The easiest part is tunneling all your remote office traffic to the central office outside interface. Though it's not exactly recommended due to the high load it will put on your router, it could be done. Once the traffic reaches the PIX and is decrypted by it, the issue reduces to that of routing the traffic. That again can be achieved using simple static routes. Assuming that your central office inside network is addressed 10.1.0.0/24 (inside interface) and your remote office 10.2.0.0/24 (say DMZ1 or Remote Office 1), you could have a static route pointing in (route (inside) 10.1.0.0 255.255.0.0 10.10.10.2), another static route pointing to your remote office, and finally a default route to the Internet on your outside interface.

When it comes to the question of URL filtering, things start getting tricky. You would need to install a separate server for that. Permitting all your remote office traffic to be filtered by a device on the inside interface of your central office is not a great idea. I guess a better thing to do would be to filter traffic from a given site locally.