A S2S VPN offers better security (encrypted tunnel, auth'd endpoints, etc.), but the basic route structure is simpler to construct and troubleshoot.
Also, the S2S VPN offers the advantage of being a logical network within the ISA networking structure, while the routing structure can only use a subnet definition that ends up being a subset of the external network.
Also, the S2S VPN may be dependent on the compatibility of the remote site with RRAS S2S VPN.

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Friday, February 12, 2010 10:51 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Internal - external, both nat & route

Jim, would you suggest point to point VPN for this instead? Or leave it as is?

t

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Friday, February 12, 2010 10:46 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Internal - external, both nat & route

Yes, you can, but this assumes that:
1. The clients in your site use ISA as the last hop to the Internet
2. You and your ISP can define the proper routes.
3. You define the special network relationship higher than the default internal/external network rule

Your ISP will have to use your ISA external IP as the route to your internal network.

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Reimer, Mark
Sent: Friday, February 12, 2010 8:14 AM
To: ISAlist
Subject: [isalist] Internal - external, both nat & route

Hi folks,

ISA 2004, standard, 3 legs: internal, DMZ, external

Currently, I have a NAT between my internal and external. Works great. External is direct connect to ISP.

We have a remote site that I would like to set up a permanent connection to, thus would like to route one set of addresses to/from the remote site, through ISA. Internet connection between, special routes done by ISP already taken care of.

Main site: 192.168.128.x/23
Remote site: 192.168.3.x/24

Can I route (not NAT) traffic (just 192.168.3.x) from main site, heading to remote site, and all other traffic going from main site gets NAT'ed (like it is currently)?

Thanks.

Mark