Cisco Virtual Private Network (VPN) Client software 2.x.x, and 3.x before 3.6(Rel), when configured with all tunnel mode, can be forced into acknowledging a TCP packet from outside the tunnel.
https://exchange.xforce.ibmcloud.com/vulnerabilities/10047
http://www.securityfocus.com/bid/5651
http://www.cisco.com/warp/public/707/vpnclient-multiple2-vuln-pub.shtml