I have the following requirement: I have a customer who wants to setup a VPN connection using their hardware VPN appliance to our site to access resources in three internal servers. This VPN connection will be persistent. I want to make sure that the customer can only access those three servers and nothing else in the internal network. Likewise, I don't want none of my internal users has access to those three servers except four people. Also, one of those three servers will need to have access to an SQL server in the current internal network. My current network setup: I have a ISA 2000 that sits between public internet and internal network. There aren't any routers in the internal network. All internal clients and SecureNat serves directly connect to the ISA. I have only one ISA license. I was thinking about splitting the current internal network into two subnets (like 10.10.10.0/24 and 192.168.1.0/24) with a windows 2k or 2k3 router and setup packet filters on the interfaces. The 10.1.1.0/24 is current internal network. Add the new subnet ID 192.168.1.0/24 to the ISA LAT. I was thinking about placing customer's hardware VPN appliance outside of ISA and let the traffic through external NIC of ISA. The VPN appliance will have the preset IP numbers that I tell them. How do I make sure that any request from the customer only goes to the new subnet? If there is any simple approach, I would really appreciate your suggestion. Thanks TS --------------------------------- Do you Yahoo!? Yahoo! Mail - You care about security. So do we.