> I'm confused. Why not state what you want to do
> instead of what you think is not working?

I want to have 50-odd machines on my LAN hooked up to the T1. I want them firewalled and NAT'ed, which the PIX does. That all works great. In addition, I want a VPN. I had one which depended on having a separate subnet somewhere in the chain, which I no longer have.

> Did you mean you have a /24 subnet?
> Or does your subnet mask end with .240?

Sorry, that was a typo: it should be .240, which equals 16 or so addresses which the ISP is giving us.

> Generally the answer to this kind of question is NAT.

Heh. I got NAT up the wazoo. Where particularly in the chain did you have in mind to put it?

> Well, as long as the external world sees
> what it did before, your VPN will be fine.

The problem is, the external world used to see three different networks, and now it only sees one.

>So your internal network - lets say will be be 192.168.1.x
> - these go to some router - say a Linux box with a kernel
> that does iptables - having 2 NICs - the external NIC will
> be configured as one of the IP addresses your provider gave you...
> Can you now give some info about the VPN and how it was connected before?

The thing I think I'm not making clear is that I don't want ALL of the traffic to go through the VPN box--I want it to continue to be a 'back door' into the LAN, mostly because I want the normal traffic to go through hardware (like the PIX), not software (like a Linux box). Obviously there's HW and SW on both, but I think you understand what I mean.

The VPN used to bridge its virtual ethernet tap device with the internal NIC. AFAICT, it can't work if both the external and internal NICs are on the same network. So I need an 'external' network now. The only network I have besides the Nat'ed internal one (192.168.0.0) is the set of IP's the ISP is doling out--problem is, there's only one ethernet jack on their router, and that goes straight into the WAN jack on the PIX router that we own. So I think I'll try putting them both on a hub I've got lying around and see if I can get all three devices (the ISP's router/gateway, the PIX, and my VPN's external NIC) on the same network.

Since the diagram explains best, I think. The VPN had 2 NIC's: one on the internal network (192.168.0.0) and one on the network which existed between the two DSL routers (172.16.0.0, IIRC). In addition, since it was running an ethernet bridge, it had a virtual NIC (a tap device), which was bridged to the internal NIC. The bridged ethernet was set up per [link|http://openvpn.sourceforge.net/bridge.html|http://openvpn.sourc...e.net/bridge.html]

\n                DSL     DSL 66.126.207.234\n 66.126.207.242   \\    /\n                  Router      DSL 63.200.221.34\n       172.16.0.1 |     \\    /\n                  |     Router\n                  |        |  10.0.0.8\n                  |        |\n      172.16.0.16 |        |  10.0.0.5\n                  VPN    PIX 506\n    192.168.0.251 |        |  192.168.0.110\n                  |        |\n              (3) 10/100 switches\n                |  |  |  |  |  |\n          LAN computers on 192.168.0.x\n               clients and servers\n

Plus a wireless hub in that 172.16.x.x network that I left out for clarity. :)

\n               __Dumb  Hub__\n                /    |     \\\n 64.73.226.17  /     |      \\ 64.73.226.18  /\n   T1 GW (Adit)      |      Wireless Router--WLAN Clients\n                     |       | 192.168.3.1  \\\n                     |       |\n        64.73.226.19 |       | 192.168.3.3\n                    PIX    OpenVPN\n       192.168.0.110 |       | 192.168.1.251\n                     |       |\n                 (3) 10/100 Switches\n                   | | | | | | | |\n               LAN clients and servers\n

Someday Real Soon Now I'm going to switch the innermost network (on the bottom) to 10.x, just need time.