
I need a third eye here. My RAS IPSec VPN configuration is working, EXCEPT for two little problems which I need help spotting:

1. Some RAS clients at different locations are unable to ping the LAN interface IP of the router. I can't tell/figure out why. Some do.

2. Should a RAS client be able to connect (via telnet/ssh) to the router's LAN IP? Why not?

CONFIG:

!
! Last configuration change at 10:02:45 UTC Thu Mar 16 2017 by wash
!
version 15.6
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname homerouter
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$7WMZ$9Z9csyxr5mdhfCJhnLVzM.
!
no aaa new-model
!
ip dhcp excluded-address 192.168.1.250 192.168.1.254
!
ip dhcp pool MAIN
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.140
 dns-server 8.8.8.8 8.8.4.4
!
ip domain name www.bigdataharbour.com
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
!
license udi pid CISCO1941/K9 sn FCZ143693QZ
!
username wash privilege 15 secret 5 $1$1kxuwi$ykNfKJu/vmO7w7aNLgaMk.
!
redundancy
!
controller VDSL 0/0/0
 operating mode vdsl2
no cdp run
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp client configuration group VPN_CLIENTS
 key BUFFALOTIGER_heheee
 dns 8.8.8.8
 domain home.local
 pool VPN_CLIENT_POOL
 acl 110
!
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
 mode tunnel
!
crypto dynamic-map EXT_DYNAMIC_MAP 10
 set transform-set TRANS_3DES_SHA
!
crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN
crypto map EXT_MAP isakmp authorization list VPN_CLIENT_GROUP
crypto map EXT_MAP client configuration address respond
crypto map EXT_MAP 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.1.140 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface ATM0/0/0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0/0/0
 mtu 1508
 no ip address
!
interface Ethernet0/0/0.101
 encapsulation dot1Q 101
 ip tcp adjust-mss 1350
 pppoe enable group global
 pppoe-client dial-pool-number 1
 pppoe-client ppp-max-payload 1500
!
interface ATM0/1/0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp chap hostname 01923442778@talktalkbusiness.net
 ppp chap password 7 123F5736452C59347D11739
 no cdp enable
 crypto map EXT_MAP
!
ip local pool VPN_CLIENT_POOL 172.16.5.200 172.16.5.210
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list extended NAT
 deny   ip 192.168.1.0 0.0.0.255 172.16.5.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip any any
!
dialer-list 1 protocol ip permit
!
route-map NAT permit 10
 match ip address NAT
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 172.16.5.0 0.0.0.255
!
control-plane
!
line con 0
 logging synchronous
line aux 0
 logging synchronous
line 2
 no activation-character
 no exec
 transport preferred none
 transport output telnet ssh
 stopbits 1
line vty 0 4
 logging synchronous
 login local
 transport input ssh
line vty 5 1370
 logging synchronous
 login
 transport input ssh
!
scheduler allocate 20000 1000
!
end

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."