> When you use 'match' to set options (e.g. nat-to) it does that
> for *subsequent* rules, it doesn't retrospectively loop back and
> change addresses on a rule which has *already* been processed.

Yes I know that much. And as my pass rules care about the not-yet translated source addresses, they have to be before the match...nat-to rule. I am not sure I am getting your point, but anyway the original question has been dealt with so I am fine.

Thanks again.

William
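
The rule ordering discussed in this exchange, as an added pf.conf illustration that is not part of either poster's ruleset. The interface names and the 10.0.0.0/24 network are assumptions chosen for the example.

```pf
# Added illustration; interface names and addresses are constructed.
ext_if  = "em0"            # assumed external interface
int_if  = "em1"            # assumed internal interface
lan_net = "10.0.0.0/24"    # assumed internal network

block all

# Let LAN traffic into the firewall so it can be forwarded.
pass in on $int_if inet from $lan_net to any

# Evaluated BEFORE the match rule: the source is still the
# untranslated LAN address, so this rule filters on $lan_net.
pass out on $ext_if inet proto tcp from $lan_net to any port { 80 443 }

# From here on, nat-to is applied to packets matching this rule.
# A match rule sets options but does not change pass/block state.
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)

# Evaluated AFTER the match rule: the source has already been
# rewritten to the address of $ext_if, so "from $lan_net" would
# no longer match here. Filter on the translated address instead.
pass out on $ext_if inet proto udp from ($ext_if) to any port domain
```

With this ordering, LAN web traffic is passed by the rule above the match and still leaves translated, while the DNS rule below the match has to name the translated source to apply.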