Hi,

You might have got the solution by now. If not, then read on.

When the packet leaves the router, it will have the source address of its outgoing interface in the IP packet. This address is not part of the tunnel, so it will be routed normally. You need to have the router send the packets with an address which is part of the traffic permitted in the tunnel ACL.

For your specific TACACS application, on the 2600 enter the command

ip tacacs source-interface

This interface can be the LAN side interface if its subnet is in the tunnel, or you can create a loopback with such an address. You can find a similar command on PIX if you are trying to authenticate PIX across VPN.

Hope that helps.

Majid
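An added illustration of the loopback approach described in the post above (not part of the original message): the addresses, the loopback number, ACL number 110 and the interface names are constructed for the example, and it assumes the crypto map on the outside interface already references ACL 110.

```cisco
! Constructed example: router-originated TACACS+ traffic sourced from an
! address that the tunnel (crypto) ACL protects.
!
! Loopback holding an address reserved for management traffic.
interface Loopback0
 ip address 10.1.100.1 255.255.255.255
!
! Crypto ACL: traffic matching it is encrypted into the tunnel.
! The first entry is the existing LAN-to-LAN traffic; the second covers
! packets the router itself sends from Loopback0 to the TACACS+ server.
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 110 permit ip host 10.1.100.1 host 10.2.2.10
!
! Without the next line the router sources TACACS+ packets from the
! outgoing (outside) interface address, which ACL 110 does not match,
! so they leave unencrypted and are routed normally.
ip tacacs source-interface Loopback0
tacacs-server host 10.2.2.10
!
! The remote peer needs the mirror-image entry in its own crypto ACL
! (host 10.2.2.10 to host 10.1.100.1) and a route back to 10.1.100.1.
!
! Check: after an authentication attempt, "show crypto ipsec sa" should
! list a security association for 10.1.100.1 <-> 10.2.2.10 with the
! encaps/decaps packet counters increasing.
```

If the LAN interface subnet is already covered by the crypto ACL, pointing `ip tacacs source-interface` at that interface works without the loopback and the extra ACL entry.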