Hi all, I am trying to reconfigure my network so that it meets the following requirements: At present I have 2 sets of public IP addresses. I have a block of 2 addresses (/30), which is used for the inside address of the router, and the outside address of the firewall. I have another block of /28 (14 usable addresses), which is the inside of the firewall. There is no NAT. What I want to do is to get rid of the /30, and use one of the IP addresses in the /28 as the inside address of the Internet router, and then the firewall has the rest for the outside network. I will have an internal (inside) IP range of 192.168.1.x, and the firewall will NAT everything going out on that connection to the outside interface (using one IP address). I will have servers (specific IP addresses) on the inside network which I want natted to other static IP addresses on the outside network. There will be static NAT statements which do the same as port forwarding, but I want any connection that these machines make to come from specific external IP addresses. Here is my sketch configuration illustrating this. Will it work, or do I need to use policy NAT with ACLs? Thanks. Andrew. Router (Cisco 837) interface Ethernet0 ip address xx.xx.xx.209 255.255.255.240 interface Dialer0 ip address negotiated (receives WAN static) Firewall (ASA 5505) interface vlan2 nameif outside security-level 0 ip address xx.xx.xx.210 255.255.255.240 interface vlan1 nameif inside ip address 192.168.1.1 255.255.255.0 security-level 100 global (outside) 1 interface global (outside) 2 xx.xx.xx.11-xx.xx.xx.222 netmask 255.255.255.240 nat (inside) 1 0 0 route outside 0.0.0.0 0.0.0.0 xx.xx.xx.209 1 (can this go in the outside interface definition?) access-group outside_access_in in interface outside access-list outside_access_in extended permit tcp any host 192.168.1.10 eq 25 static (inside,outside) xx.xx.xx.211 192.168.1.10 netmask 255.255.255.240 Thanks. Andrew.