> Hello, > > If all of server are NOT DMZ, then they can be assigned ( used ) Private > IP ? Okay, DMZ adds a layer of complexity but really has no bearing on the private IP range. What is it you are trying to accomplish? Your DMZ can be behind your NAT box but does not have to be. Some DMZ setups look something like this: Internet | | | v Border router | | | | | | v v DMZ1 DMZ2 DMZ3 ... | | | v Internal firewall | | | | | | v v Computer1 Computer2 Computer3 So, in this case, you can use either your border router or your internal firewall as your NAT box. Either will do but the border router might be a better choice. Of course your DMZ boxes should be single tasked. Therefore, each should only have 1 or so ports that are accessible from either your internal network or the Internet. There is much much more to this though. Like, your DMZ boxes should not be allowed to initiate connections, especially to your internal network. There should be no connections coming in to the internal firewall from the Internet or the untrusted network. Etc... -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.