Cannot access remote server via Cisco VPN client 5.x

jonl711
Level 1

I'm trying to access a MS Windows Terminal Server (TS) via a Cisco 1841 router. The client is using a laptop with WinXPP and the Cisco VPN 5.x client. I can connect to the 1841 router, as I can see all sorts of information via show crypto commands. What I cannot do is access the TS from the laptop. I believe it may be a routing issue, but I'm not sure.

The network is set up as follows:

TS 192.168.5.0 network

Lnx-1841 gw 192.168.20.0

TS ----- Cisco Switch ----- Linux Gateway --- Cisco 1841----- Internet ------Laptop w/Cisco Client 5.x

I can access the TS unit from my desktop if I do not use a Cisco client (e.g. I use RDP):

TS ----Cisco Switch ----- Linux Gateway(main firewall) ------Cisco 1841 ---- Internet ------ Cisco 877(Nat) ----Switch --- Desktop

I have the crypto map on the outside interface (Dialer0).

What I would like to know is: am I supposed to have any other networks listed under the eigrp heading? I have:

192.168.3.0

192.168.12.0

192.168.20.0

the ip routes are:

ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.5.0 255.255.255.0 192.168.20.1
ip route 192.168.20.0 255.255.255.248 Dialer0

Or could it be a NAT issue?

Also, how can I test if I'm getting through to the other side? If I'm right, I do not think you can ping through a tunnel or VPN connection, or can you?

Thanks

5 Replies

Jennifer Halim
Cisco Employee

These 2 lines look a bit incorrect:

ip route 192.168.5.0 255.255.255.0 192.168.20.1
ip route 192.168.20.0 255.255.255.248 Dialer0

Assuming your TS is in the 192.168.5.0 subnet, which is internal to the 1841 router, the next hop is 192.168.20.1 as per the above route. However, you have the next statement routing 192.168.20.0/29 towards Dialer0 (which is the outside interface of the router)?

Also, what is the ip pool for the VPN Client?

To be able to access the 192.168.5.0/24 network through VPN Client, the following needs to be configured:

1) If you have split tunneling configured, you would need to add the 192.168.5.0/24 network

2) You also need to configure NAT exemption from the 192.168.5.0/24 towards the ip pool subnet

3) The Linux Gateway needs to route traffic destined for the ip pool subnet towards the 1841 router.

Hope that helps.

Cisco tech configured those lines when we first set up the router.

192.168.20.2 is the ip address of the internal Cisco interface (FA0/0)

192.168.20.1 is the external interface of the LNX server.

The ip pool for the VPN clients is 10.5.5.1 - 10.5.5.10; as I only really need 2, I could trim that down to 10.5.5.5.

Split tunneling is not necessary; when the laptop user connects to the VPN we want them off of the network they are running the client from.

Sorry, I do not understand #2 and #3 fully. Are you saying we need to exclude the 192.168.5.0 from the ip pool subnet (10.5.5.0)? Why would you do that when what we're trying to do is access the 192.168.5.0 network, or mainly just the TS server?

All our NAT statements are similar to:

ip nat inside source static tcp 192.168.20.1 110 203.161.81.22 110 extendable

Re: #3, we have a setup where another location is accessing the TS server from a remote location, and the LNX GW has packets being directed from the 1841 to the TS server. Wouldn't this be the same, or do I have to specify that the packets coming from the 1841 with ip address 10.5.5.0 are also to be directed to the TS server?

Thanks for your response, hope we can get this configured.

Not sure why you need to configure "ip route 192.168.20.0 255.255.255.248 Dialer0"; I would consider removing it if you don't need that line.

In regards to #2: do you have a dynamic nat statement? Something like "ip nat inside source list" or "ip nat inside source route-map". If you do, please share the nat statement as well as the access-list and/or route-map.

In regards to #3: the linux gateway needs to have a route for 10.5.5.0/28 towards the router fa0/0 (192.168.20.2), if the linux gateway default gateway is not the router fa0/0.

I only know that the Cisco engineer had to put it there, as I wasn't able to go outside without it. The 192.168.20 network is the network from the LNX gw to the Cisco router, as 20.1 is the LNX eth1 and 20.2 is the internal Cisco port FE0.

ip nat inside source list 1 interface Dialer0 overload

ip nat inside source static tcp 192.168.20.1 22 203.161.81.22 22 extendable
ip nat inside source static tcp 192.168.20.1 25 203.161.81.22 25 extendable
ip nat inside source static tcp 192.168.20.1 110 203.161.81.22 110 extendable
ip nat inside source static tcp 192.168.20.1 3389 203.161.81.22 3389 extendable
ip nat inside source static tcp 192.168.20.1 3390 203.161.81.22 3390 extendable
ip nat inside source static tcp 192.168.20.1 4899 203.161.81.22 4899 extendable
!
access-list 1 permit 192.168.20.0 0.0.0.7

The lnx gw is the router:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.20.0    *               255.255.255.252 U     0      0        0 eth1
192.168.5.0     *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.20.2    0.0.0.0         UG    0      0        0 eth1

jon

Based on this: "ip nat inside source list 1 interface Dialer0 overload", it seems like your linux gateway is also performing a PAT for all the internal subnets, because ACL 1 only includes 192.168.20.0/29.

If the above is correct, you would need to configure the following:

1) On the router, create a new ACL:

access-list 171 deny ip 192.168.5.0 0.0.0.255 10.5.5.0 0.0.0.15

access-list 171 permit ip 192.168.20.0 0.0.0.7 any

ip nat inside source list 171 interface Dialer0 overload

no ip nat inside source list 1 interface Dialer0 overload

2) On the Linux gateway, you would also need to exempt the 192.168.5.0/24 subnet from being PATed when it's destined for 10.5.5.0/28 subnet.