NAT shouldn't affect accountability if you're auditing the logs properly. ISA logs every packet that it sees, so accountability becomes even stronger.

Better that you use private IPs through NAT for two reasons:
1. no one can directly access your internal network from the Internet as it's not routable.
2. no one in the LAN can communicate with the Internet without NAT for the same reason

..no; you can't place ISA between your LAN and the Internet without using NAT. Even if you use public IPs internally, ISA will still translate between them.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!

----- Original Message -----
From: "Curtis Kline" <ckline@xxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, February 06, 2002 10:33
Subject: [isalist] Accountability with NAT

http://www.ISAserver.org

Here's my implementation scenario:

In our higher education environment, network traffic accountability is important. We currently do not use Network Address Translation (NAT) for that reason... If someone is bad on someone's computer, we can determine quickly and easily (by IP address) whose computer it was and shut it down.

SO, I have two questions:

1. Can we run ISA without NAT, and use public IP space inside (the internal public space would obviously be in the LAT.) ? If so, then we maintain accountability as we do today.

2. If we have to use NAT, and someone is bad, how do we match up some network traffic out on the Internet that appears to be coming from our ISA's external IP with an internal machine? Is there some kind of translation log that will help us with this?

Let me know if these questions aren't clear.. I'd be happy to clarify.

Thanks in advance for any help!
Curtis Kline
UC Santa Barbara
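
An added example, not part of the original thread and not ISA Server's own tooling: one way to answer the second question from the log side is to search the firewall log for connections to the reported destination and port near the reported time, since the complaint itself only names the external address. It assumes logs in W3C extended format with a `#Fields:` header, that the report and the log use the same time zone, and the field names and records below are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample in W3C extended log format. The field names and every
# record are assumptions for illustration, not output from a real server.
SAMPLE_LOG = """\
#Software: constructed sample
#Fields: date time c-ip cs-username r-ip r-port cs-protocol
2002-02-06 18:29:40 10.1.4.23 - 198.51.100.7 80 TCP
2002-02-06 18:31:02 10.1.7.112 - 192.0.2.80 6667 TCP
2002-02-06 18:31:30 10.1.2.2
2002-02-06 18:31:45 10.1.4.23 - 192.0.2.80 80 TCP
2002-02-06 18:32:10 10.1.9.5 - 192.0.2.80 6667 TCP
2002-02-06 19:05:00 10.1.7.112 - 192.0.2.80 6667 TCP
"""


def parse_w3c(text):
    """Yield one dict per record, taking column names from the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated records
                yield dict(zip(fields, values))


def find_internal_hosts(log_text, reported_at, dst_ip, dst_port, skew_seconds=60):
    """Return (internal_ip, logged_at) pairs for connections to dst_ip:dst_port
    logged within skew_seconds of the reported time, closest match first."""
    window = timedelta(seconds=skew_seconds)
    hits = []
    for rec in parse_w3c(log_text):
        if rec["r-ip"] != dst_ip or rec["r-port"] != str(dst_port):
            continue
        logged_at = datetime.strptime(rec["date"] + " " + rec["time"],
                                      "%Y-%m-%d %H:%M:%S")
        delta = abs(logged_at - reported_at)
        if delta <= window:
            hits.append((delta, rec["c-ip"], logged_at))
    return [(ip, logged_at) for _, ip, logged_at in sorted(hits)]


if __name__ == "__main__":
    # A complaint names the external address only; destination and time narrow it down.
    report_time = datetime(2002, 2, 6, 18, 31, 30)
    for ip, logged_at in find_internal_hosts(SAMPLE_LOG, report_time, "192.0.2.80", 6667):
        print(ip, logged_at.isoformat(sep=" "))
```

More than one internal host can match the same window, so the result is a candidate list; a tighter `skew_seconds` or a source port in the complaint reduces it.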