We have a client who needs to establish a IPSEC VPN back to a CheckPoint firewall. The people who control the Checkpoint don't want to establish a traditional VPN. They are requiring a VPN, but all of the traffic going across the VPN tunnel is NAT'd; all of the traffic sent to them is seen coming from the external IP address of the PIX and not from the Internal network behind the PIX. When the client is accessing a web based application "behind" the Checkpoint, they are told to use a public IP address.