I have configured the Cisco VPN3005s before. However, I have come across a problem that I cannot resolve. In this situation the VPN client cannot ping any devices on the private side of the VPN. The client, when VPN'd in, shows the secured route to the private side. The VPN can ping from the Admin panel to all devices on the private side.

I have set and tried several options under 'Client Configuration' for the Group, changing the tunnel network, to no avail. It is usually set to tunnel only the specific private network list. I have defined the private network on the network list for that group. Did I miss anything?

Do you set up a static route on the external router for the private network, pointing to the VPN public interface? In the past this would work. However, there is also a firewall with two of its many interfaces connecting the same public and private networks, and the external router on the public side has a static route statement pointing to the firewall interface for the private network.

Does this still mean the problem is with the tunnel network not being defined properly, if a client, when VPN'd in, cannot see any device on the private side (except the private VPN interface) but the VPN itself can see all of them? Where else can the private network be configured for the VPN client to know? Is it always good practice not to define the tunnel network outside of the VPN itself?

Thanks.