I have an odd situation. There are 200 clients on a /24 subnet that point to a router for their default gateway. These clients and the router attach to a flat switched network. I need to provide layer-3 access control between the router and clients, but I CANNOT READDRESS ANYTHING. I can't re-IP the local router interface or change the clients' IP or gateway. I'm trying to think of a way to do the ACL. I've thought of a 2-Ethernet router stuck behind the router in bridging mode, but I can't apply layer-3 ACLs on the bridge interfaces. Any solution with a PIX? I'm thinking along the lines of DNAT or NAT0 but can't make it work in my head...