I work for a small company with 5 branches. I have a frame connection to all the sites which connects to the central office where I am (hub and spoke). In the central office, I have set up a PIX firewall. Behind the firewall sits an Exchange server and a new server which I plan on installing next week. I want to install a BDC that will have Symantec's I-gear/Mail-gear. This is an email and internet filtering product. I will place this behind the firewall.

Here is what I want to do:

1) I want all the client PCs to connect to the I-gear/Mail-gear server to access the internet. Of course I will static my own address and those that are nice to me to bypass the proxy and go straight through the PIX.
2) I want to allow only certain traffic to go back in the PIX from the outside.
3) I will need an inside and outside IP address on this server.

Here is my proposed solution:

1) Install 2 network cards on the server and install the mentioned software.

2) Stop all traffic from being PATed across the PIX currently. Currently I have

   Nat (inside) 1 0.0.0.0 0.0.0.0

3) Add a new NAT to let out the BDC server machine.

   NAT (inside) 1 10.0.0.12 255.255.254.0
   NAT (inside) 2 10.0.1.1 255.255.254.0 (my own PC for example)

4) Let the BDC out of the PIX

   Static (inside,outside) 193.236.234.88 10.0.0.12 netmask 255.255.255.255 0 0
   Conduit permit tcp host 193.236.234.88 eq smtp any
   Conduit permit tcp host 193.236.234.88 eq www any
   Conduit permit tcp host 193.236.234.88 eq pop3 any
   Conduit permit tcp host 193.236.234.88 eq 443 any

5) Change the gateway that they (the clients) are pointing to (right now it is the router (10.0.0.1) that connects to the PIX) to point to the BDC server 10.0.0.12.

I think that will work but I am very green when it comes to configuring these PIXes. I got lucky a few months ago when I did an IPSec tunnel between 2 PIXes and I would like to replicate that success.
I would certainly appreciate some pointers before I go ahead and do this next week with my heart in my mouth and as I experience shortness of breath... not a good feeling :)

Any comments would surely be appreciated.

rgds,
Manolito
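An added example, not part of the original post: a pre-change check that parses the nat statements quoted above and reports, by plain IP arithmetic, which address range each address/mask pair actually selects and where ranges on the same interface overlap. The function names parse_nat and review are hypothetical, and it is an assumption that the PIX matches an address/mask pair the way standard masking does.

```python
import ipaddress
import re

# Constructed sample: the three nat statements quoted in the post.
SAMPLE_CONFIG = """\
Nat (inside) 1 0.0.0.0 0.0.0.0
NAT (inside) 1 10.0.0.12 255.255.254.0
NAT (inside) 2 10.0.1.1 255.255.254.0
"""

NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+(\S+)\s+(\S+)", re.IGNORECASE)


def parse_nat(config):
    """Return (interface, nat_id, typed_address, covered_network) per nat line."""
    entries = []
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue  # not a nat statement
        ifname, nat_id, addr, mask = m.groups()
        # strict=False masks off host bits (assumed to mirror how the
        # address/mask pair is matched).
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        entries.append((ifname, int(nat_id), ipaddress.ip_address(addr), net))
    return entries


def review(entries):
    """Flag host addresses paired with a wider mask, and overlapping ranges."""
    findings = []
    for ifname, nat_id, addr, net in entries:
        if addr != net.network_address:
            findings.append(("host-bits", nat_id, str(addr), str(net), net.num_addresses))
    for i, (if_a, id_a, _, net_a) in enumerate(entries):
        for if_b, id_b, _, net_b in entries[i + 1:]:
            if if_a == if_b and net_a.overlaps(net_b):
                findings.append(("overlap", id_a, str(net_a), id_b, str(net_b)))
    return findings


if __name__ == "__main__":
    for finding in review(parse_nat(SAMPLE_CONFIG)):
        print(finding)
```

On the sample, both 10.0.0.12 and 10.0.1.1 paired with 255.255.254.0 resolve to the same 512-address range 10.0.0.0/23, so the two statements are not single-host entries; a mask of 255.255.255.255 produces no finding.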