I have a PIX 515 with VPNs to multiple PIX 506s in a hub and spoke format as well as some VPN clients. I am using Certificates for the PIX-PIX VPNs and Certs with XAUTH for the clients. All seems to work fine. I have noticed that when I add a remote PIX I must only edit my "nonat" access list on the HUB PIX to allow the new PIX to communicate through the VPN. I would have thought I would need to add more to the config (peer statements, crypto map instance, etc...) Can anyone clarify what I actually should have to add to the HUB PIX config in this situation?