Thanks. I have worded it out!

[Oh]

HI,
yizhar, slachance & sunyasee Thank you very much!

I worked it out. The problem is in our subnet there is a other cisco router which be set as all pcs defualt gateway, so when ping from branch to a pc in this net, so this why only one way traffic like
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify 3
other side is
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest 3
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

after I change the pc defualt gatetway to my PIX, it works well! just like the text book. So what we do is jsut add a routing entry in the Cisco router.
So I have one more question: If I don't change the config at router, may I config the PIX's inside port work like a router, just as if the package is the interesting traffic it will pass through the PIX to PIX tunnel, and if the package is point to an other subnet in inside, it will be send to the router.

Thanks again!

oh

 

[Oh]

And,
when we config our central office PIX work as VPN client access server, we not change any thing in our subnet and router, it also works. what 's the difference?

oh

 

[Oh]

And;
can you give me a solution without add a routing entry in the cisco router?
my net like this:
adsl router -- pix -- 172.28.16.0/16--3620(172.28.16.254)
-- 172.30.0.0/16
now all the default gateway in pcs and servers in our subnet is point to 172.28.16.254, and I only want the peer subnet(10.10.10.0) access some servers in our net, not all, and all pc and servers in our net no need to access the peer subnet.

thanks
oh