Hi Jim,

But I'm still not sure how it explains why adding a ROUTE Network Rule solves the problem. Since the Network Rules are evaluated from the top down, I would think that the NAT Network Rule would never trigger.

So, in a publishing situation, if the ROUTE Network Rule is active, then the connection from the external host would have to be made to the actual public IP address of the SSH server, and then ISA would use its "port stealing" feature to grab the connection and forward it to the SSH Server.

I'm so confused :)

Thanks!
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Saturday, May 13, 2006 10:21 AM
To: isalist@xxxxxxxxxxxxx; isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing a SSH Server (The solution)

According to RFC 4254, there are many instances where NAT could break SSH traffic. The protocol itself tolerates NAT just fine for the most part, but a few extensions to the base protocol don't.

http://www.faqs.org/rfcs/rfc4254.html is your point of reference...

________________________________

From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thomas W Shinder
Sent: Thu 5/11/2006 8:30 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing a SSH Server (The solution)

Wow. that is really whack. I hope we can someday figure out why this works!

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Wilmar Perez
Sent: Thursday, May 11, 2006 10:16 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing a SSH Server (The solution)

Hello Tom

No, I didn't have to delete the NAT rule. Right now it is working with the Route rule before the NAT rule, that is, the Route rule is higher.

Thanks

Wilmar