Ok, can someone please help me? I know how to establish a site-2-site IPSEC VPN between an ISA 2004 Server and Cisco PIX and have successfully done this and it works fine. My problem is this; some background information may help here We have three sites that are all inter-connected via leased line connections Lower Marsh, London - 192.1.2.x /24 Worcester Park, Surrey - 192.1.1.x /24 Westminster Bridge Road, London - 192.1.5.x /24 There are internet connections in Lower Marsh and Worcester Park and we run ISA 2004 SE Servers in both of those locations and the way we have setup things is that Worcester Park internet traffic goes out via the Worcester Park ISA 2004 firewall and Lower Marsh & Westminster Bridge Road internet traffic goes out via the Lower Marsh firewall. The internal 'LAT' (I know Tom it is not a lat but somehow seems simpler to explain) contains all of the above IP ranges on both ISA 2004 servers and our internal Cisco routers use EIGRP to allow us to failover internal systems. Now we are trying to setup IPSEC VPN connections to a third party based in Houston and the only information about there network I have is that they are running a Cisco PIX. As I have already said above we have successfully managed to create a connection between the Lower Marsh site and the third party and this connection works fine. Now we also want to setup another IPSEC VPN connection from the Worcester Park site to the third party but obviously because the Worcester Park and Lower Marsh 'LAT' contains the same IP address ranges the IPSEC VPN will not establish as it needs to have unique ranges. My question is does anyone know can this be achieved at all, even if the third party was to buy in more equipment ? My first guess was for them to purchase a Cisco VPN Concentrator and then another Cisco PIX, and this would enable the Cisco PIX's to be the tunnel endpoints and thus my Lower Marsh site would connect to one and my Worcester Park site would connect to the other and this would get around the IP uniqueness, can anyone confirm or deny? Please can someone help me on this, as the third party is not being very helpful Regards Paul Crisp Snr Network Support Analyst