In most of the networks I've worked with, things have been small. So either there has been no DMZ or a very small one. In all of them, all of the services were NAT'd from external (public) IPs that lived on the firewall. So a web server would have an external IP on the firewall that simply had a port forward to its internal (private) IP. What I'm curious about is how the DMZ works in a large network. If you have 30 web servers and 10 mail servers, does each of them need to be placed in the DMZ? Is everything still NAT'd, with ports forwarded through to the servers? Or do the servers all get their own public IP? And if they do, how do you get the traffic routed so it gets to the servers? I mean, a DS-3 (or other line) comes in from the internet with a full public class C. It hits the firewall, but how then does it get to the servers unless the firewall has all the IPs on its external side? I hope this makes sense.