Hi Nigel, Protocol Rules have *no* effect on routing packets between the network and the pubic DMZ segment. HTH, Tom www.isaserver.org/shinder -----Original Message----- From: Nigel Carroll [mailto:nigel@xxxxxxxxxxxxxxx] Sent: Thursday, January 24, 2002 12:34 PM To: [ISAserver.org Discussion List] Subject: [isalist] DMZ perimeter network works withOUT a packet filter http://www.ISAserver.org I found that even when I had a packer filter defined all I could do was ping from PC (see below) which is normal due to the way ICMP is allowed when IP routing is enabled, so had to define a protocol filter to get web access. I then DISabled the Packet filter and to my surprise discovered that ISA does NOT block outward access from PC - all that is needed is a Protocol filter. This is contrary to doco I've read (in Tom's book) that says you should ONLY need a packet filter when using a perimeter network DMZ design like mine below. Am I missing something here or is this normal behaviour? Nigel internet | | External NIC ISA Server Internal NIC Priv IP Pub IP | | | | LAN PC with Pub IP ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')