I have an interesting VPN/network/firewall-within-a-network issue to figure out and I am looking for suggestions. A machine service contract states that I need to give the manufacturer access to their machine. They have a Cisco PIX that they want to use to create a VPN to their main location. The problem is the device is 1000 feet away from any direct incoming line. There is network in the area (though I will still need a hardwired drop since it's wireless in the area), but that's all behind my firewall with non-routable addresses. I thought of forwarding ports, but that means they will be on our network, or does it? If I forward the ports needed from their static IP to their PIX and set the PIX on its own subnet...

220.127.116.11 - Manufacturer's external IP
18.104.22.168 - My external IP address
10.1.1.1 - Internal side of my firewall, forwarded to
10.1.1.2 - External side of the PIX
192.168.1.1 - Inside side of the PIX

(Obviously the IPs are faked for the example, and only the needed ports will be forwarded.)

The other idea is to segment a port on the switches, but it's 3 hops within my network, having one port down the route on the switches. But I really do not want to manage that... (I have enough trouble keeping track of the ports on the switches: 9 major switches (Cisco 6500s, 4500s), 3 minors (2950 class), 500 +/- ports.) Not to mention I have never done an isolated port on these switches, and I do not have any spare ports to use... Thoughts/ideas?
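As an added illustration of the port-forwarding layout described in the post (this is not the poster's configuration and the post does not say what kind of firewall is in use), here is what the forwarding rule set looks like on a Linux/nftables firewall. It assumes the firewall has three interfaces, named `wan` (holding 18.104.22.168), `dmz` (10.1.1.1/24, the segment where the PIX outside interface 10.1.1.2 sits) and `lan` (the corporate network, assumed here to be 172.16.0.0/12); it also assumes the PIX tunnel is IPsec, whose "needed ports" are IKE on UDP/500, NAT-T on UDP/4500 and ESP (IP protocol 50). The interface names and the LAN range are assumptions; the addresses come from the post.

```nft
# Added example, not the poster's firewall config. Assumptions: nftables on
# Linux, interfaces wan/dmz/lan as named below, LAN range 172.16.0.0/12,
# and an IPsec tunnel on the PIX (IKE UDP/500, NAT-T UDP/4500, ESP proto 50).
define MFR_IP  = 220.127.116.11   # manufacturer's external IP (from the post)
define MY_IP   = 18.104.22.168    # my external IP (from the post)
define PIX_OUT = 10.1.1.2         # outside interface of the PIX (from the post)
define LAN_NET = 172.16.0.0/12    # assumed corporate LAN behind the firewall

table ip vpn_pix {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Forward only the IPsec traffic, and only when it comes from the
        # manufacturer's static address; anything else is never translated.
        iifname "wan" ip saddr $MFR_IP udp dport { 500, 4500 } dnat to $PIX_OUT
        iifname "wan" ip saddr $MFR_IP ip protocol esp dnat to $PIX_OUT
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept

        # Inbound tunnel traffic, after DNAT, may reach the PIX outside
        # interface and nothing else on the dmz segment.
        iifname "wan" oifname "dmz" ip saddr $MFR_IP ip daddr $PIX_OUT udp dport { 500, 4500 } accept
        iifname "wan" oifname "dmz" ip saddr $MFR_IP ip daddr $PIX_OUT ip protocol esp accept

        # The PIX may bring the tunnel up / keep it alive toward the
        # manufacturer, but may not talk to any other destination.
        iifname "dmz" oifname "wan" ip saddr $PIX_OUT ip daddr $MFR_IP udp dport { 500, 4500 } accept
        iifname "dmz" oifname "wan" ip saddr $PIX_OUT ip daddr $MFR_IP ip protocol esp accept

        # The segment holding the PIX is never forwarded into the corporate
        # LAN, in either direction; this is what keeps the vendor off "our network".
        iifname "dmz" oifname "lan" ip daddr $LAN_NET drop
        iifname "lan" oifname "dmz" ip saddr $LAN_NET drop

        # (the usual lan -> wan rules for the rest of the site go here)
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Replies and PIX-initiated tunnel traffic leave with the public address.
        oifname "wan" ip saddr $PIX_OUT snat to $MY_IP
    }
}
```

Two things worth checking with this layout: because the PIX outside interface sits behind NAT, the tunnel has to negotiate NAT traversal (hence UDP/4500 alongside UDP/500), and because the forward chain defaults to drop, the only hosts the tunnel can ever reach on this side are those on the PIX's own inside subnet (192.168.1.0/24 in the post's numbering), not the switches or the rest of the LAN.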