Name: SmittyZ3M
I have a question about a unique configuration scenario I was hoping someone could help me with.
I have an ASA5505. Eth0/7 is a member of VLAN1 and will be terminated and connected to a Cisco 2800 with a 16-port switch. All of the 2800's switch ports are on VLAN1. The IP Address for my ASA's VLAN1 is 10.36.106.59/24.
Eth0/0 on my ASA terminates to a different network. Eth0/0 is a member of VLAN2.
VLAN1 = outside
VLAN2 = inside
The IP Address of my VLAN2 is 192.168.1.1/24.
I have this ASA configured to be a Remote Access VPN, but the unique part of this deployment is that the "inside" interface is the VPN tunnel interface. So, VPN clients will not be connected to the "outside" interface, but rather the "inside" interface. This is due to a strict FIPS 140-2 requirement over a wireless link.
I have a DHCP pool configured for when clients successfully connect to the "inside" VPN interface. The pool is 172.16.1.1 - 172.16.1.10 with a subnet mask of 255.255.255.0.
My question is this: the application requires that the VPN clients on the 172.16.1.0/24 subnet get NAT'ed to the 10.36.106.59/24 address. Is there a way to do this such that the entire 172.16.1.0/24 subnet becomes statically NAT'ed to the 10.36.106.59/32 address?
Currently, I can successfully connect a VPN client to the "inside" interface and the client will pull 172.16.1.1. If I terminate a device to the "outside" interface of my ASA, and assign that device to 10.36.106.60, when 10.36.106.60 sniffs traffic, ICMP echo requests are showing up from a source address of 172.16.1.1, so I know that the NAT is not configured correctly.
I need the NAT to occur as described above because there will be devices on the 10.36.106.0/24 side of the network, on different subnets, that will not be able to route to 172.16.1.0/24 without manual static route entries being added.
Any advice?
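For reference, here is the shape of the ASA configuration that maps a whole pool to a single interface address. This is an added example, not configuration from the original post or from Cisco, and it assumes the interface names are exactly `inside` (VLAN2, where the VPN terminates) and `outside` (VLAN1, 10.36.106.59), as the post implies. Because the post does not say which ASA software release is in use, both syntaxes are shown: the NAT command set changed in release 8.3, and only one of the two forms applies to a given box. One caveat a practitioner should expect: a /24 cannot be mapped one-to-one onto a single /32, so this is many-to-one dynamic PAT, not static NAT. Hosts on the 10.36.106.0/24 side will see every client as 10.36.106.59 and need no route to 172.16.1.0/24, but they also cannot initiate sessions toward an individual VPN client; only client-initiated flows and their replies traverse the translation.

```cisco
! --- Pre-8.3 syntax (8.2 and earlier) ---
! Decrypted VPN traffic is treated as ingress on the interface that
! terminates the tunnel, here "inside", so nat-control is satisfied
! by a NAT rule on that interface.
nat (inside) 1 172.16.1.0 255.255.255.0
! PAT every pool address behind the outside interface address (10.36.106.59)
global (outside) 1 interface

! --- 8.3 and later syntax (object NAT) ---
! Object name VPN_POOL is an assumed, arbitrary label.
object network VPN_POOL
 subnet 172.16.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

! --- Verification from the ASA CLI (either release) ---
! Simulate a client ping to the sniffer host and confirm a NAT phase
! appears with 10.36.106.59 as the translated source.
! packet-tracer input inside icmp 172.16.1.1 8 0 10.36.106.60
! After real traffic flows, the translation table should show the
! 172.16.1.x -> 10.36.106.59 entries:
! show xlate
```

If the sniffer on 10.36.106.60 still sees 172.16.1.1 as the ICMP source after this is applied, the first things to confirm are that the tunnel really terminates on the interface named in the rule and that no NAT-exemption (`nat (inside) 0 access-list ...` or a higher-priority manual NAT rule) matches the pool first, since an exemption wins over the dynamic rule.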
