Are there ramifications of applying a Crypto Map (which involves creating an ACL for VPN traffic) and a separate ACL to permit other specific traffic to the same interface? I was unable to get my Security Associations to come up after implementing this config.

Not shown below, but I have created a static NAT statement from an internal host to an outside address, for NT Terminal Server access from terminal server clients. Addresses have been changed in this example to protect the innocent.

Example:

crypto map mymap 10 ipsec-isakmp
 set peer 10.10.10.1
 set transform-set VPNC1
 set pfs group2
 match address VPNC

interface FastEthernet0/0
 description Inside
 ip address 192.168.224.195 255.255.240.0
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto

interface FastEthernet0/1
 description Outside
 ip address 10.10.4.195 255.255.255.224
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 ip access-group 199 in
 duplex auto
 speed auto
 crypto map mymap

ip access-list extended VPNC
 permit ip 192.168.224.140 0.0.0.3 192.168.2.0 0.0.0.255

ip access-list extended 199
 permit tcp host any host 192.168.1.190 eq 3389
 permit ip host 10.10.10.1 255.255.255.0 any
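
One check worth running on this kind of setup, as an added example that is not part of the original post: an inbound ACL on the crypto-map interface is applied to the still-encrypted packets, so IKE (UDP 500) and ESP from the peer have to be permitted before any SA can form. The ACLs below are constructed from the post's placeholder addresses, the function names are hypothetical, and only syntactically valid named extended ACL entries with `eq` port matches are handled.

```python
import ipaddress

# Constructed ACLs modelled on the post's ACL 199; every address is a placeholder.
RDP_ONLY = """ip access-list extended 199
 permit tcp any host 192.168.1.190 eq 3389"""
WITH_VPN = RDP_ONLY + """
 permit udp host 10.10.10.1 host 10.10.4.195 eq isakmp
 permit esp host 10.10.10.1 host 10.10.4.195"""


def hit(w, i, ip):
    """Match ip against the address spec at w[i]; return (matched, next index)."""
    if w[i] in ("any", "host"):
        return w[i] == "any" or w[i + 1] == ip, i + (1 if w[i] == "any" else 2)
    care = ~int(ipaddress.ip_address(w[i + 1])) & 0xFFFFFFFF  # wildcard bits ignored
    diff = int(ipaddress.ip_address(w[i])) ^ int(ipaddress.ip_address(ip))
    return (diff & care) == 0, i + 2


def permits(acl_text, src, dst, protos, ports=()):
    """First-match evaluation of one src -> dst packet against the ACL entries."""
    for w in (line.split() for line in acl_text.splitlines()):
        if not w or w[0] not in ("permit", "deny") or w[1] not in ("ip",) + protos:
            continue
        s, i = hit(w, 2, src)
        i += 2 if w[i:i + 1] == ["eq"] else 0  # skip a source-port qualifier
        d, i = hit(w, i, dst)
        if s and d and (w[i:i + 1] != ["eq"] or w[i + 1] in ports):
            return w[0] == "permit"
    return False  # implicit deny at the end of every ACL


def blocked_vpn_traffic(acl_text, peer, local):
    """Name the IPsec flows from peer to local that the inbound ACL drops."""
    flows = {"IKE (udp/500)": (("udp", "17"), ("500", "isakmp")),
             "ESP (ip proto 50)": (("esp", "50"), ())}
    return [name for name, (protos, ports) in flows.items()
            if not permits(acl_text, peer, local, protos, ports)]


if __name__ == "__main__":
    print(blocked_vpn_traffic(RDP_ONLY, "10.10.10.1", "10.10.4.195"))
    print(blocked_vpn_traffic(WITH_VPN, "10.10.10.1", "10.10.4.195"))
```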