Anthony M (Trinidad and Tobago) asked:
CISCO VPN CANNOT PING LOCAL LAN

When I connect to my PIX using the Cisco VPN client I can only ping the PIX interface; I cannot ping any other device on my local LAN.
Here is my running config:


User Access Verification

Password:
Type help or '?' for a list of available commands.
pixfirewall> en
Password: *******
pixfirewall# sh run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security90
enable password ksEF4bQaO23Ua0n0 encrypted
passwd b9KON.wb4AVvooqc encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns
fixup protocol ftp 21
fixup protocol ftp 2010
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 8100
no fixup protocol rsh 514
no fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69

access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list vpnr3mote_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list no_nat permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xxx.1.xx.2 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.200.1-192.168.200.10
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
pdm location 192.168.0.0 255.255.255.0 inside
pdm location 192.168.1.2 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.3.0 255.255.255.0 inside
pdm location 192.168.4.0 255.255.255.0 inside
pdm location 192.168.200.0 255.255.255.0 inside
pdm location 192.168.254.0 255.255.255.0 inside
pdm location 172.16.1.2 255.255.255.255 dmz
pdm location 192.168.200.0 255.255.255.0 outside
pdm location 192.168.1.254 255.255.255.255 inside
pdm location 192.168.5.0 255.255.255.0 inside
pdm location 192.168.9.0 255.255.255.0 inside
pdm location 192.168.10.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 2 192.168.2.0 255.255.255.0 0 0
nat (inside) 3 192.168.3.0 255.255.255.0 0 0
nat (inside) 4 192.168.4.0 255.255.255.0 0 0
nat (inside) 5 192.168.5.0 255.255.255.0 0 0
nat (inside) 1 192.168.6.0 255.255.255.0 0 0
nat (inside) 1 192.168.7.0 255.255.255.0 0 0
nat (inside) 1 192.168.8.0 255.255.255.0 0 0
nat (inside) 7 192.168.9.0 255.255.255.0 0 0
nat (inside) 7 192.168.10.0 255.255.255.0 0 0
nat (inside) 7 192.168.200.0 255.255.255.0 0 0
static (inside,outside) xxx.1.xx.12 192.168.1.8 netmask 255.255.255.255 0 0
static (inside,outside) xxx.1.xx.14 192.168.8.7 netmask 255.255.255.255 0 0
static (inside,outside) xxx.1.xx.13 192.168.1.182 netmask 255.255.255.255 0 0
static (inside,outside) xxx.1.xx.10 192.168.1.101 netmask 255.255.255.255 0 0
static (inside,outside) xxx.1.xx.8 192.168.1.121 netmask 255.255.255.255 0 0
access-group 111 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.1.xx.1 1
route inside 192.168.0.0 255.255.255.0 192.168.1.2 1
route inside 192.168.2.0 255.255.255.0 192.168.1.2 1
route inside 192.168.3.0 255.255.255.0 192.168.1.2 1
route inside 192.168.4.0 255.255.255.0 192.168.1.2 1
route inside 192.168.5.0 255.255.255.0 192.168.1.2 1
route inside 192.168.6.0 255.255.255.0 192.168.1.2 1
route inside 192.168.7.0 255.255.255.0 192.168.1.2 1
route inside 192.168.8.0 255.255.255.0 192.168.1.2 1
route inside 192.168.9.0 255.255.255.0 192.168.1.2 1
route inside 192.168.10.0 255.255.255.0 192.168.1.2 1
route inside 192.168.200.0 255.255.255.0 192.168.1.2 1
route inside 192.168.254.0 255.255.255.0 192.168.1.2 1
timeout xlate 0:10:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 10:00:00
timeout h323 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community IBMchaNgem3
no snmp-server enable traps
floodguard enable
sysopt connection tcpmss 1200
crypto ipsec transform-set newset esp-aes esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set newset
crypto map newmap 10 ipsec-isakmp dynamic dynmap
crypto map newmap client configuration address initiate
crypto map newmap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpnr3mote address-pool ippool
vpngroup vpnr3mote dns-server 192.168.6.182
vpngroup vpnr3mote split-tunnel vpnr3mote_splitTunnelAcl
vpngroup vpnr3mote idle-time 1800
vpngroup vpnr3mote password ********
vpngroup groupmarketing idle-time 1800
telnet 192.168.1.2 255.255.255.255 inside
telnet 192.168.200.1 255.255.255.255 inside
telnet 192.168.200.2 255.255.255.255 inside
telnet timeout 10
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:c4e214b5bd19932dbda2722189426d80
: end
pixfirewall#
SOLUTION by from_exp (Latvia)
This solution is only available to members. To access this solution, you must be a member of Experts Exchange.
ASKER:
Added the line but still can't ping an address like 192.168.1.10.
SOLUTION (members only)
Also, the way you have ACL 111 applied to the outside interface is incorrect. This ACL will never match any traffic because you will not see traffic sourced from 192.168.1.0/24 coming into the outside interface. An ACL applied to the public interface of the PIX should reference source traffic that is external to the network, like publicly routable Internet addresses and not private class (RFC 1918) addresses.

You should be able to take that ACL off of the interface with no effective change in the traffic flow of the PIX.
Removed the ACL applied to the interface and applied:
nat (inside) 0 access-list 111
isakmp nat-traversal

Still can't reach.
Any other ideas?
Repost current config and let's have a look...


User Access Verification

Password:
Password:
Type help or '?' for a list of available commands.
pixfirewall> en
Password: *******
pixfirewall# sh run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security90
enable password ksEF4bQaO23Ua0n0 encrypted
passwd b9KON.wb4AVvooqc encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns
fixup protocol ftp 21
fixup protocol ftp 2010
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 8100
no fixup protocol rsh 514
no fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
name 193.109.81.33 blackberry
name 192.168.8.11 BES_SERVER
object-group network smtp-hosts
  network-object host BES_SERVER

access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list 111 permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpnr3mote_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list outbound permit tcp object-group smtp-hosts host blackberry eq 3101
access-list no_nat permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xxx.1.xxx.2 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.200.1-192.168.200.10
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
pdm location 192.168.0.0 255.255.255.0 inside
pdm location 192.168.1.2 255.255.255.255 inside
pdm location 192.168.2.0 255.255.255.0 inside
pdm location 192.168.3.0 255.255.255.0 inside
pdm location 192.168.4.0 255.255.255.0 inside
pdm location 192.168.200.0 255.255.255.0 inside
pdm location 192.168.254.0 255.255.255.0 inside
pdm location 192.168.200.0 255.255.255.0 outside
pdm location 192.168.1.254 255.255.255.255 inside
pdm location 192.168.5.0 255.255.255.0 inside
pdm location 192.168.9.0 255.255.255.0 inside
pdm location 192.168.10.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 xxx.1.xxx.3
global (outside) 2 xxx.1.xxx.4
global (outside) 3 xxx.1.xxx.5
global (outside) 4 xxx.1.xxx.6
global (outside) 5 xxx.1.xxx.7
global (outside) 7 xxx.1.xxx.9
nat (inside) 0 access-list 111
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 2 192.168.2.0 255.255.255.0 0 0
nat (inside) 3 192.168.3.0 255.255.255.0 0 0
nat (inside) 4 192.168.4.0 255.255.255.0 0 0
nat (inside) 5 192.168.5.0 255.255.255.0 0 0
nat (inside) 1 192.168.6.0 255.255.255.0 0 0
nat (inside) 1 192.168.7.0 255.255.255.0 0 0
nat (inside) 1 192.168.8.0 255.255.255.0 0 0
nat (inside) 7 192.168.9.0 255.255.255.0 0 0
nat (inside) 7 192.168.10.0 255.255.255.0 0 0
nat (inside) 7 192.168.200.0 255.255.255.0 0 0
static (inside,outside) xxx.1.xxx.12 192.168.1.8 netmask 255.255.255.255 0 0
static (inside,outside) xxx.1.xxx.14 192.168.8.7 netmask 255.255.255.255 0 0
static (inside,outside) xxx.1.xxx.13 192.168.1.182 netmask 255.255.255.255 0 0
static (inside,outside) xxx.1.xxx.10 192.168.1.101 netmask 255.255.255.255 0 0
static (inside,outside) xxx.1.xxx.8 192.168.1.121 netmask 255.255.255.255 0 0
access-group 111 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.1.xxx.1 1
route inside 192.168.0.0 255.255.255.0 192.168.1.2 1
route inside 192.168.2.0 255.255.255.0 192.168.1.2 1
route inside 192.168.3.0 255.255.255.0 192.168.1.2 1
route inside 192.168.4.0 255.255.255.0 192.168.1.2 1
route inside 192.168.5.0 255.255.255.0 192.168.1.2 1
route inside 192.168.6.0 255.255.255.0 192.168.1.2 1
route inside 192.168.7.0 255.255.255.0 192.168.1.2 1
route inside 192.168.8.0 255.255.255.0 192.168.1.2 1
route inside 192.168.9.0 255.255.255.0 192.168.1.2 1
route inside 192.168.10.0 255.255.255.0 192.168.1.2 1
route inside 192.168.200.0 255.255.255.0 192.168.1.2 1
route inside 192.168.254.0 255.255.255.0 192.168.1.2 1
timeout xlate 0:10:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 10:00:00
timeout h323 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community
no snmp-server enable traps
floodguard enable
sysopt connection tcpmss 1200
crypto ipsec transform-set newset esp-aes esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set newset
crypto map newmap 10 ipsec-isakmp dynamic dynmap
crypto map newmap client configuration address initiate
crypto map newmap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpnr3mote address-pool ippool
vpngroup vpnr3mote dns-server 192.168.6.182
vpngroup vpnr3mote split-tunnel vpnr3mote_splitTunnelAcl
vpngroup vpnr3mote idle-time 1800
vpngroup vpnr3mote password ********
vpngroup groupmarketing idle-time 1800
telnet 192.168.1.2 255.255.255.255 inside
telnet 192.168.200.1 255.255.255.255 inside
telnet 192.168.200.2 255.255.255.255 inside
telnet timeout 10
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:c4e214b5bd19932dbda2722189426d80
: end
pixfirewall#
I added a line in the Cisco 3600 router and I can now ping all addresses in 192.168.1.0:
ip route 192.168.200.0 255.255.255.0 192.168.1.1

I still cannot ping other remote sites like 192.168.5.0.
Any suggestions?
Need to verify that the routing from the 192.168.5.0 network makes it back to the PIX for traffic going to the VPN addresses at 192.168.200.0.

Do the hosts on 192.168.5.0 point to the same 3600 router for their default gateway?

What does the routing table on the 3600 router look like?  Can you post the output of the "sh ip route" command from that router?
****************************************************************
**                   ~~~!!!WARNING!!!~~~                      **
****************************************************************
*                                                              *
*         UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED           *
*                                                              *
****************************************************************

User Access Verification

3600#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

C    192.168.8.0/24 is directly connected, FastEthernet0/0
S    192.168.9.0/24 is directly connected, Tunnel4
S    192.168.10.0/24 is directly connected, Tunnel3
S    192.168.200.0/24 [1/0] via 192.168.1.1
O E2 192.168.4.0/24 [110/20] via 192.168.0.10, 1d18h, Serial0/0.3
                    [110/20] via 192.168.0.18, 1d18h, Serial0/0.5
S    192.168.5.0/24 is directly connected, Tunnel0
C    192.168.6.0/24 is directly connected, FastEthernet0/0
C    131.1.0.0/16 is directly connected, Tunnel0
C    131.2.0.0/16 is directly connected, Tunnel2
C    131.3.0.0/16 is directly connected, Tunnel1
C    131.5.0.0/16 is directly connected, Tunnel3
C    131.6.0.0/16 is directly connected, Tunnel4
C    192.168.7.0/24 is directly connected, FastEthernet0/0
C    132.1.0.0/16 is directly connected, Ethernet2/0
     192.168.0.0/30 is subnetted, 4 subnets
C       192.168.0.8 is directly connected, Serial0/0.3
C       192.168.0.12 is directly connected, Serial0/0.4
C       192.168.0.4 is directly connected, Serial0/0.2
C       192.168.0.16 is directly connected, Serial0/0.5
C    192.168.1.0/24 is directly connected, FastEthernet0/0
S    192.168.2.0/24 is directly connected, Tunnel2
S    192.168.3.0/24 is directly connected, Tunnel1
S*   0.0.0.0/0 [1/0] via 192.168.1.1
While a VPN client is connected, can you ping that client from the 3600 router?  In other words, if you received IP address 192.168.200.1 from the firewall, could you ping that address from the router?
Yes.
From my 3600 (192.168.1.2) router I can ping 192.168.200.1.
What does the output of a "tracert 192.168.200.1" look like from a 192.168.5.x host that you can't ping?
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\am>tracert 192.168.200.1

Tracing route to 192.168.200.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.5.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *
I noticed that the 192.168.5.0/24 network has a route via a Tunnel0 interface on the 3600 router.  What type of device is on the other side of that tunnel connection?  Is it another Cisco router?  If so, what does its routing table look like?
****************************************************************
**                   ~~~!!!WARNING!!!~~~                      **
****************************************************************
*                                                              *
*         UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED           *
*                                                              *
****************************************************************

User Access Verification

Password:
CISCO 1751>en
Password:
CISCO 1751#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

O E2 192.168.8.0/24 [110/20] via 192.168.0.13, 5d12h, Serial0/0.1
O E2 192.168.9.0/24 [110/20] via 192.168.0.13, 3d11h, Serial0/0.1
O E2 192.168.10.0/24 [110/20] via 192.168.0.13, 3d11h, Serial0/0.1
O E2 192.168.4.0/24 [110/20] via 192.168.0.13, 5d12h, Serial0/0.1
C    192.168.5.0/24 is directly connected, FastEthernet0/0
O E2 192.168.6.0/24 [110/20] via 192.168.0.13, 5d12h, Serial0/0.1
     131.1.0.0/16 is variably subnetted, 2 subnets, 2 masks
O E2    131.1.0.0/16 [110/20] via 192.168.0.13, 5d12h, Serial0/0.1
C       131.1.1.0/24 is directly connected, Tunnel0
O E2 131.2.0.0/16 [110/20] via 192.168.0.13, 5d12h, Serial0/0.1
O E2 131.3.0.0/16 [110/20] via 192.168.0.13, 06:37:13, Serial0/0.1
O E2 131.5.0.0/16 [110/20] via 192.168.0.13, 3d11h, Serial0/0.1
O E2 131.6.0.0/16 [110/20] via 192.168.0.13, 3d11h, Serial0/0.1
O E2 192.168.7.0/24 [110/20] via 192.168.0.13, 5d12h, Serial0/0.1
C    132.1.0.0/16 is directly connected, Ethernet1/0
     192.168.0.0/30 is subnetted, 4 subnets
O IA    192.168.0.8 [110/128] via 192.168.0.13, 5d12h, Serial0/0.1
C       192.168.0.12 is directly connected, Serial0/0.1
O IA    192.168.0.4 [110/128] via 192.168.0.13, 5d12h, Serial0/0.1
O IA    192.168.0.16 [110/128] via 192.168.0.13, 5d12h, Serial0/0.1
S    192.168.1.0/24 is directly connected, Tunnel0
O E2 192.168.2.0/24 [110/20] via 192.168.0.13, 5d12h, Serial0/0.1
O E2 192.168.3.0/24 [110/20] via 192.168.0.13, 06:37:37, Serial0/0.1
S*   0.0.0.0/0 is directly connected, Tunnel0
Take out the following statement in the PIX:

route inside 192.168.200.0 255.255.255.0 192.168.1.2

Issue the "no" form of the command to remove it, like so:

no route inside 192.168.200.0 255.255.255.0 192.168.1.2
Removed
Should that help?
Establish a new VPN connection and try pinging and let's see.  What I was thinking is that traffic could possibly be bouncing back and forth between the PIX inside interface and the 3600 router interface at 192.168.1.2.
It doesn't work.

I wonder if I would have to add routes on the Cisco 1751 (192.168.5.1) to reach 192.168.200.0.
I wouldn't think so since your default route points to Tunnel0, which is the 3600 router.  However, you can try it and see if you would like.  If it doesn't help, you can take it back out.
It doesn't work.
You were right about that.
Can you ping a 192.168.1.1 from 192.168.5.1?
No, I can't.
HELP PLEASE ANYONE
Hi,
please draw a quick scheme of your network.
If you have multiple Cisco devices, please post their current configs here also.
Main router connected to the PIX:
Hall#sh run
Building configuration...

Current configuration : 5273 bytes
!
! Last configuration change at 05:41:38 Caracas Thu Jan 31 2008
! NVRAM config last updated at 14:12:39 Caracas Mon Jan 21 2008 by cisco
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Hall_Of_Justice
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$.CJ0$39PgRtdwbqIPLi9.psI6R0
!
clock timezone Caracas -4
voice-card 3
!
no aaa new-model
ip subnet-zero
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
controller T1 3/0
 framing sf
 linecode ami
!
!
!
!
!
interface Tunnel0
 description Tunnel to San Fernando
 ip address 131.1.1.1 255.255.0.0
 keepalive 100 3
 tunnel source Ethernet2/0
 tunnel destination 132.1.1.4
!
interface Tunnel1
 description Tunnel to Family
 ip address 131.3.1.1 255.255.0.0
 keepalive 100 3
 tunnel source Ethernet2/0
 tunnel destination 132.1.1.3
!
interface Tunnel2
 description Tunnel to Magistrate Court
 ip address 131.2.1.1 255.255.0.0
 keepalive 100 3
 tunnel source Ethernet2/0
 tunnel destination 132.1.1.2
!
interface Tunnel3
 description Tunnel to Arima
 ip address 131.5.1.1 255.255.0.0
 keepalive 100 3
 tunnel source Ethernet2/0
 tunnel destination 132.1.1.5
!
interface Tunnel4
 description Tunnel to Sangre Grande
 ip address 131.6.1.1 255.255.0.0
 keepalive 100 3
 tunnel source Ethernet2/0
 tunnel destination 132.1.1.6
!
interface FastEthernet0/0
 description Hall of Justice LAN
 ip address 192.168.7.1 255.255.255.0 secondary
 ip address 192.168.6.1 255.255.255.0 secondary
 ip address 192.168.8.254 255.255.255.0 secondary
 ip address 192.168.1.2 255.255.255.0
 ip ospf priority 255
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 no cdp enable

!
interface Ethernet2/0
 description Fibre Link to all Court Locations
 ip address 132.1.1.1 255.255.0.0
 full-duplex
!
interface Ethernet2/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet2/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet2/3
 no ip address
 shutdown
 half-duplex
!
router ospf 100
 router-id 192.168.1.2
 log-adjacency-changes
 redistribute connected
 redistribute static
 network 192.168.0.0 0.0.0.3 area 200
 network 192.168.0.4 0.0.0.3 area 201
 network 192.168.0.8 0.0.0.3 area 202
 network 192.168.0.12 0.0.0.3 area 203
 network 192.168.0.16 0.0.0.3 area 204
 network 192.168.1.0 0.0.0.255 area 0
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 192.168.2.0 255.255.255.0 Tunnel2
ip route 192.168.3.0 255.255.255.0 Tunnel1
ip route 192.168.5.0 255.255.255.0 Tunnel0
ip route 192.168.9.0 255.255.255.0 Tunnel4
ip route 192.168.10.0 255.255.255.0 Tunnel3
ip route 192.168.200.0 255.255.255.0 192.168.1.1
!
!
!
map-class frame-relay HI
 frame-relay interface-queue priority high
!
map-class frame-relay NORM
!
map-class frame-relay MED
 frame-relay interface-queue priority medium
!
map-class frame-relay LOW
 frame-relay interface-queue priority low
!
snmp-server community hoj2246 RO
snmp-server enable traps tty
bridge 1 protocol ieee
!
!
!
!
!
!
banner motd ^CC
****************************************************************
**                   ~~~!!!WARNING!!!~~~                      **
****************************************************************
*                                                              *
*         UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED           *
*                                                              *
****************************************************************^C
!
line con 0
line 33 48
line aux 0
 password 7 000D110B07530A080824411D
 login local
 modem InOut
 transport input all
 autoselect during-login
 stopbits 1
 speed 38400
 flowcontrol hardware
line vty 0 4
 password 7 141E10060F0C2B25232D3E66
 login
!
!
!
end

Hall#
Router at another location (IP scheme 192.168.10.0).
If I can reach this I think I can do the rest.

Arima#sh run
Building configuration...

Current configuration : 1825 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Arima
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$DMWU$FNFT9.X9Fk.K3YHft3kwH/
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
ip domain name yourdomain.com
!
username arima privilege 15 secret 5 $1$Lt/c$qmnerxDbJi/pWezi93dpM.
!
!
!
interface Tunnel3
 description Tunnel to Hall
 ip address 131.5.1.2 255.255.0.0
 keepalive 100 3
 tunnel source FastEthernet0/1
 tunnel destination 132.1.1.1
!
interface FastEthernet0/0
 description Arima LAN$ETH-LAN$
 ip address 192.168.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Fibre Link to Hall $ETH-WAN$
 ip address 132.1.1.5 255.255.0.0
 speed auto
 full-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 Tunnel3
ip route 192.168.1.0 255.255.255.0 Tunnel3
!
no ip http server
!
!
control-plane
!
banner motd ^CCC
****************************************************************
**                   ~~~!!!WARNING!!!~~~                      **
****************************************************************
*                                                              *
*         UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED           *
*                                                              *
****************************************************************^C
!
line con 0
 password 7 105E0A1D53474B5B
 login local
line aux 0
 password 7 12090613445B5554
line vty 0 4
 password 7 00141002520B5256
 login
 transport input telnet
line vty 5 15
 password 7 131514165D5C5D7A
 login local
 transport input telnet
!
end

Arima#
ASKER CERTIFIED SOLUTION (members only)
ip route 192.168.200.0 255.255.255.0 192.168.1.1

is already added to Hall. Should I add it to Arima?
Default gateway at Hall is 192.168.1.2.
Default gateway at Arima is 192.168.10.1.
On the Arima you can configure that the 200.0 network is behind Hall (131.5.1.1).

I suppose that from the client VPN tunnel, with an IP from the 200.x network, you should be able to ping 192.168.1.1 and 1.2 at least.
Yes, I could ping 192.168.1.1 and 1.2 and everything in 192.168.1.0.

I'm not sure what you are saying about the Arima. How do I go about this?
OK, if you can ping the 192.168.1.0 network, then I haven't got your question "CISCO VPN CANNOT PING LOCAL LAN" right. What is wrong?
Previous post:
I added a line in the Cisco 3600 (Hall) router and I can now ping all addresses in 192.168.1.0:
ip route 192.168.200.0 255.255.255.0 192.168.1.1

I still cannot ping other remote sites like 192.168.5.0 and 192.168.10.0.
Any suggestions?
SOLUTION (members only)
Do I add this in the Hall router or the Arima router?
In Arima.
So this is done to tell Arima that network 200.0 is behind Hall.
Still nothing.

Should any routes be added to the Hall router?
Please provide tracert -d 192.168.10.10 output from the VPN client computer.
Hall already knows about all networks.
On the PIX remove the route ip route 192.168.200.0 255.255.255.0 192.168.1.1
with:
no ip route 192.168.200.0 255.255.255.0 192.168.1.1

because the 200.0 network lives on the PIX (1.2), not on Hall (1.2).
1.1 is the PIX.
1.2 is the router (Hall).

So I removed (ip route 192.168.200.0 255.255.255.0 192.168.1.1) on the router (Hall).
Thanks for all the explanation as well. It's helping me to understand as well.
What's next?
Hm, yes, I do admit, my mistake.
On Hall you should have the route:
ip route 192.168.200.0 255.255.255.0 192.168.1.1 - because Hall should know where the 200.0 network is.

So basically each router should understand where the 200.0 network is.
If we have a network like this:

-r1----r2----r3--200.0 network
then we have to tell r1 that the 200.0 network is behind r2; r2 should also know that 200.0 is behind r3.

Have you added the route to Arima? Can you provide a trace from the VPN client to Arima's network?
tracert -d 192.168.10.10 -- I want to see the output.
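The two routing points raised in this thread, the suspected bounce between the PIX inside interface and the 3600 at 192.168.1.2 when both carried a route for 192.168.200.0/24 pointing at each other, and the rule that every router in a chain like r1----r2----r3 needs a route for the 200.0 network, can be walked through with a small longest-prefix-match simulator. This is an added example, not code from the thread or from Cisco. The tables are constructed from the routes posted for the PIX, Hall and Arima (only the prefixes needed for the traces are kept); "if:vpn" is a constructed label standing in for the PIX handing a packet to a connected client, and the "before" PIX table still carries the `route inside 192.168.200.0 255.255.255.0 192.168.1.2` line that was removed later in the thread.

```python
"""Hop-by-hop route lookup over the tables posted in this thread.

Added example (not from the thread or from Cisco). Each router is a dict of
prefix -> next hop, where the next hop is either another router's name or an
egress label starting with "if:". Routes are constructed from the posted
configs; "if:vpn" is a constructed label for the PIX delivering a packet to a
connected VPN client (assumption: pool addresses resolve to the client tunnel
once the competing static route is gone).
"""
import ipaddress

HALL = {                                  # Cisco 3600 "Hall", 192.168.1.2
    "192.168.1.0/24": "if:FastEthernet0/0",
    "192.168.10.0/24": "Arima",           # ip route 192.168.10.0 ... Tunnel3
    "192.168.200.0/24": "PIX",            # ip route 192.168.200.0 ... 192.168.1.1
    "0.0.0.0/0": "PIX",                   # ip route 0.0.0.0 0.0.0.0 192.168.1.1
}
ARIMA = {                                 # Cisco "Arima", 192.168.10.1
    "192.168.10.0/24": "if:FastEthernet0/0",
    "192.168.1.0/24": "Hall",             # ip route 192.168.1.0 ... Tunnel3
    "0.0.0.0/0": "Hall",                  # ip route 0.0.0.0 0.0.0.0 Tunnel3
}
PIX_BEFORE = {                            # PIX 192.168.1.1 with the static later removed
    "192.168.1.0/24": "if:inside",
    "192.168.10.0/24": "Hall",            # route inside 192.168.10.0 ... 192.168.1.2
    "192.168.200.0/24": "Hall",           # route inside 192.168.200.0 ... 192.168.1.2
    "0.0.0.0/0": "if:outside",
}
# After 'no route inside 192.168.200.0 ...' the pool is served by the VPN tunnel.
PIX_AFTER = {**PIX_BEFORE, "192.168.200.0/24": "if:vpn"}
# Constructed variant: Arima without its default route, to show a plain black hole.
ARIMA_NO_DEFAULT = {k: v for k, v in ARIMA.items() if k != "0.0.0.0/0"}

NETWORK_BEFORE = {"PIX": PIX_BEFORE, "Hall": HALL, "Arima": ARIMA}
NETWORK_AFTER = {"PIX": PIX_AFTER, "Hall": HALL, "Arima": ARIMA}
NETWORK_NO_DEFAULT = {"PIX": PIX_AFTER, "Hall": HALL, "Arima": ARIMA_NO_DEFAULT}


def lookup(table, dst):
    """Longest-prefix match: return the next hop for dst, or None if no route."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table.items():
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def trace(network, start, dst, max_hops=16):
    """Follow dst through the routers starting at 'start'.

    Returns (path, status) where status is "delivered", "loop" or
    "no route at <router>". A loop is reported as soon as a router is
    visited twice, which is what the 'bouncing back and forth' suspicion
    in the thread looks like in a routing table.
    """
    path, seen, node = [start], {start}, start
    while len(path) <= max_hops:
        next_hop = lookup(network[node], dst)
        if next_hop is None:
            return path, f"no route at {node}"
        path.append(next_hop)
        if next_hop.startswith("if:"):
            return path, "delivered"
        if next_hop in seen:
            return path, "loop"
        seen.add(next_hop)
        node = next_hop
    return path, "loop"


if __name__ == "__main__":
    for label, network, start, dst in [
        ("return path to client, PIX static still present", NETWORK_BEFORE, "Arima", "192.168.200.2"),
        ("return path to client, PIX static removed", NETWORK_AFTER, "Arima", "192.168.200.2"),
        ("client to Arima LAN", NETWORK_AFTER, "PIX", "192.168.10.10"),
        ("return path with no default route on Arima", NETWORK_NO_DEFAULT, "Arima", "192.168.200.2"),
    ]:
        path, status = trace(network, start, dst)
        print(f"{label}: {' -> '.join(path)} [{status}]")
```

Run it directly to print the four traces. The last one is the r1----r2----r3 lesson in isolation: with no default route, Arima drops packets for the pool until it is told where 200.0 lives. The second and fourth together also show why a default route can mask a missing specific route, which is why the thread keeps asking for traceroutes rather than trusting the routing tables alone.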
"Have you added the route to Arima?" What route?
C:\Users\Anthony>tracert -d 192.168.10.1

Tracing route to 192.168.10.1 over a maximum of 30 hops

  1   487 ms   169 ms   307 ms  192.168.171.96
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *     ^C
C:\Users\Anthony>
"Nice!
To ping from remote sites:
for example on Arima:
conf t
ip route 192.168.200.0 255.255.255.0 131.5.1.1 <-- so it's the IP address of Hall in the appropriate tunnel"

What is the 192.168.171.96 network?
That's when I do a tracert from the 200.0 network: it goes to 192.168.171.96.

I added ip route 192.168.200.0 255.255.255.0 131.5.1.1 to the Arima router.
Still no luck.
I understand that it goes to 192.168.171.96, but where is it? On which of your Cisco routers?
Here is how I start the VPN:

I connect to the internet, then I run the Cisco VPN client and connect to my PIX. Then I'm connected to my network and my computer gets IP address 192.168.200.2.
So I can't really say where that address is coming from.
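Two settings in the second posted config determine what a connected client can reach: the `nat (inside) 0 access-list 111` line exempts only 192.168.1.0/24 from NAT towards the pool, and the split-tunnel ACL `vpnr3mote_splitTunnelAcl` lists only 192.168.1.0/24, which is the list the PIX pushes to the client to decide what is sent through the tunnel rather than out the client's own default gateway (compare the first hop of 192.168.171.96 in the client's tracert above). The following is an added example, not code from the thread or from Cisco: it parses an excerpt of that config and reports both properties for each inside network. The parser understands only the line types it needs, and the list of inside networks is taken from the PIX's `nat (inside)` statements.

```python
"""Which inside networks does this PIX 6.3 remote-access VPN actually serve?

Added example, not from the thread or from Cisco. It parses the few PIX 6.3
line types it needs (access-list ... permit ip, ip local pool,
nat (inside) 0 access-list, vpngroup ... split-tunnel) and reports, per
inside network, whether traffic to/from the client pool is exempt from NAT
and whether the network is in the split-tunnel ACL pushed to the client.
CONFIG is an excerpt of the second config posted in the thread.
"""
import ipaddress

CONFIG = """
access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list 111 permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpnr3mote_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any
access-list outbound permit tcp object-group smtp-hosts host blackberry eq 3101
access-list no_nat permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
ip local pool ippool 192.168.200.1-192.168.200.10
nat (inside) 0 access-list 111
vpngroup vpnr3mote split-tunnel vpnr3mote_splitTunnelAcl
vpngroup vpnr3mote idle-time 1800
"""

# Inside networks behind the PIX, taken from its 'nat (inside)' lines.
INSIDE_NETWORKS = ["192.168.1.0/24", "192.168.5.0/24", "192.168.10.0/24"]


def _parse_net(tokens, i):
    """Return (network, next index) for 'any' or 'addr mask' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Collect the pieces of the remote-access VPN setup that matter here.

    Only 'permit ip' ACL entries are kept (that is all nat 0 and split-tunnel
    ACLs use); other protocols, object-groups and unrelated lines are skipped.
    """
    cfg = {"acls": {}, "pool": None, "nat0_acl": None, "split_acl": None}
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 6 and t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = _parse_net(t, 4)
            dst, _ = _parse_net(t, i)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            cfg["pool"] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            cfg["nat0_acl"] = t[4]
        elif len(t) == 4 and t[0] == "vpngroup" and t[2] == "split-tunnel":
            cfg["split_acl"] = t[3]
    return cfg


def nat_exempt(cfg, inside_net):
    """True if the nat 0 ACL exempts inside_net <-> the whole client pool from NAT.

    In 'nat (inside) 0 access-list', the ACL source is the inside host and the
    destination is the remote peer, here the VPN pool.
    """
    if cfg["nat0_acl"] is None or cfg["pool"] is None:
        return False
    lo, hi = cfg["pool"]
    return any(inside_net.subnet_of(src) and lo in dst and hi in dst
               for src, dst in cfg["acls"].get(cfg["nat0_acl"], []))


def in_split_tunnel(cfg, inside_net):
    """True if the client will send traffic for inside_net through the tunnel.

    The split-tunnel ACL's source networks are pushed to the client; anything
    not listed leaves via the client's own default gateway.
    """
    if cfg["split_acl"] is None:
        return True  # no split tunneling configured: the client tunnels everything
    return any(inside_net.subnet_of(src)
               for src, _ in cfg["acls"].get(cfg["split_acl"], []))


def vpn_reachability(cfg, inside_networks):
    """Per-network report of the two properties, keyed by the network string."""
    report = {}
    for text in inside_networks:
        net = ipaddress.ip_network(text)
        report[text] = {"nat_exempt": nat_exempt(cfg, net),
                        "split_tunnel": in_split_tunnel(cfg, net)}
    return report


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    for net, flags in vpn_reachability(cfg, INSIDE_NETWORKS).items():
        state = "ok" if all(flags.values()) else "check nat 0 / split-tunnel ACL"
        print(f"{net:18} nat_exempt={str(flags['nat_exempt']):5} "
              f"split_tunnel={str(flags['split_tunnel']):5} -> {state}")
```

Run against the excerpt, only 192.168.1.0/24 passes both checks; 192.168.5.0/24 and 192.168.10.0/24 are neither exempt from NAT nor in the list the client is told to tunnel, which matches the pattern in the thread of the 192.168.1.0 network being pingable while the remote sites are not.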
SOLUTION (members only)
Added and rechecked everything, still can't ping.
Untitled.jpg
Give me traces from there, please!
They will show me where to look.
All your configs were correct,
but I needed to restart my Cisco PIX after I made any change. I don't know why it's like that.
I can now ping all locations. Thank you.