The goal is to replace a pair of Linux firewalls with a pair of ASA5520's. The problem is the way that the ISP hands us our connection. They handoff the connection using a private subnet (172.16.x.x). The Linux firewall then sends any packets destined to the servers using public IP addresses that the ISP supplies. It is like a reverse firewall in the sense that the "inside" interface is configured with a Public IP address and the "outside" interface is configured with a private IP address. The ISP routers know to forward the public IP's via their private subnet. A straight swap should work but it is the NAT that is the issue. NAT is tking place behind the firewalls via Load balancers. curently the ASA is running in parralel and is providing NAT to a few servers. If I were to replace the Linux boxes with the ASA's, I don;t think the current NAT setup will work. I would need to NAT private address (10.x.x.x) to it's public address (217.x.x.x) via the ISP's subnet (172.16.x.x). Is this possible?