There's only one reason I can think of that this would be required - SSH imbeds the client IP in the packets (much like IPSec)... I'll see what I can dig out of the RFC's... ________________________________ From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thomas W Shinder Sent: Thu 5/11/2006 8:30 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Publishing a SSH Server (The solution) Wow. that is really whack. I hope we can someday figure out why this works! Tom Thomas W Shinder, M.D. Site: www.isaserver.org <http://www.isaserver.org/> Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- ISA Firewalls ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Wilmar Perez Sent: Thursday, May 11, 2006 10:16 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Publishing a SSH Server (The solution) Hello Tom No, I didn't have to delete the NAT rule. Right now it is working with the Route rule before the NAT rule, that is, the Route rule is higher. Thanks Wilmar All mail to and from this domain is GFI-scanned.