We have a client with three PIX 501's in remote sites, coming into a 515 at the HQ. Because of web filtering, we'd like to force all the remote traffic to go through the VPN to the 515, and be serviced at HQ. According to what we've been told at Cisco, this can't be done without putting a router at each endpoint. With WatchGuards, this would be no problem, so it's rather hard to believe that Cisco can't accomplish the same thing. Any ideas?