You've made the single most common mistake with DMZ setup; the DMZ NIC has to be a literal subnet, not just a selected range of IPs. Change the DMZ NIC mask to .192 or something even logically smaller, make sure the selected IPs fit in that range and carry those settings to the hosts in the DMZ. Jim Harrison MCP(NT4, W2K), A+, Network+, PCG ----- Original Message ----- From: "Greg Frost" <gfrost@xxxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Tuesday, November 27, 2001 18:58 Subject: [isalist] Yet another DMZ question http://www.ISAserver.org I just finished Tom's book on ISA server configuration, and the firewall seems to be functioning well. However, I am having trouble configuring the DMZ in a 3 NIC configuration. The current setup is: NIC 1: ISA <-> Internet NIC 2: ISA <-> Private Network NIC 3: ISA <-> DMZ ISP Information: Netblock: 65.43.79.0/25 Subnet Mask: 255.255.255.128 Router: 65.43.79.126 Subnet Mask: 255.255.255.128 Available IP's 65.43.79.1-65.43.79.125 The NICs are configured as follows: NIC 1 (Internet Connection): IP: 65.43.79.100 Subnet Mask: 255.255.255.128 Router: 65.43.79.126 NIC 2 (Private Network): IP: 192.168.20.2 Subnet Mask: 255.255.255.0 Router: NONE NIC 3 (DMZ): IP: 65.43.79.101 Subnet Mask: 255.255.255.128 Router: NONE Off NIC 3, the DMZ NIC, there is a web server, but I am having trouble getting access to it from the internet. What NIC configuration should I have on the Web Server, and what kind of packet filter should I use? Specific examples would be great, my brain is completely fried from many overnight shifts. Thank you Greg ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')