Hey guys, wonder if the following scenario is possible with an ISA 2004...

    Central Site                                  Remote Site #1
    NetID #0 [Checkpoint] ----- Internet ----- [ISA2004] --- NetID #1
                                   !
                                   !              Remote Site #n
                                   !
                                   +---------- [Juniper] --- NetID #n

1. The central site is the hub in a large hub-and-spoke VPN network. Each remote site needs only to talk to the central site and not to another remote site.

2. All the services offered by the central site to the remote sites are reachable on public IP addresses (NetID #0). So, no IP conflicts should be expected here.

3. Because the central site must be sure that there will never be an IP address conflict between the remote sites, they chose to allocate a fixed /28 NetID out of the IP range 198.18.0.0/15 to each remote site, to be used inside the VPN tunnel as the source address for the remote site.

   Note: they chose the IP range 198.18.0.0/15 because this block has been allocated for use in benchmark tests of network interconnect devices (cf. RFC2544 and RFC3330). So, this will very likely never conflict with any IP schema used at any remote site.

4. Because the NAT from the native remote IPs (NetID #n) to the centrally allocated IPs (/28 NetID out of the IP range 198.18.0.0/15) can only be done at the remote site, each remote VPN gateway/firewall must be able to perform source NAT on the outbound traffic before tunneling the traffic to the central site.

Question: is this possible with ISA2004 as VPN gateway/firewall in a remote site?

Of course it should work if we use the following design at the remote site, but we hope to avoid the purchase of an extra VPN box:

    NetID #1 ----- [ISA2004] -----------+----- Internet
                      !                 !
                      +---[VPN Box] ---+
                            ^^^
               /28 NetID out of the IP range 198.18.0.0/15

Best Regards,
Stefaan
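The addressing scheme in points 3 and 4 (one /28 per remote site carved out of 198.18.0.0/15, with the remote gateway source-NATting its native hosts into that block before the tunnel) can be checked mechanically. The following Python script is an added example and is not part of Stefaan's post or of any ISA 2004 feature; it assumes the hub allocates blocks sequentially by site index, that the remote gateway hides ordinary clients behind the first usable address of its block and gives a few servers static one-to-one mappings, and it uses only the standard-library ipaddress module.

```python
import ipaddress

# Benchmarking range reserved by RFC 2544 / RFC 3330, as chosen in the post.
BENCH_BLOCK = ipaddress.ip_network("198.18.0.0/15")
# Each remote site receives one /28 from that range (14 usable addresses).
SITE_PREFIX = 28


def max_sites() -> int:
    """Number of /28 blocks that fit inside 198.18.0.0/15 (8192)."""
    return 2 ** (SITE_PREFIX - BENCH_BLOCK.prefixlen)


def site_block(site_index: int) -> ipaddress.IPv4Network:
    """Return the /28 allocated to remote site number site_index (0-based).

    Sequential allocation by index is an assumption of this example; the
    hub could just as well keep an explicit registry of site -> block.
    """
    if not 0 <= site_index < max_sites():
        raise ValueError(f"site index {site_index} outside 0..{max_sites() - 1}")
    block_size = 2 ** (32 - SITE_PREFIX)
    base = int(BENCH_BLOCK.network_address) + site_index * block_size
    return ipaddress.ip_network((base, SITE_PREFIX))


def conflicts_with_bench_range(native_net: str) -> bool:
    """True if a remote site's native LAN overlaps the tunnel address range.

    This is the check that justifies picking 198.18.0.0/15: a remote LAN
    that already uses it could not be distinguished from tunnel traffic.
    """
    return ipaddress.ip_network(native_net, strict=False).overlaps(BENCH_BLOCK)


def build_nat_policy(site_index: int, native_net: str, static_hosts: list[str]) -> dict:
    """Describe the source NAT a remote gateway must apply before tunnelling.

    Assumed layout (not from the post): clients share the first usable
    address of the site's /28 (hide/overload NAT); each host in
    static_hosts gets its own one-to-one address from the remainder, so the
    central site can address it individually inside the tunnel.
    """
    native = ipaddress.ip_network(native_net, strict=False)
    if native.overlaps(BENCH_BLOCK):
        raise ValueError(f"native LAN {native} overlaps {BENCH_BLOCK}")
    block = site_block(site_index)
    pool = list(block.hosts())            # 14 usable addresses in a /28
    hide_address, remaining = pool[0], pool[1:]
    if len(static_hosts) > len(remaining):
        raise ValueError(f"only {len(remaining)} static mappings fit in {block}")
    static = {}
    for native_ip, tunnel_ip in zip(static_hosts, remaining):
        addr = ipaddress.ip_address(native_ip)
        if addr not in native:
            raise ValueError(f"{addr} is not inside native LAN {native}")
        static[str(addr)] = str(tunnel_ip)
    return {
        "site_index": site_index,
        "tunnel_block": str(block),
        "native_net": str(native),
        "hide_address": str(hide_address),   # many-to-one for clients
        "static": static,                    # one-to-one for servers
    }


if __name__ == "__main__":
    # Constructed sample: remote site #3 with a typical private LAN.
    policy = build_nat_policy(3, "192.168.1.0/24", ["192.168.1.10", "192.168.1.20"])
    for key, value in policy.items():
        print(f"{key}: {value}")
    print("sites available:", max_sites())
```

Because every site's block is unique within the hub, a packet's tunnel source address identifies the originating site on the central firewall's logs regardless of what the remote LAN uses natively; the overlap check is what the whole scheme relies on, so it is worth running against every new site's native range before the block is handed out.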