Hi Stefaan, I went ahead and configured the DMZ as I described. The outside router is doing NAT, as you suspected, but I Only need to provide at tunnel between the outside router And one located on the DMZ - so there will be no NAT between The 2 routers. Got standard packet filters for ICMP and telnet working And will test ESP shortly. Thanks for your input. Regards, David Elmuist -----Original Message----- From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxx] Sent: 12. januar 2002 18:02 To: [ISAserver.org Discussion List] Subject: [isalist] RE: DMZ with private IP adresses behind router Hi David, it's correct that in realworld life situations the external and dmz interfaces have usual public routable addresses. However nothing prevents you to use private addresses for test purposes. You'll have only to pay attention on the creating of the LAT. However, I assume that the router is doing NAT. If you want to test IPSEC/ESP from outside (through the router) this will not work due to the IPSEC problems with NAT. So, you will be limited to test IPSEC/ESP from the Router inside segment. Hope this helps, Stefaan -----Original Message----- From: David Elmquist [mailto:david@xxxxxxxxxx] Sent: zaterdag 12 januari 2002 14:43 To: [ISAserver.org Discussion List] Subject: [isalist] DMZ with private IP adresses behind router http://www.ISAserver.org Hello list I would like to create a DMZ net on my ISA, which is behind a router. The config would be something like this: Router outside: xxx.xxx.xxx.xxx routable IP address Router inside: 192.168.1.1/ 255.255.255.128 ISA external: 192.168.1.2 255.255.255.128 ISA DMZ: 192.168.1.129 255.255.255.128 ISA internal: 192.168.2.1 255.255.255.0 Would this be all right ? I realize, that in a standard setup, ISA would Have to use routable addresses on both external and DMZ networks. But in This setup, the DMZ addresses, would actually be routable to the gateway on 192.168.6.1 I need this setup, to test routing ESP protocol 50 traffic between outside And DMZ. Any comments on that will be appreciated. Regards, David Elmquist ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: stefaan.pouseele@xxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')