Actually, Luigi, his setup is not the tri-homed DMZ scenario you are referring to. He's got a back-to-back implementation, and public addresses are not required.

I would first make sure that the internal firewall's default gateway is pointing to the external firewall's internal NIC (192.168.10.9). If you can get access to the DMZ servers, then the internal firewall's LAT is probably okay. If not, remove 192.168.10.0 from it.

----- Original Message -----
From: "Luigi Grieco" <l.grieco@xxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, May 15, 2002 3:07 PM
Subject: [isalist] Re: Internet & DMZ access from internal LAN

http://www.ISAserver.org

Hi,

directly from www.isasever.org:

[...]
"Trihomed DMZ Must Have Public IP Addresses

The fact that the DMZ segment on a Trihomed DMZ must have public addresses can't be overstated. We see a lot of people who have problems constructing their DMZ because they try to use private addresses on the DMZ segment. All you accomplish by doing this is to create two internal network interfaces or an external network interface that cannot access internal or external resources.

The DMZ must be configured as an external network interface. External resources are not trusted by the internal network. To configure the DMZ segment as an external network resource, you must NOT put IP addresses in the DMZ segment into the LAT. Only the internal network IP addresses are contained in the LAT."
[...]

You can look in the "Learning zone"; there are a lot of very good articles! (Thanks www.isaserver.org!!!!!)

Bye,
gg

-----Original Message-----
From: rufyo@xxxxxxxxx [mailto:rufyo@xxxxxxxxx]
Sent: Wednesday, May 15, 2002 19:51
To: [ISAserver.org Discussion List]
Subject: [isalist] Internet & DMZ access from internal LAN

Hi there,

I have some problems configuring my LAN clients to access the Internet through the internal firewall.

The scenario is described below:

I've configured a first ISA Server 2000 firewall with 3 NICs, two connected to two separate internal LANs and one connected to the DMZ segment (with some servers):

    10.16.2.1    --> Internal NIC1
    192.168.10.1     DMZ NIC
    10.16.3.1    --> Internal NIC2

On the DMZ I have some servers configured with the 192.168.10.x address family and a second firewall configured with two NICs:

    192.168.10.9    --> DMZ NIC
    xxx.yyy.zzz.kkk --> Internet NIC

I've configured the servers on the DMZ to access the Internet and published some of them (WEB, MAIL, etc.) and all works fine. But I can't access the Internet from the internal LANs.

How do I have to configure the internal firewall to access both the Internet and the DMZ servers?

Help would be appreciated.

Thanks.
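The two checks suggested at the top of this thread (default gateway and LAT contents on the internal firewall), written as a small audit script. This is an added example and not part of the original messages; the /24 masks, the (first, last) range form of the LAT entries, the function names and the sample configurations are assumptions constructed for illustration.

```python
import ipaddress

def lat_networks(lat_ranges):
    """Expand LAT (first, last) address ranges into CIDR networks."""
    nets = []
    for first, last in lat_ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets

def audit_internal_firewall(lat_ranges, dmz_net, default_gw, upstream_nic):
    """Return a list of findings for the internal firewall of a back-to-back DMZ."""
    dmz = ipaddress.ip_network(dmz_net)
    gw = ipaddress.ip_address(default_gw)
    findings = []
    # Check 1: the default gateway must be the external firewall's
    # DMZ-side NIC, which sits on the directly connected DMZ segment.
    if gw not in dmz:
        findings.append(f"default gateway {gw} is not on DMZ segment {dmz}")
    elif gw != ipaddress.ip_address(upstream_nic):
        findings.append(
            f"default gateway {gw} is not the external firewall's NIC {upstream_nic}")
    # Check 2: the LAT should hold internal ranges only, so any range
    # that overlaps the DMZ segment is reported for removal.
    for net in lat_networks(lat_ranges):
        if net.overlaps(dmz):
            findings.append(f"LAT range {net} overlaps DMZ segment {dmz}")
    return findings

# Constructed sample configurations based on the addresses in the thread
# (masks assumed to be /24; the internal LANs 10.16.2.x and 10.16.3.x).
DMZ = "192.168.10.0/24"
UPSTREAM = "192.168.10.9"
BROKEN = dict(
    lat_ranges=[("10.16.2.0", "10.16.3.255"), ("192.168.10.0", "192.168.10.255")],
    dmz_net=DMZ, default_gw="192.168.10.1", upstream_nic=UPSTREAM)
FIXED = dict(
    lat_ranges=[("10.16.2.0", "10.16.3.255")],
    dmz_net=DMZ, default_gw="192.168.10.9", upstream_nic=UPSTREAM)

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, audit_internal_firewall(**cfg) or "no findings")
```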