/23) to inside:10.157.14.54/3087 (10.157.14.54/3087)
And after a few seconds:
Teardown TCP connection 305364 for dmz1:10.157.12.1/23 to inside:10.157.14.54/3109 duration 0:02:01 bytes 0 SYN Timeout

I tried connecting my computer with IP 10.157.12.2 and it connected to the router (10.157.12.1), but could not make a connection to the PIX.
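The two kinds of PIX 6.3 messages quoted above point at different faults: an "access-list ... denied" line is a policy problem on the ingress ACL, while a "Built ... " followed by a "Teardown ... bytes 0 SYN Timeout" for the same connection means the ACL permitted the SYN but nothing ever came back through the egress interface (a return-route or VLAN/L2 problem). The triage script below is an added example, not code from this thread; the sample lines are constructed to match the message formats shown here, and the regexes assume those formats.

```python
import re

# Constructed sample log, modelled on the PIX 6.3 messages quoted in this thread
# (not captured from a live device).
SAMPLE_LOG = """\
access-list 102 denied tcp inside/10.157.14.54(8361) -> dmz1/10.157.12.1(23)
Built outbound TCP connection 300670 for dmz1:10.157.12.1/23 (10.157.12.1/23) to inside:10.157.14.54/3087 (10.157.14.54/3087)
Teardown TCP connection 300670 for dmz1:10.157.12.1/23 to inside:10.157.14.54/3087 duration 0:02:01 bytes 0 SYN Timeout
Built outbound TCP connection 300671 for dmz1:10.157.12.1/23 (10.157.12.1/23) to inside:10.157.14.54/3088 (10.157.14.54/3088)
Teardown TCP connection 300671 for dmz1:10.157.12.1/23 to inside:10.157.14.54/3088 duration 0:00:12 bytes 1840 TCP FINs
"""

DENIED = re.compile(r"access-list (\S+) denied (\w+) (\w+)/([\d.]+)\((\d+)\) -> (\w+)/([\d.]+)\((\d+)\)")
# For an outbound connection the PIX lists the lower-security (destination) side first.
BUILT = re.compile(r"Built (?:outbound|inbound) TCP connection (\d+) for (\w+):([\d.]+)/(\d+) .* to (\w+):([\d.]+)/(\d+)")
TEARDOWN = re.compile(r"Teardown TCP connection (\d+) for .* duration (\S+) bytes (\d+) (.*)$")


def triage(log_text):
    """Classify each flow as POLICY (ACL denied), PATH (permitted, no reply) or OK."""
    results = []
    built = {}  # connection id -> (src_if, src_ip, dst_if, dst_ip, dst_port)
    for line in log_text.splitlines():
        m = DENIED.match(line)
        if m:
            acl, proto, sif, sip, _sport, dif, dip, dport = m.groups()
            results.append(("POLICY", f"{acl} on {sif} denies {proto} {sip}->{dip}:{dport}; add a permit to {acl}"))
            continue
        m = BUILT.match(line)
        if m:
            cid, dif, dip, dport, sif, sip, _sport = m.groups()
            built[cid] = (sif, sip, dif, dip, dport)
            continue
        m = TEARDOWN.match(line)
        if m:
            cid, _duration, nbytes, reason = m.groups()
            sif, sip, dif, dip, dport = built.pop(cid, ("?",) * 5)
            if reason.strip() == "SYN Timeout" and nbytes == "0":
                # ACL allowed the SYN but no SYN/ACK returned: look at the egress side.
                results.append(("PATH", f"{sip}->{dip}:{dport} permitted but no reply via {dif}: check VLAN tagging/trunking and the return route"))
            else:
                results.append(("OK", f"{sip}->{dip}:{dport} completed ({nbytes} bytes, {reason.strip()})"))
    return results


if __name__ == "__main__":
    for verdict, detail in triage(SAMPLE_LOG):
        print(f"{verdict:6} {detail}")
```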
Post your complete config
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan2 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 dmz1 security50
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.157.14.55 mail_server
name 10.157.14.62 intranet_server
name 10.157.13.0 CRO
name 10.157.14.0 ALX
name 10.157.1.0 CRLCRO
name 10.157.14.50 internet_server
access-list 101 permit ip CRO 255.255.255.0 ALX 255.255.255.0
access-list 101 permit ip host 10.134.35.59 ALX 255.255.255.0
access-list 101 permit ip host 10.2.133.50 ALX 255.255.255.0
access-list 101 permit tcp CRLCRO 255.255.255.0 host intranet_server eq www
access-list 101 permit tcp any host a.b.c.d eq smtp
access-list 101 permit tcp any host a.b.c.d eq https
access-list 101 permit tcp any host a.b.c.d eq www
access-list 101 permit udp any any eq 4500
access-list 101 permit esp any any
access-list 101 permit udp any any eq 1701
access-list 101 permit ah any any
access-list 101 deny icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit ip host a.b.c.d any
access-list 101 deny ip any any log
access-list 102 deny tcp any any eq 2745
access-list 102 deny tcp any any eq 4751
access-list 102 deny tcp any any eq 6667
access-list 102 permit ip ALX 255.255.255.0 CRO 255.255.255.0
access-list 102 permit ip host intranet_server CRLCRO 255.255.255.0
access-list 102 permit ip ALX 255.255.255.0 10.157.12.0 255.255.255.0
access-list 102 permit ip ALX 255.255.255.0 host 167.136.35.64
access-list 102 permit ip ALX 255.255.255.0 host 10.134.35.59
access-list 102 permit ip host mail_server host 10.2.133.50
access-list 102 permit ip host mail_server any
access-list 102 permit ip host internet_server any
access-list 102 permit ip host 10.157.14.5 any
access-list 102 deny ip any any log
access-list inside_nat0 permit ip ALX 255.255.255.0 host 10.134.35.59
access-list inside_nat0 permit ip ALX 255.255.255.0 host 10.2.133.50
access-list inside_nat0 permit ip host intranet_server CRLCRO 255.255.255.0
access-list inside_nat0 permit ip host intranet_server ALX 255.255.255.192
access-list inside_nat0 permit ip host mail_server ALX 255.255.255.192
access-list inside_nat0 permit ip ALX 255.255.255.0 CRO 255.255.255.0
access-list inside_nat0 permit ip ALX 255.255.255.0 192.168.222.0 255.255.255.192
access-list dmz-in permit ip 10.157.12.0 255.255.255.0 host 10.157.14.54
access-list dmz_in permit tcp 10.157.12.0 255.255.255.0 host 10.157.14.54 eq smtp
access-list dmz_in permit tcp 10.157.12.0 255.255.255.0 host 10.157.14.54 eq www
access-list dmz_in permit tcp 10.157.12.0 255.255.255.0 host 10.157.14.54 eq telnet
access-list dmz_in deny ip 10.157.12.0 255.255.255.0 ALX 255.255.255.0
access-list dmz_in permit ip any any
pager lines 24
logging on
logging console debugging
logging trap debugging
logging host inside intranet_server
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside a.b.c.d 255.255.255.0
ip address inside 10.157.14.5 255.255.255.0
ip address dmz1 10.157.12.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ALX 10.157.14.30-10.157.14.40
ip local pool CRO 192.168.222.1-192.168.222.40
arp timeout 14400
global (outside) 1 a.b.c.d
global (inside) 1 10.157.14.2-10.157.14.4
nat (inside) 0 access-list inside_nat0
nat (inside) 1 ALX 255.255.255.0 0 0
static (inside,outside) a.b.c.d mail_server netmask 255.255.255.255 0 0
static (inside,dmz1) ALX ALX netmask 255.255.255.0 0 0
access-group 101 in interface outside
access-group 102 in interface inside
access-group dmz_in in interface dmz1
route outside 0.0.0.0 0.0.0.0 ALX_router 1
timeout xlate 3:00:00
timeout conn 3:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http ALX 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
....
Your inside acl 102 does not permit traffic from ALX to 10.157.12.0
add
 no access-list 120 deny ip any any log
 access-list 120 permit ip host 10.157.14.54 10.157.12.0 255.255.255.0
 access-list 120 deny ip any any log

Since you have the log keyword, you can look at your logs and see that this traffic was being denied.
this line:
access-list 102 permit ip ALX 255.255.255.0 10.157.12.0 255.255.255.0
Allows ip from ALX (10.157.14.0) to 10.157.12.0
OK, I missed that.
Do you get any hitcounters on that access-list rule? Use show access-list

>I tried connecting my computer with IP 10.157.12.2 and it connected to the router (10.157.12.1), but could not make connection to PIX.

I'm confused. How did you connect to 12.1 if you were trying to connect to 12.2? If you have a router in the DMZ that you are trying to telnet to, what is its routing set for? Does it have a route back to the PIX for ALX subnet?
 ip route 10.157.14.0 255.255.255.0 10.157.2.5  

For testing purposes I gave my computer the IP 10.157.12.2 and connected it directly to the switch where both the PIX and the router (10.157.12.1) are connected. I was able to telnet to the router, but could not make any connection to the PIX.
The router is used to connect a leased line to another branch, and yes, there is a route back on the router.
Hope that makes things clear.
What did you give your computer as a default gateway?
By default you cannot telnet to the PIX unless you add that host
telnet 10.157.12.2 255.255.255.255 dmz1

You never addressed the question of whether or not the switch is properly configured with VLANs and the port connecting to the PIX is a trunk port.
I gave it 10.157.12.1
I don't know about trunking, but the switch supports VLANs.
The PIX and the router are connected to the same switch (3Com 4950). Both interfaces of the router are working: one is physical (primary) and the second is logical (secondary), so it is only one port having 2 IPs.
Is there a difference between a router and a PIX having 2 IPs on one physical interface?
I mean, if the router's 2 IPs are working, should the PIX work as well?
NO.
There is a huge difference between vlan tagged sub interfaces and secondary IP addresses on an interface. You cannot put a secondary IP on the PIX like you can a router.
It looks like a switch issue then.
Do you know how to set up the 3Com 4950 switch for a trunk port?
I saw on EE a posting that uses:
interface ethernet1 vlan2 physical
interface ethernet1 vlan3 logical
...
Would that solve the problem?
Yes, it is a switch problem, as I spoke about in my very first post above.
Unless you have defined vlan2 and vlan3 on the switch and vlan2 is untagged (native), that PIX configuration will not solve your problem.
What you have will work if you get the switch configured correctly.

No, I don't know anything about how to setup the 3com switch.
My last question:
What is the difference between:
interface ethernet1 vlan2 logical (alone)
and
interface ethernet1 vlan2 physical
interface ethernet1 vlan3 logical
I downloaded software from 3Com (Network Director) to make the VLANs on the switch.
Irmoore:
Thanks a lot for your help.
I managed to make the VLANs on the switch using the mentioned software and it worked fine.
I am facing another problem that I will post in a different question.
VPN clients are not able to connect!