If true (and I wouldn't doubt you Tom ;-) then my multihomed public/private internal NIC must be seen by ISA as one private network (even though public subnet not in LAT) since the protocol rule is DEFINITELY required before I can get anything out from my public DMZ subnet other than ICMP. Would you say that that is a possible explanation ie ISA is treating them as one private network? Nigel -----Original Message----- From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] Sent: Friday, 25 January 2002 3:38 Subject: RE: DMZ perimeter network works withOUT a packet filter Hi Nigel, Protocol Rules have *no* effect on routing packets between the network and the pubic DMZ segment. HTH, Tom