Dear John, There is no "official" description of a NAT based trihomed DMZ config. However, it can be done with a little elbow grease and ingenuity. I go over those scenarios in the ISA Server and Beyond book. Also, You never read my stuff anymore :( Check out: http://www.isaserver.org/tutorials/Configuring_VPN_Access_in_a_Back_to_B ack_ISA_Server_Environment.html HTH, Tom Thomas W Shinder www.isaserver.org/shinder <http://www.isaserver.org/shinder> http://tinyurl.com/1jq1 <http://tinyurl.com/1jq1> http://tinyurl.com/1llp <http://tinyurl.com/1llp> -----Original Message----- From: John Tolmachoff [mailto:isalist@xxxxxxxxxxxx] Sent: Wednesday, October 30, 2002 5:45 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Stateful inspection http://www.ISAserver.org Are you saying that with a NAT based DMZ, ISA will then do stateful packet? Will it also then do stateful packet to a NAT based DMZ on a tri-homed? But if what you are suggesting, Internet | ISA1 | DMZ using NAT | ISA2 Internal Network with NAT Wouldn't that break a VPN between a node on the internet and ISA2? John Tolmachoff MCSE, CSSA IT Manager, Network Engineer RelianceSoft, Inc. La Habra, CA 90631 www.reliancesoft.com -----Original Message-----