OK, I've been through the previous posts, and everyone must be getting
tired of reading the same things, but...

.... Server Config is a NW6, with SP5; TCP stack v6.09a, BM3.8 with SP2a;
eDirectory, iManager 2.0.2. (NAT.NLM is v7.00.07).
Public address: 206.xxx.yyy.zzz
Private address: 10.0.aaa.bbb
VPN Tunnel:
NAT Implicit filtering = DISABLED; Static and Dynamic NAT set, with static
NAT of 10.0.aaa.bbb->10.0.aa.bbb.

.... BM Config
Trust Server CA created; certificate exported; issuer created.
Client to Site enabled, using config below.

.... VPN C2S Config
All communication using 3DES, SHA1
IP Address Range:
Traffic Rules: Encrypt all IP protocols (IPX not used in the
environment) to network 10.0.xxx.yyy/; only 1 certificate user
defined, during install/config/tuning. (Default is to bypass outside the
10.0.aaa.bbb networks).
Authentication Rules: Only 1 certificate user defined, during
install/config/tuning; Allow Certificate Authentication/Use trust server CA
DNS/SLP defined for internal DNS and SLP servers

.... Client config
WinXP SP1; C32 v4.90SP1b
Using static IP; connected outside the firewall, but on a different
subnet than the BM public address.
User certificate (Public/private key had been successfully exported)
used for authentication. Certificate shows good.
BM public IP address used for the VPN host.

.... Problem:
As discussed many times here, I can successfully establish the VPN
tunnel. Unlike in all previous discussions, I cannot ping any of the
internal addresses - Nothing from the 10.0.aaa.bbb segment; nothing from
within the VPN tunnel; not the BM private address.

Suggestions as to what I may be missing?