Right way to set up a 3005 to 3002 tunnel?

ssoppe
Level 1

I am working with another company to set up a VPN connection TO a single host server FROM my network. The final proposed design from the other company is to run a 3005 on my network, a 3002 on their network, set up for network extension mode. To use their host server, we start the VPN session on the 3005. The 3005 hangs off of an interface on my firewall, which is doing NAT/PAT of all internal addresses out to a single 172.18.250.35 address before handing traffic off to the 3005. The 3005 is then connected to the internet with a registered public address. No other internet traffic goes through the 3005. The 3005 on my network (should) then bring up the tunnel across the internet to the other network. On the other network, I am to supply them with six IP addresses that I am not using on my network (172... or 192.168..) so they can configure their network to look like an extension of my network.

So any PC on my network accessing the host on the other end of the VPN would point to some 172. or 192.168. host address. A static route on the inside of my network points that packet to the firewall, the firewall routes the packet out its 172.18.250.1 interface to the inside interface on the 3005, the 3005 tunnels to the other company's registered 63.2x.x.x address on their 3002, with my registered 206.2x.xx.x as the tunnel source (public side of my 3005). The packet arrives at the 3002, is decrypted on their network with my 172.18.250.35 as the source address and their server as the destination. Their server sends a return packet to the original 172.18.250.35 source address, their 3002 picks it up, encrypts it, and sends it to my 3005.

I think this is wrong and backwards. Is this the right way to set up a 3005 to 3002 VPN? Are there any security risks with this? Is there a better way? NOTE that my network has multiple subnets behind my firewall, 172.18.1.x, 172.18.2.x, 192.168.1.x, etc. All subnets on my network need to access the single host at the other end of the VPN tunnel.

THANK YOU.
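The two things a reviewer of this design would check first are whether the six "extension" addresses handed to the partner collide with anything already routed inside the network (including the PAT address the 3005 sees), and what source address the partner's server and logs actually end up seeing for each internal host. The script below is an added example, not part of the original post or any Cisco configuration; the subnet masks, the hypothetical `192.168.200.0/29` extension block, and the sample host addresses are constructed assumptions, only the 172.18.x/192.168.1.x ranges and the 172.18.250.35 PAT address come from the question.

```python
import ipaddress

# Constructed values modelled on the topology in the post. The /24 masks and the
# extension block are assumptions; the poster only gave the first octets.
LOCAL_SUBNETS = [
    "172.18.1.0/24",
    "172.18.2.0/24",
    "192.168.1.0/24",
    "172.18.250.0/24",   # firewall-to-3005 segment, 172.18.250.1 / .35 live here
]
PAT_ADDRESS = "172.18.250.35"      # single address the firewall PATs everything to
EXTENSION_BLOCK = "192.168.200.0/29"   # hypothetical six-host block for the partner
REQUIRED_HOSTS = 6                 # the partner asked for six usable addresses


def check_extension_block(local_subnets, pat_address, extension_block, required_hosts=REQUIRED_HOSTS):
    """Return a list of problems with a proposed network-extension block.

    Problems reported:
      * the block overlaps a subnet already routed inside the network, so the
        static route toward the tunnel would black-hole real internal hosts;
      * the block contains the PAT address, so return traffic from the partner
        would be routed back into the tunnel instead of to the firewall;
      * the block is too small to give the partner the number of hosts asked for.
    """
    problems = []
    ext = ipaddress.ip_network(extension_block, strict=True)
    pat = ipaddress.ip_address(pat_address)

    for cidr in local_subnets:
        net = ipaddress.ip_network(cidr, strict=True)
        if net.overlaps(ext):
            problems.append(f"extension block {ext} overlaps local subnet {net}")

    if pat in ext:
        problems.append(f"PAT address {pat} falls inside extension block {ext}")

    usable = ext.num_addresses - 2 if ext.prefixlen < 31 else ext.num_addresses
    if usable < required_hosts:
        problems.append(f"{ext} has only {usable} usable hosts, {required_hosts} required")

    return problems


def source_seen_by_partner(src_address, local_subnets=LOCAL_SUBNETS, pat_address=PAT_ADDRESS):
    """Return the source address the partner's server sees for an internal host.

    Because the firewall PATs every inside subnet to one address before the 3005,
    every host collapses to the same source; the partner's logs cannot tell
    internal hosts apart. Returns None for an address not in any local subnet,
    which the firewall would not translate (and should not forward).
    """
    src = ipaddress.ip_address(src_address)
    for cidr in local_subnets:
        if src in ipaddress.ip_network(cidr, strict=True):
            return pat_address
    return None


def report(extension_block=EXTENSION_BLOCK):
    """Print a human-readable review of the proposed block and the visible sources."""
    problems = check_extension_block(LOCAL_SUBNETS, PAT_ADDRESS, extension_block)
    if problems:
        print("Proposed block has problems:")
        for p in problems:
            print("  -", p)
    else:
        print(f"Proposed block {extension_block} does not collide with local routing.")
    for host in ("172.18.1.10", "192.168.1.25"):   # constructed sample hosts
        print(f"{host} is seen by the partner as {source_seen_by_partner(host)}")
    return problems


if __name__ == "__main__":
    report()
    # A deliberately bad choice: a block carved out of the 3005 segment that
    # also contains the PAT address.
    report("172.18.250.32/29")
```

The overlap check is the part worth keeping around: every time the partner or the local team changes a subnet, rerun it against the current routing table export before the static route toward the tunnel goes in. The `source_seen_by_partner` function makes the audit-trail consequence of the PAT explicit, which is the main answer to the "any security risks" question in the post: the partner can only ever attribute activity to 172.18.250.35, so per-host accountability has to come from the firewall's own NAT logs.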

1 Reply

p.krane
Level 3

I tried drawing out your topology so I could understand the traffic flow but there are some holes in my map. I think it sounds fine from a functionality standpoint but I would run it by your Cisco design engineer.