2007-03-10
ChrisA
NATing src & dst for site-to-site AND SecureClient

This is a strange one. Not sure if it belongs in the NAT group, SecureClient group, or a little of both. Anyway, I'm looking for some pointers on how I can handle the situation below.

When users are on the company's local network, they access an externally hosted app (say, 99.99.99.99) through a site-to-site VPN. All internal resources are HIDE NATted to one public address, say 1.1.1.1. Works fine. Note: the app is only accessible through the site-to-site VPN.

When these users are working remotely and they connect SecureClient with Office Mode, they want to access the external app. I can't put the app's addr in the encrypt domain, or the site-to-site won't work. I think the only way to do this is with some fancy natting: statically nat 99.99.99.99 to x.x.x.x, put x.x.x.x in the encrypt domain. Remote user accesses x.x.x.x, session comes through SecureClient VPN, hits firewall, dest is natted to 99.99.99.99, source is natted to 1.1.1.1, session goes out over site-to-site VPN tunnel.

Will this even work? Has anyone done it successfully? Is there a better way? We do not use automatic NAT; is that required to do this sort of double natting?