Yes, Bob, your ISP is correct is the short answer. What I would do as a starting point is to look at the IP addresses and subnet mask they have given you. Work out the size of the subnet they have allocated you and all the possible IPs in that block. Discount the network and broadcast addresses, then make a note of the IP in the block you're using for your main firewall interface and then the IP they have given you as a gateway. Whatever IPs are left should be free for you to use, assuming they've not used any more and not told you. You can then create policy objects with IPs from the range and then create NAT rules to forward the traffic into your network. Once the NAT rule is in place, the firewall will automatically respond to traffic destined for that IP. No extra configuration is required at the interface level.

Your NAT rule would be something like:

Source Zone: Internet
Dest Zone: Internet
Source Address: Any
Dest Address: [policy object with ext IP you want to use]
Service: Any
Source Trans: None
Dest Trans: [policy object of internal device using internal IP]

The source and destination zone both being Internet / Untrust is the bit that can trip people up. It's because, from the point of view of the external user, they are making contact with you on an external, public IP and technically they don't know its destination is internal or going to get NAT'd.

Hope that all makes sense!

UKRB.
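As an added illustration (my own code, not part of the reply above or any vendor's tooling), here is a small Python helper that does the bookkeeping the reply describes: it takes the ISP's block, drops the network and broadcast addresses, removes the firewall interface IP, the gateway IP and anything else you know is taken, and returns the public IPs left to put into policy objects. It also builds a plain dictionary with the same field layout as the NAT rule above, so you can see the Internet-to-Internet zone pairing explicitly. All addresses are constructed sample values.

```python
import ipaddress

# Constructed sample values (documentation range, not a real allocation).
ISP_BLOCK = "203.0.113.64/29"          # what the ISP allocated (prefix or netmask form both work)
FIREWALL_IP = "203.0.113.66"           # IP on the firewall's external interface
GATEWAY_IP = "203.0.113.65"            # IP the ISP told you to use as the gateway
ALREADY_USED = ["203.0.113.67"]        # any other IP you know the ISP is using


def free_public_ips(block, firewall_ip, gateway_ip, used=()):
    """Return the public IPs in `block` that are free for NAT policy objects."""
    # strict=False lets you pass the interface IP with its mask, e.g. "203.0.113.66/29".
    net = ipaddress.ip_network(block, strict=False)
    reserved = {ipaddress.ip_address(firewall_ip), ipaddress.ip_address(gateway_ip)}
    reserved |= {ipaddress.ip_address(u) for u in used}
    for addr in reserved:
        if addr not in net:
            raise ValueError(f"{addr} is not inside {net}; check the mask the ISP gave you")
    # net.hosts() already discounts the network and broadcast addresses.
    return [str(ip) for ip in net.hosts() if ip not in reserved]


def dnat_rule(name, public_ip, internal_ip):
    """Model the destination-NAT rule from the reply as a plain record (hypothetical schema)."""
    return {
        "name": name,
        "source_zone": "Internet",        # both zones are Internet / Untrust on purpose
        "dest_zone": "Internet",
        "source_address": "Any",
        "dest_address": public_ip,        # policy object holding the external IP
        "service": "Any",
        "source_translation": None,
        "dest_translation": internal_ip,  # policy object holding the internal host IP
    }


if __name__ == "__main__":
    spare = free_public_ips(ISP_BLOCK, FIREWALL_IP, GATEWAY_IP, ALREADY_USED)
    print("free public IPs:", spare)
    print(dnat_rule("web-dnat", spare[0], "10.0.0.10"))
```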