I am using ASA5505s in my small offices and an ASA5520 at my central sites. I have configured EZVPN network extension and everything is working perfectly. I now want to add another layer of security to this configuration. My understanding is the 5505 does not support 802.1x so that appears to be out. I don't want to add another layer of authentication to my users so individual authentication is out. One of my main concerns is a configured 5505 goes missing and before it is reported and disabled it would have full access to my inside network. I am thinking of trying to restrict the outside interface to only talk to the DSL router using a static ARP but it doesn't appear to work. Can this be done or can you suggest another method of locking down my configuration?