Eric, my apologies for leading this post down a stray path. As a temporary inhabitant of one of your fine facilities there in 1998 which ultimately lead me to where I am now, I thank you. The most common reason for having another firewall in front of ISA is a DMZ scenario, where the zone between the 2 is the DMZ zone. Otherwise, ISA is perfectly capable of protecting the LAN from whatever evil lurks. I have a client in somewhat the same situation. The ISP provides the router, the old Novell network guys put the PIX in, and now there is now one to do the PIX. Plan is to yank the PIX, eBay it, and replace it with ISA. In the current setup, the router is configured with 2 static public IPs and a public IP pool to private IP pool. So when I tried to introduce a temporary SonicWALL between the 2 so I could connect to the servers, the users on the LAN were cut off because of the Many to Many NAT pool. My recommendation, if no DMZ is needed, yank the PIX. John Tolmachoff MCSE CSSA Engineer/Consultant eServices For You www.eservicesforyou.com -----Original Message----- From: Eric Poole [mailto:EPoole@xxxxxxxxxxxxxxxxxxxx] Sent: Friday, August 29, 2003 7:33 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Connection Issue http://www.ISAserver.org Wisecracks aside, what I'm getting at is that it seems that ISA is still being governed by our PIX. Question still remains, how many use ISA behind another firewall? ISA can handle itself without being behind one, so why would it be needed, especially if you didn't have any control over that firewall? Eric Poole IS Security Analyst <http://communitymedical.org/> Community Medical Centers 1140 "T" Street, Fresno, California 93721 559-459-6784 (phone) 559-459-2045 (fax) -----Original Message-----