Routing and Remote access is setup on a box with ISA server in firewall mode. The VPN and Modem pool work great. I want the people that dial-in to be able to get back out and surf. Right now the only way I can get this to work is with the Firewall client. Here is the setup. Internal interface has static routes to everything. External interface has default gateway on it. RAS Users get private IP when they dial-in ie. 172.20.20.2-254 I have tried both selecting the RRAS as router w/lan and demand-dial routing, with remote access server always selected. I have setup a client access group with the IP's of my dial-in users, to allow all protocols, and all sites. (This is what lets my Firewall client users out, but doesn't let my RAS users be SNAT clients for some reason.) another option is I have a different ISA server that is my default gateway that the SNAT is working on, but if I remove my default gateway from the external interface of course the external VPN can't get it because it won't talk to the outside.. but Dial-in came get out through the other ISA server. Having a mental block, please help. Thanks JH