1) Yes, it's correct 2) You can use both the commands, the conduit command are more friendly but if you want to deny the outgoing traffic from the inside to the DMZ you mast use the outbound/apply command also. -----Original Message----- From: kvetch meifucan [mailto:[EMAIL PROTECTED]] Sent: gioved� 11 aprile 2002 19.12 To: [EMAIL PROTECTED] Subject: PIX NAT Question Here are two lines from a PIX config. global (dmz) 1 10.10.10.1 netmask 255.255.255.255 nat (inside) 1 192.168.0.0 255.255.255.0 0 0 Am I correct to understand that only the specified traffic from the Inside interface, 192.168.0.X will be NATed to the address 10.10.10.1 when it enters the DMZ? This is also to say that traffic from any other subnet, 192.168.1.X or even from the Outside interface won't be NATed. While I'm at it...Which is more recommended to use, Conduits or ACLs with PIX version 5.0(3)? And, can you use conduits to allow DMZ traffic to enter the Inside interface (such as a web server connecting to an internal database)? Much thanks, KM
