We currently have a Cisco ASA 5510 setup with a DMZ for Citrix Secure Gateway Access. We are in the process of implementing new hardware/software, and the vendor is requesting that we purchase an additional Cisco 2811 VPN router to create a tunnel for them to have access to the new servers. Their recommendation was to set the new router publicly in front of/separate from the ASA, and then the inside LAN connection would be connected to the DMZ behind the ASA 5510. By doing this, do we then need to configure NAT rules or static routes so that when traffic going through the 2811 falls in the 5510 DMZ there is a route to our corporate LAN for server access that is still secure? My initial question was why not just create a VPN tunnel using the ASA and eliminate the 2811 altogether and not route anything through the DMZ?