Hi Constatinos, Yes, I did get it, but yesterday was more of CR2 with other lab's machines and "do your job anyway". Anyway, the answer is: ISA external NIC no obvious issues here; I forgot to as about your internal ISA NIC, though ISA DMZ NIC IP = <DMZ_IP> x.x.x.5 it should start higher, depending on the assigned mask GW = <empty> ok NM = <subnet of extGW> 255.255.255.128 it should be .192 or .224 or .240 or .248 DMZ Server IP = <DMZ_srvr_IP> x.x.x.6 This will depend on how you assign the DMZ mask GW = <ISA_DMZ__NIC> x.x.x.5 NM = <ISA_DMZ_NM> 255.255.255.128 This will depend on how you assign the DMZ mask Here's the deal with the DMZ settings; your DMZ has to be a subnet of the external ISA subnet. If you use the same netmask, it simply joins the ISA external subnet and you'll get IP spoofing errors. Your DMZ mask assignment will determine your DMZ IP options (remember that one of the IP's belongs to the ISA DMZ NIC): Mask IP Range .128 not valid for DMZ .192 .65 - .126 .224 .33 - .62 or .65 - .94 or .97 - 126 .240 .17 - .30 or .33 - .46 or .49 - .62 or .65 - .78 or .81 - .94 or .97 - .110 or .113 - .126 .248 .9 - .14 or .17 - .22 or .25 - .30 or .33 - .38 or .41 - .46 or .49 - .54 or .57 - .62 or .65 - .70 or .73 - .78 or .81 - .86 or .89 - .94 or .97 - .102 or .105 - .110 or .113 - .118 or .121 - .126 DMZ Server IE settings No proxy (empty the settings) ok ISA PF Here trying to implement the following packet filter i get the following message here IP protocol = TCP Direction = outbound Local port = All ports Remote port = Fixed, 80 local computer = "these computers (on the perimeter network)" After it tries to find the server in the DMZ (which happens due to NETBEUI that is installed on that DMZ WIN2k Server (please dont scream!!!)) it tells that it cant find the ip address allocated with that server. No screaming, just advising you to ditch NetBEUI. It's not supported by ISA and only serves to confuse during troubleshooting. If you fix your DMZ subnetting, I bet this error will go away. Remote Computer = All Jim Harrison MCP(2K), A+, Network+, PCG ----- Original Message ----- From: cismic To: [ISAserver.org Discussion List] Sent: Thursday, August 09, 2001 9:51 PM Subject: [isalist] DNS Subnet question with DMZ http://www.ISAserver.org I also posted this to the message boards. Sorry for the duplication. Just thought I'd see if anyone was online tonight with some ideas. J Hello, I'm using 10.0.0.1 for illustration: I have 10.0.0.1/29 (8 IPs, 32 per C) as my ip address. IP'S .1 and .8 are being used by my ISP. .7 is assigned to my CISCO 776M ISDN router. That leaves me with 5 ip address to use. .2, .3, .4, .5, .6 EXT NIC 1. = .2 DMZ NIC 1. = .3 DMZ servers would be .4, .5, .6 If I split those into something like the following .4 sql .5 web .6 DNS I run out of address and won't be able to place my exchange server in the dmz. and Internal NIC private could be 10.0.1.0 Is there another method that will work just as well so I can publish my Exchange server? ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')